Solved

Need to be unblocked by CBL

Posted on 2009-04-07
Last Modified: 2013-11-22
The IP is infected with spamware, most recently detected at:

2009:04:07 ~16:00 UTC+/- 15 minutes (approximately 10 hours ago)


It will be one of the following scenarios:

1) It's a NAT firewall, in which case it is a NAT
   in front of a machine that is infected with spam
   sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

Note that while this description may seem vague, be assured that there is NO POSSIBILITY that this listing was caused by any form of legitimate mail or network activity.  Secondly, there is also NO POSSIBILITY that the IP address was spoofed.  Thirdly, the presence or lack of anti-virus software in your mail server CANNOT and DOES NOT prevent this from happening, because most of these infections contain their own mail clients, and they bypass your mail server software.

You will need to examine the machine for a virus or spam sending spyware/adware/worm.

Up-to-date anti-virus and anti-spyware tools are essential.

For NAT firewalls, we recommend you pay careful attention to the next paragraph:

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.  Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.

Running a combination of anti-spyware and anti-virus programs should help to find the malware.

It is unfortunate, however, the track record of current/popular Anti-Virus software at finding current and severe threats is abysmal.
In fact, recent studies have shown that "new" threats are only caught by _any_ of 35 of the most common A-V packages 23% of the time, and that only improves to 50% after a month.  In other words, if you were running ALL of those 35 A-V products at once, a new threat would be caught only 23% of the time by _any_ of them.

http://www.mynetwatchman.com/tools/sc/ (the seccheck tester) will probably be the most helpful in analyzing system security, as well as yielding information we can use to help others to find/kill it.
However, Seccheck requires considerable Windows system internals experience, and other tools may be more appropriate.

"Hijackthis" is similar to seccheck.  There are online forums where you can upload hijackthis reports and have an expert analyse them, identify what is wrong, and make suggestions on how to fix it.

Perhaps one of the best tools for spot-removal of specific current and common threats without requiring very high levels of expertise is the Microsoft Malicious Software Removal tool (MSRT) at

      http://www.microsoft.com/security/malwareremove/default.mspx

MSRT is NOT a replacement for a good A-V scanner.  It's just good at finding/removing many of the BOTs we detect (eg: cutwail, srizbi, storm, etc).

MSRT is continuously updated with new heuristics.  If your copy of MSRT is more than a day or two old, download it from Microsoft again.


If this IP is a firewall, scanning/eradication of viruses on your internal network will NOT reliably keep the IP out of the CBL.
You MUST apply the configuration changes we recommend above to NAT firewalls.
If you are running Barracuda, you MUST turn off the "bounce spam and viruses" option.  As spam and viruses are always forged, the "bounce" feature simply results in mailbombing innocent third parties with misdirected garbage - in other words, the Barracuda is spamming.
I've removed the entry from the list.
It may take a few hours to propagate to the public nameservers.
WARNING: the CBL WILL relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.
Other IP-based reputation lists are also listing your IP address:

  http://www.barracudanetworks.com/reputation/?pr=1&ip=      Info: Barracuda (BRBL) blacklist
  Blocked - see http://www.spamcop.net/bl.shtml?      Info: Hitting spam traps or generates high complaint/valid email ratio
  Listed in PSBL, see http://psbl.surriel.com/listing?ip=      Info: See http://psbl.surriel.com/


Question by:s0nic
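The CBL notice above recommends blocking outbound port 25 from everything except the real mail server and then using the firewall's own logs to find the infected machine behind the NAT. The following is an added example of that second step, not code from the question or from the CBL; it assumes iptables-style LOG lines with constructed rule prefixes (EGRESS-SMTP-DROP / EGRESS-SMTP-ACCEPT) and constructed sample addresses, and ranks internal hosts by how many distinct remote mail servers they tried to reach on tcp/25, which is the fan-out pattern a spam bot produces.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables LOG-target style). The prefixes
# EGRESS-SMTP-DROP / EGRESS-SMTP-ACCEPT are assumed names for the egress rules that
# log outbound tcp/25; 192.168.1.10 plays the role of the authorised mail server.
SAMPLE_LOG = """\
Apr  7 15:58:01 fw kernel: EGRESS-SMTP-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49213 DPT=25 SYN
Apr  7 15:58:02 fw kernel: EGRESS-SMTP-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.22 PROTO=TCP SPT=49214 DPT=25 SYN
Apr  7 15:58:02 fw kernel: EGRESS-SMTP-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.99 PROTO=TCP SPT=49215 DPT=25 SYN
Apr  7 15:58:05 fw kernel: EGRESS-SMTP-DROP IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=203.0.113.44 PROTO=TCP SPT=51002 DPT=25 SYN
Apr  7 15:58:07 fw kernel: EGRESS-SMTP-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=25 SYN
Apr  7 15:58:09 fw kernel: EGRESS-WEB IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49216 DPT=80 SYN
"""

# Only lines carrying one of the SMTP egress prefixes are of interest.
LINE_RE = re.compile(
    r"EGRESS-SMTP-(?P<action>DROP|ACCEPT)\b.*?"
    r"\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"\bDST=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_line(line):
    """Return the fields of one SMTP egress log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dpt")),
    }


def suspect_hosts(log_text, allowed_senders):
    """Aggregate outbound tcp/25 attempts per internal host, skipping the allowed mail servers.

    Both DROP and ACCEPT lines are counted: an ACCEPT from a workstation means the
    egress rule has a hole, and that host still needs a look.
    """
    per_host = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 25:
            continue
        if rec["src"] in allowed_senders:
            continue  # the real mail server is supposed to speak on tcp/25
        host = per_host[rec["src"]]
        host["attempts"] += 1
        host["destinations"].add(rec["dst"])
    return {
        src: {"attempts": h["attempts"], "distinct_destinations": len(h["destinations"])}
        for src, h in per_host.items()
    }


def ranked(report):
    """Most suspicious first: many distinct remote mail servers, then raw attempt count."""
    return sorted(
        report.items(),
        key=lambda kv: (kv[1]["distinct_destinations"], kv[1]["attempts"]),
        reverse=True,
    )


if __name__ == "__main__":
    for src, stats in ranked(suspect_hosts(SAMPLE_LOG, {"192.168.1.10"})):
        print(f"{src}: {stats['attempts']} outbound tcp/25 attempts "
              f"to {stats['distinct_destinations']} distinct mail servers")
```

On the sample, 192.168.1.57 comes out on top (three attempts to three different servers in a second), which is the machine to pull off the network and scan; the single attempt from 192.168.1.80 still deserves a look, since a legitimate workstation behind an Exchange server has no reason to open tcp/25 to the Internet at all.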
7 Comments
 
LVL 15

Expert Comment

by:xmachine
ID: 24093847
Hi,

You need to do the following:

1) Check your Internet gateways and find any leak (ACL or FW policies) that may allow outbound SMTP traffic from workstations.

2) Only allow your authorized mail server to send outbound SMTP traffic

3) Trace the source of infection and disconnect it

4) Check your MX IP against BL and start contacting them (http://www.mxtoolbox.com/blacklists.aspx)

5) If the SPAM traffic is not stopped, you may face permanent blacklisting.


The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow your authorized mail server or anti-spam solution (ex. ironmail/ironport/barracuda..etc) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it would take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed Any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3/, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (ex. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

http://www.arbornetworks.com/
http://www.genienrm.com/
http://www.narus.com/
http://www.lancope.com/
http://www.flukenetworks.com/

4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance, http://www.towerdata.com/services/email/deliverability/repcheck.html

5) Antivirus & HIPS: I don't need to discuss too much about this point. Many MX blacklisting incidents happened due to a computer left without installing antivirus scanner. So, always scan your network and push the AV client.  Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

A Symantec Certified Specialist @ your service
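Step 4 above (check your MX IP against the blacklists) and checklist item 4 (reputation monitoring) both come down to DNSBL lookups, which is what sites like mxtoolbox do behind the form. The following is an added example, not code from the comment or from any of the services named; the zone names are placeholders (dnsbl.example.net, dead.example.org, bl.example.com), the FAKE_ANSWERS table is constructed so the code runs offline, and the sanity check follows the RFC 5782 convention that 127.0.0.2 must be listed and 127.0.0.1 must not be.

```python
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reverse the four octets and append the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Real resolver: the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret_answer(answer):
    """A DNSBL signals 'listed' with an A record inside 127.0.0.0/8.

    Anything else (NXDOMAIN, or a public address from a parked/wildcarded zone)
    is not a listing, so a dead list can never produce a false 'listed' result.
    """
    return answer is not None and answer.startswith("127.")


def zone_is_sane(zone, resolver=resolve_a):
    """Health check from RFC 5782: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    positive = resolver(dnsbl_query_name("127.0.0.2", zone))
    negative = resolver(dnsbl_query_name("127.0.0.1", zone))
    return interpret_answer(positive) and not interpret_answer(negative)


def check_dnsbls(ip, zones, resolver=resolve_a):
    """Query every zone for ip and report the raw answer plus the listed/not-listed verdict."""
    results = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        results[zone] = {"answer": answer, "listed": interpret_answer(answer)}
    return results


# Constructed answers standing in for DNS so the example runs offline:
# dnsbl.example.net behaves like a working list that has 203.0.113.10 on it;
# dead.example.org answers everything with a public address (a parked zone).
FAKE_ANSWERS = {
    "10.113.0.203.dnsbl.example.net": "127.0.0.2",
    "2.0.0.127.dnsbl.example.net": "127.0.0.2",
    "10.113.0.203.dead.example.org": "198.51.100.1",
    "2.0.0.127.dead.example.org": "198.51.100.1",
    "1.0.0.127.dead.example.org": "198.51.100.1",
}

PLACEHOLDER_ZONES = ["dnsbl.example.net", "dead.example.org", "bl.example.com"]

if __name__ == "__main__":
    # Replace resolver=FAKE_ANSWERS.get with the default to query real lists.
    for zone, verdict in check_dnsbls("203.0.113.10", PLACEHOLDER_ZONES, resolver=FAKE_ANSWERS.get).items():
        sane = zone_is_sane(zone, FAKE_ANSWERS.get)
        print(f"{zone:20} listed={verdict['listed']!s:5} answer={verdict['answer']} zone_ok={sane}")
```

Running this on a schedule against your outgoing NAT address, with real zones substituted for the placeholders, gives the early warning the checklist asks for; the zone sanity check matters because a list that has shut down and wildcarded its domain would otherwise look as though it had listed every address on earth.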

Author Comment

by:s0nic
ID: 24100323
So I've installed AV on all computers and Malwarebytes on all computers and I've run a scan on all. Everything checks out clean and I've run it twice. As for my firewall port 25 is only used by my exchange server. However, I have 3 users here that are using pop they are not part of the company but they use the same outgoing ip address. What I did was I created a firewall rule for them for pop and smtp just for their address range. I hope that helps. I've also run all AV and Malwarebytes on their computer. So far only one has checked out bad, but it has been cleaned. My firewall doesn't show any signs of smtp bouncing back or being blocked.

Could that be the problem the 3 users? Even though they check out clean?
LVL 15

Expert Comment

by:xmachine
ID: 24104514
One of them could be the source of SPAM e-mails. You need to be careful next time when you give normal users the permission to send e-mails through the FW.

Did you contact the blacklist site administrator/support to de-list your MX ?

Author Comment

by:s0nic
ID: 24112625
Yes I did. So far after running all the AV on all machines today I'm only listed in 2 instead of 4. I don't know what happened there. However I'm noticing a lot more emails have gone through yet new ones are being blocked??
LVL 15

Accepted Solution

by:
xmachine earned 500 total points
ID: 24115433
You need to monitor the blocked connections, and trace back to the source and clean the infections. You need to contact the remaining blacklist administrators and fill the de-listing form.

Author Closing Comment

by:s0nic
ID: 31567850
Thanks for the step by step instructions. So far we're on our way to good. Any remaining blacklist will be contacted.
LVL 15

Expert Comment

by:xmachine
ID: 24135198
My pleasure :)