The IP is infected with spamware, most recently detected at:
2009:04:07 ~16:00 UTC+/- 15 minutes (approximately 10 hours ago)
It will be one of the following scenarios:
1) It's a NAT firewall, in which case it is a NAT in front of a machine that is infected with spamware.
2) It's directly infected with spam-sending spamware.
This IP has or is NAT'ing for a pharma2 BOT infection.
Note that while this description may seem vague, be assured that there is NO POSSIBILITY that this listing was caused by any form of legitimate mail or network activity. Secondly, there is also NO POSSIBILITY that the IP address was spoofed. Thirdly, the presence or lack of anti-virus software in your mail server CANNOT and DOES NOT prevent this from happening, because most of these infections contain their own mail clients, and they bypass your mail server software.
You will need to examine the machine for a virus or spam sending spyware/adware/worm.
Up-to-date anti-virus and anti-spyware tools are essential.
For NAT firewalls, we recommend you pay careful attention to the next paragraph:
If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers. Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.
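The port-25 egress policy above turns the firewall into a sensor: once only the real mail servers may connect outbound on TCP/25, every other internal host that tries is a candidate infection. The following added example (not part of the CBL listing text, and not CBL's tooling) parses constructed firewall log lines in the netfilter/iptables "LOG" target layout and reports internal hosts attempting outbound SMTP that are not on the allowed-mail-server list. The addresses, hostnames, log prefix and allow-list are all constructed for the demo.

```python
"""
Added example: find internal hosts attempting outbound TCP/25 through a NAT
firewall, using the firewall's own log lines.

A matching egress policy on a Linux NAT box would look like this (assumption,
not from the listing text):
  iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-EGRESS "
  iptables -A FORWARD -p tcp --dport 25 -s 192.0.2.10 -j ACCEPT   # the real MTA
  iptables -A FORWARD -p tcp --dport 25 -j DROP
The LOG rule comes first so every port-25 attempt, allowed or not, is recorded.
"""
import re
from collections import Counter

# Internal machines that are allowed to speak SMTP to the Internet (constructed).
ALLOWED_MAIL_SERVERS = {"192.0.2.10"}

# Fields we need from a netfilter LOG line: SRC=, DST=, PROTO=, DPT=.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?"
    r"PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines (netfilter LOG format, documentation-range addresses).
SAMPLE_LOG = """\
Apr  7 15:58:01 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  7 15:58:02 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=198.51.100.6 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1026 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  7 15:58:03 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1027 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  7 15:58:04 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=192.0.2.44 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4 DF PROTO=TCP SPT=1028 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  7 15:58:05 fw kernel: SMTP-EGRESS IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  7 15:58:06 fw kernel: OTHER IN=eth1 OUT=eth0 SRC=192.0.2.57 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=6 DF PROTO=UDP SPT=1029 DPT=25 LEN=20
"""


def parse_log_line(line):
    """Return (src, dst, proto, dport) from a netfilter LOG line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def smtp_egress_offenders(log_text, allowed=ALLOWED_MAIL_SERVERS, min_attempts=1):
    """Count outbound TCP/25 connection attempts per internal source address,
    skipping the hosts that are supposed to be mail servers. Returns a dict
    mapping source IP -> attempt count for hosts at or above min_attempts."""
    attempts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, _dst, proto, dport = parsed
        # Only TCP to port 25 is SMTP; UDP/25 and other ports are not of interest here.
        if proto != "TCP" or dport != 25 or src in allowed:
            continue
        attempts[src] += 1
    return {src: n for src, n in attempts.items() if n >= min_attempts}


if __name__ == "__main__":
    offenders = smtp_egress_offenders(SAMPLE_LOG)
    for src, n in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} outbound SMTP attempt(s) - examine this host for spamware")
```

Run against the real firewall log instead of SAMPLE_LOG by passing the file contents to smtp_egress_offenders; raising min_attempts filters out a single stray connection and leaves the hosts that hammer port 25 the way a spambot does. A host that shows up here and is not a mail server is the machine to scan and clean.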
Running a combination of anti-spyware and anti-virus programs should help to find the malware.
Unfortunately, however, the track record of current/popular Anti-Virus software at finding current and severe threats is abysmal.
In fact, recent studies have shown that "new" threats are only caught by _any_ of 35 of the most common A-V packages 23% of the time, and that only improves to 50% after a month. In other words, if you were running ALL of those 35 A-V products at once, a new threat would be caught only 23% of the time by _any_ of them.
(the seccheck tester) will probably be the most helpful in analyzing system security, as well as yielding information we can use to help others to find/kill it.
However, Seccheck requires considerable Windows system internals experience, and other tools may be more appropriate.
"Hijackthis" is similar to seccheck. There are online forums where you can upload hijackthis reports and have an expert analyse them, identify what is wrong, and make suggestions on how to fix it.
Perhaps one of the best tools for spot-removal of specific current and common threats without requiring very high levels of expertise is the Microsoft Malicious Software Removal tool (MSRT) at
MSRT is NOT a replacement for a good A-V scanner. It's just good at finding/removing many of the BOTs we detect (e.g. Cutwail, Srizbi, Storm, etc.).
MSRT is continuously updated with new heuristics. If your copy of MSRT is more than a day or two old, download it from Microsoft again.
If this IP is a firewall, scanning/eradication of viruses on your internal network will NOT reliably keep the IP out of the CBL.
You MUST apply the configuration changes we recommend above to NAT firewalls.
If you are running Barracuda, you MUST turn off the "bounce spam and viruses" option. As the sender addresses of spam and viruses are always forged, the "bounce" feature simply results in mailbombing innocent third parties with misdirected garbage - in other words, the Barracuda is spamming.
I've removed the entry from the list.
It may take a few hours to propagate to the public nameservers.
WARNING: the CBL WILL relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.
Other IP-based reputation lists are also listing your IP address:
Info: Barracuda (BRBL) blacklist
Blocked - see http://www.spamcop.net/bl.shtml?
Info: Hitting spam traps or generates high complaint/valid email ratio
Listed in PSBL, see http://psbl.surriel.com/listing?ip=
Info: See http://psbl.surriel.com/