This came as a surprise today: I set up a server-based RSS reader and could not get WHT's forum RSS feeds. A little digging revealed it was the default APF installation that was blocking the 22.214.171.124/8 range, which includes WHT and a chunk of Softlayer's IP range.
The quick fix is easy: just remove that range from the /etc/apf/internals/reserved.networks file and restart. This is in the latest APF version; I don't know how many APF versions back this block goes.
The APF folks do a fantastic job of keeping APF up to date, but this seems to be a recent update to this particular IP range that hasn't made it into APF yet.
It turns out that newer versions of APF already have a built-in solution to this and future address space allocations as the internet grows. The DLIST_* options can be turned on in conf.apf for automatic update downloads.
The particular option for newly allocated IP address blocks is DLIST_RESERVED; set it to "1" and new IP blocks will stop being blocked by APF. According to the response I got from the APF group, 174/8 has already been updated; it only appears after updates are enabled, though.
The APF built-in solution is obviously better than my original quick-fix suggestion.
Those of you who use my exploited servers blocklist are already aware that Softlayer's IP range is in the list of servers being exploited for spam and hosting malware. The IP range is expressed as what is known as a CIDR, and in the case of Softlayer the CIDR to block is 126.96.36.199/16 - which covers all IP addresses from 188.8.131.52 through 184.108.40.206. The CIDR assigned to the infected Italian website is 220.127.116.11/28. This message has already been reported to SpamCop by numerous reporting recipients. They will notify the companies involved in hosting this malware threat, but the timing of this spam threat is no coincidence. This threat was released on the Easter long holiday weekend, when support personnel may be out or short-handed until Tuesday, in the hopes of maximizing the usability of the ruse.
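Both the reserved.networks problem above and the CIDR notation in the blocklist post come down to the same question: which addresses does a given CIDR cover, and does a list of CIDRs catch a host you actually need to reach? The following is an added example, not code from APF or from either post. It parses a constructed list in the one-CIDR-per-line, `#`-comment layout that reserved.networks uses (the entries are sample values, not copied from any APF release; the 174.0.0.0/8 entry stands in for the 174/8 block the post mentions, and 203.0.113.0/28 is documentation address space standing in for a single blocked host range), reports the first and last address of a CIDR, and shows how dropping one entry, as the quick fix does, changes the verdict for a host in that range.

```python
import ipaddress

# Constructed sample in the reserved.networks layout (hypothetical content,
# not taken from any APF release): one CIDR per line, '#' starts a comment.
RESERVED_NETWORKS = """\
# private / reserved space
10.0.0.0/8
# block that turned out to contain hosts we need (stand-in for 174/8)
174.0.0.0/8
# blocklist entry for a single compromised host range (constructed)
203.0.113.0/28
"""


def parse_network_list(text):
    """Parse a reserved.networks-style list into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        # strict=False accepts entries with host bits set (e.g. 174.1.2.3/8),
        # which a firewall rule would still treat as the whole /8.
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def cidr_bounds(cidr):
    """Return (first, last) address covered by a CIDR, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def blocking_entry(ip, nets):
    """Return the first list entry that covers ip, or None if ip passes."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def without(nets, cidr):
    """The quick-fix from the post: the same list minus one entry."""
    drop = ipaddress.ip_network(cidr, strict=False)
    return [n for n in nets if n != drop]


if __name__ == "__main__":
    nets = parse_network_list(RESERVED_NETWORKS)
    print("174.0.0.0/8 covers", cidr_bounds("174.0.0.0/8"))
    print("203.0.113.0/28 covers", cidr_bounds("203.0.113.0/28"))
    # 174.0.0.1 is a constructed host inside the /8
    print("174.0.0.1 blocked by:", blocking_entry("174.0.0.1", nets))
    print("after removing the /8:",
          blocking_entry("174.0.0.1", without(nets, "174.0.0.0/8")))
```

Running this against a real /etc/apf/internals/reserved.networks is a quick way to confirm, before restarting the firewall, which entry is swallowing a feed host; note that an entry written as a bare `174/8`, as the APF reply phrases it, is not valid input for `ipaddress` and would need to be expanded to `174.0.0.0/8` first.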