"You don't have permission to access http://www.XXXXX.com on this server

More weirdness...
I changed the WAN MAC address (incremented it by one) on the router, rebooted it, and I was able to access the sites. I put it back (without rebooting) and I could not access them. I incremented it again (without rebooting) and I could access them again.

The problem is definitely in the router and has something to do with the MAC address settings.

No, the router itself (at least in a normal configuration) won't do anything that the CDNs and the spam agencies behind them would consider sending spam mail or an abuse of their services. You're mixing up cause and effect here: changing the WAN MAC address only pushes your ISP's DHCP server to hand out a different IP address, when your old one has been burned by doing something that is considered naughty by one of the CDNs or spam-fighting sites.

2 Likes

slh, you are 100% correct! I had no idea that the ISP would change the IP address that fast (literally a few seconds passed between my changes).
At least I know how to get a new address quickly if/when it happens again!

I called the ISP earlier today and they said that the modem was reporting a lot of errors so they reset it (I own the hardware). Of course it didn't correct the problem. Is it possible there is an issue with the modem? I have not logged into the modem yet...

@jordanthompson - if it happens again, it would point to a potential issue on your network (as compared to an inherited problem from some other user previously using a specific IP address).

My recommendation would be to make note of your current IP address (now, while things are good) and then if you see the problem again, compare the IP address at that time vs what you have right now. If the IP hasn't changed, there is a high likelihood that something on your network is responsible for spamming/DoS/other attacks on one or more of the sites served by the spam prevention groups. At that point, you can start to investigate which device(s) are participating in some bot-net or other odd behavior.

You being on cable internet (usually long DHCP lease times) and having experienced this twice within a very short time should be reason enough to give your LAN and all connected devices a very thorough audit (is there an open proxy, a DNS server answering on WAN, a Tor exit node, a mail server, some rogue scripts doing automated web queries / using a shady API key, security cameras or other IoT devices being part of a shady 'cloud service', you being part of a botnet, users trying to circumvent region locks with leaky methods, active torrent use, etc. pp., ...).
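One concrete way to start the audit slh lists above is to look at what the router itself has listening on non-loopback addresses. The script below is an added example for this thread, not code from any poster or from OpenWrt: it parses the output of `ss -H -lntup` (run on the router, or on any Linux box you suspect) and flags sockets bound to all interfaces or to the WAN address, annotating the ports that most often get a home IP block-listed (open resolver, open proxy, mail relay, Tor). The `ss` output embedded in it is constructed, and 192.0.2.17 is a documentation address standing in for the WAN IP.

```python
"""Triage `ss -H -lntup` output for services a home router might expose to the WAN.

Added example for this thread (not the original poster's code). The ss output
below is constructed; 192.0.2.17 stands in for the router's WAN address.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Services that, when reachable from the Internet, routinely land a home
# address on CDN / anti-abuse block lists (the things listed in the thread).
ABUSE_PRONE_PORTS = {
    25: "SMTP relay",
    53: "open DNS resolver (reflection/amplification)",
    1080: "SOCKS proxy",
    3128: "HTTP proxy (squid default)",
    8080: "HTTP proxy / alternate HTTP",
    9001: "Tor ORPort (default)",
}
WILDCARD = {"0.0.0.0", "::", "*"}
PROC_RE = re.compile(r'\("([^"]+)"')   # users:(("dnsmasq",pid=...)) -> dnsmasq


@dataclass
class Finding:
    proc: str
    proto: str
    addr: str
    port: int
    reason: str
    risk: str


def parse_ss_line(line: str):
    """Return (proto, local_addr, port, process) for one `ss -H -lntup` line, or None."""
    fields = line.split()
    if len(fields) < 5:
        return None
    proto, local = fields[0], fields[4]
    addr, _, port = local.rpartition(":")     # "[::]:53" -> "[::]", "53"
    if not port.isdigit():                    # also rejects a header line
        return None
    addr = addr.strip("[]").split("%", 1)[0]  # drop brackets and interface scope
    m = PROC_RE.search(line)
    return proto, addr, int(port), (m.group(1) if m else "?")


def audit_listeners(ss_output: str, wan_addrs=()) -> list[Finding]:
    """Flag sockets bound to all interfaces or to one of the given WAN addresses."""
    wan = set(wan_addrs)
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, addr, port, proc = parsed
        if addr == "::1" or addr.startswith("127."):
            continue                          # loopback only: not reachable from WAN
        if addr in WILDCARD:
            reason = "listens on all interfaces"
        elif addr in wan:
            reason = f"bound to the WAN address {addr}"
        else:
            continue                          # bound to a LAN address only
        risk = ABUSE_PRONE_PORTS.get(
            port, "not on the abuse-prone list; confirm the firewall still drops it from WAN")
        findings.append(Finding(proc, proto, addr, port, reason, risk))
    return findings


# Constructed sample output of `ss -H -lntup` on an OpenWrt-like router.
SAMPLE_SS = """\
tcp   LISTEN 0      32           0.0.0.0:53         0.0.0.0:*    users:(("dnsmasq",pid=1182,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("dropbear",pid=1020,fd=3))
tcp   LISTEN 0      128        127.0.0.1:3128       0.0.0.0:*    users:(("squid",pid=2210,fd=12))
tcp   LISTEN 0      1024      192.0.2.17:9001       0.0.0.0:*    users:(("tor",pid=3011,fd=7))
tcp   LISTEN 0      128      192.168.1.1:80         0.0.0.0:*    users:(("uhttpd",pid=1300,fd=4))
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*    users:(("dnsmasq",pid=1182,fd=4))
udp   UNCONN 0      0               [::]:53            [::]:*    users:(("dnsmasq",pid=1182,fd=5))
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*    users:(("chronyd",pid=900,fd=5))
"""

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, wan_addrs=["192.0.2.17"]):
        print(f"{f.proto}/{f.port:<5} {f.proc:<10} {f.reason}: {f.risk}")
```

On the sample this reports dnsmasq on 0.0.0.0/:: port 53, dropbear on 0.0.0.0:22 and tor bound to the WAN address; squid and chronyd on loopback and uhttpd on the LAN address are left alone. A wildcard bind is only a candidate, not proof of exposure: the firewall zone rules decide whether WAN traffic reaches it, so the next step is to check those rules (or probe the WAN IP from outside) for each finding rather than assume the worst.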

I changed the MAC address of the router a week ago and got a new IP address for my modem.
I disabled all of my IoT devices (turned off the wireless they were connected to).
After waiting a week, I started enabling the WiFi (I have several routers acting as access points) with a very short (1m) radius trying to localize what was able to access the internet.
Yesterday I removed power to an RCA doorbell (that I thought may be causing the issue as it has been a bear to deal with) and turned everything on with normal operating WiFi radius. No issues...
I just connected the doorbell this morning and I am still able to access all of my test URLs.
So I am still confused about what is going on. Perhaps it was never anything in my house and I just (unluckily) happened to get two IPs that had been compromised. Or perhaps this problem will rear its ugly head again!

It is possible that you just had bad luck, yes, but if you experience the symptom of being banned a 3rd time, that would be pretty clear evidence that something is amiss on your network.

I would suggest that a few hours of testing may not be sufficient to figure out if you have a rogue device. It may take several days or more before you see the problem arise again if it is indeed coming from one of your devices. Especially if one is actually compromised with malware -- it could be waiting for instructions from a C&C server and that could happen at any time in the future.

Make sure all devices on your network are up to date with firmware/software/security/Anti-Virus updates. Also ensure that you have proper security on your wifi (and even physical security for your wired network). Double check to make sure everything is properly configured in general and that there is a reason for each device to be online -- if it is not needed, take it offline for a few weeks; re-introduce 1 device at a time per week or so and observe for any odd behavior.

BTW, limiting the physical range of your wifi doesn't necessarily solve your security issue, if there is something that should not be attached to your network. Make sure you have proper security (WPA2 Personal) and a good password... maybe even change the password. Further, mapping out the MAC addresses of your devices can help you make sure that you know what is on the network -- it is faster to identify a device that does not belong on your network if you can identify and then isolate it by MAC address (yes, that could be spoofed, too, but starting simple).
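The MAC inventory suggested in the post above is easy to automate so it can be re-run every day while waiting for the problem to recur. The script below is an added example for this thread, not code from any poster: it merges the router's neighbour table (`ip neigh show`) with the dnsmasq lease file (`/tmp/dhcp.leases` on OpenWrt, one line per lease: expiry, MAC, IP, hostname, client-id) and diffs the result against a hand-maintained inventory of known MACs. The neighbour lines, lease lines and inventory embedded in it are constructed; the "RCA doorbell" label just reuses the device named in the thread.

```python
"""Diff the devices actually seen on the LAN against a known-MAC inventory.

Added example for this thread (not the original poster's code). The `ip neigh`
output, the dnsmasq lease lines and the inventory below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "192.168.1.23 dev br-lan lladdr 5c:cf:7f:12:34:56 REACHABLE"
NEIGH_RE = re.compile(r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+).*?\blladdr\s+(?P<mac>\S+)")


@dataclass
class Device:
    mac: str
    ips: set[str] = field(default_factory=set)
    hostname: str = ""
    label: str = ""          # from the inventory; empty means unknown


def normalize_mac(mac: str) -> str:
    """Accept 5C-CF-7F-12-34-56, 5ccf.7f12.3456, etc.; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ip_neigh(text: str):
    """Yield (mac, ip, dev) from `ip neigh show`; entries without lladdr (FAILED) are skipped."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield normalize_mac(m["mac"]), m["ip"], m["dev"]


def parse_dhcp_leases(text: str):
    """Yield (mac, ip, hostname) from dnsmasq's lease file: expiry mac ip hostname clientid."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            yield normalize_mac(f[1]), f[2], "" if f[3] == "*" else f[3]


def inventory_diff(neigh_text: str, leases_text: str, known: dict[str, str]):
    """Return (unknown, recognised) device lists, merged by MAC and sorted by MAC."""
    labels = {normalize_mac(k): v for k, v in known.items()}
    seen: dict[str, Device] = {}
    for mac, ip, _dev in parse_ip_neigh(neigh_text):
        seen.setdefault(mac, Device(mac)).ips.add(ip)
    for mac, ip, host in parse_dhcp_leases(leases_text):   # leases catch devices whose
        d = seen.setdefault(mac, Device(mac))               # neighbour entry already aged out
        d.ips.add(ip)
        if host:
            d.hostname = host
    for d in seen.values():
        d.label = labels.get(d.mac, "")
    devices = sorted(seen.values(), key=lambda d: d.mac)
    return [d for d in devices if not d.label], [d for d in devices if d.label]


# Constructed inventory: any MAC notation is accepted.
KNOWN = {
    "5C-CF-7F-12-34-56": "RCA doorbell",
    "a45e.6001.0203": "laptop",
}
SAMPLE_NEIGH = """\
192.168.1.23 dev br-lan lladdr 5c:cf:7f:12:34:56 REACHABLE
192.168.1.40 dev br-lan lladdr a4:5e:60:01:02:03 STALE
192.168.1.77 dev br-lan lladdr b8:27:eb:aa:bb:cc REACHABLE
192.168.1.90 dev br-lan  FAILED
fe80::a65e:60ff:fe01:203 dev br-lan lladdr a4:5e:60:01:02:03 router STALE
"""
SAMPLE_LEASES = """\
1717171717 5c:cf:7f:12:34:56 192.168.1.23 RCA-doorbell 01:5c:cf:7f:12:34:56
1717171800 b8:27:eb:aa:bb:cc 192.168.1.77 * 01:b8:27:eb:aa:bb:cc
"""

if __name__ == "__main__":
    unknown, recognised = inventory_diff(SAMPLE_NEIGH, SAMPLE_LEASES, KNOWN)
    for d in unknown:
        print(f"UNKNOWN  {d.mac}  {sorted(d.ips)}  host={d.hostname or '-'}")
    for d in recognised:
        print(f"known    {d.mac}  {sorted(d.ips)}  {d.label}")
```

On the sample the device at b8:27:eb:aa:bb:cc comes out as unknown (it holds a lease but sent no hostname), while the doorbell and the laptop are recognised, the laptop with both its IPv4 and link-local IPv6 addresses merged under one MAC. As the post says, a MAC can be spoofed, so an empty unknown list is not proof of a clean network; it is a cheap first filter that tells you which device to pull off the network and look at first.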

I only limited the range to help isolate devices while troubleshooting. I have changed the passwords on all of the routers and IoT devices and everything is on WPA2. I have also mapped all devices and know what is on my network.

Thanks for your suggestions. This is a real hairball, and since it is sporadic, it is frustrating to debug.

1 Like