Imperva Cyber Community

  • 1.  ThreatRadar - Comment Spam IPs

    Posted 07-27-2022 04:00
    Hi all,

    While the default severity of the violation "ThreatRadar - Comment Spam IPs" is high, the default action is none instead of block. Is there any reason behind this?

    Has anyone tried to change the default action to block? Do you experience quite a lot of false positive hits?


    Ken Chau
    IT Manager
    Central Hong Kong

  • 2.  RE: ThreatRadar - Comment Spam IPs

    Posted 07-27-2022 07:28

    ThreatRadar is a very good tool to enrich the logs.
    I know from my experience that blocking IPs only from IP lists might generate a lot of false positives.
    If you want to block traffic using IPs from the TR, you can write your own security policies.
    Example - When the IP is on the Spam IPs list and is trying to log in to the application with bad credentials and is doing it more than 5 times in 10 seconds, then block it.
    I think it is a good way to use the TR IP list to block traffic, but when you are using it with additional criteria.

    Karol Gruszczyński
    IT Security Expert
    Trafford IT
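
The combined condition described in the reply above, as an added Python example (not part of the thread and not Imperva policy syntax): list membership alone never blocks; only a listed IP with more than 5 failed logins inside 10 seconds does. The event format, addresses and function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed stand-in for the Comment Spam IPs feed (RFC 5737 documentation addresses).
SPAM_IPS = {"203.0.113.7", "203.0.113.9"}
MAX_FAILURES = 5      # "more than 5 times"
WINDOW_SECONDS = 10   # "in 10 seconds"

# Constructed sample events: (epoch seconds, source IP, login outcome).
SAMPLE_EVENTS = (
    [(100 + i, "203.0.113.7", "fail") for i in range(6)]        # listed, 6 failures in 5 s
    + [(100 + 3 * i, "203.0.113.9", "fail") for i in range(6)]  # listed, but spread over 15 s
    + [(200 + i, "198.51.100.4", "fail") for i in range(8)]     # fast failures, not listed
    + [(300, "203.0.113.9", "ok")]                              # listed, successful login
)


def evaluate(events, spam_ips=SPAM_IPS, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Return {ip: timestamp of first block decision} for the given events."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    blocked = {}
    for ts, ip, outcome in sorted(events):
        if outcome != "fail" or ip not in spam_ips:
            continue              # list membership alone never blocks
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()           # drop failures older than the window
        if len(q) > max_failures and ip not in blocked:
            blocked[ip] = ts
    return blocked


def blocked_by_list_only(events, spam_ips=SPAM_IPS):
    """Baseline for comparison: every listed IP that appears is blocked."""
    return {ip for _, ip, _ in events if ip in spam_ips}


if __name__ == "__main__":
    print("combined rule:", evaluate(SAMPLE_EVENTS))
    print("list-only rule:", sorted(blocked_by_list_only(SAMPLE_EVENTS)))
```

On the constructed events, the list-only baseline blocks both listed addresses, including the one that later logs in successfully, while the combined rule blocks only the address that produced the burst of failures.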

  • 3.  RE: ThreatRadar - Comment Spam IPs

    Posted 07-27-2022 13:52
    Hi Ken,

    The Comment Spam IPs service identifies IP addresses of known comment spammers. This signature is created by Imperva ADC using the information the SecureSphere customer community shares on the Imperva ThreatRadar cloud. Below is the link which will give more details on it,

    To answer your query, you can go ahead and change the action to block if protection from spam IP addresses is required. If there are any false positives, you can go ahead and add those IP addresses to the exception list.

    Syed Noor Fazal.
    Product Support Engineer.
    Imperva India.
