Need to be unblocked by CBL

The IP is infected with spamware, most recently detected at:

2009:04:07 ~16:00 UTC+/- 15 minutes (approximately 10 hours ago)

It will be one of the following scenarios:

1) It's a NAT firewall, in which case it is a NAT
   in front of a machine that is infected with spam
   sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

Note that while this description may seem vague, be assured that there is NO POSSIBILITY that this listing was caused by any form of legitimate mail or network activity.  Secondly, there is also NO POSSIBILITY that the IP address was spoofed.  Thirdly, the presence or lack of anti-virus software in your mail server CANNOT and DOES NOT prevent this from happening, because most of these infections contain their own mail clients, and they bypass your mail server software.

You will need to examine the machine for a virus or spam sending spyware/adware/worm.

Up-to-date anti-virus and anti-spyware tools are essential.

For NAT firewalls, we recommend you pay careful attention to the next paragraph:

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.  Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.

Running a combination of anti-spyware and anti-virus programs should help to find the malware.

It is unfortunate, however, the track record of current/popular Anti-Virus software at finding current and severe threats is abysmal.
In fact, recent studies have shown that "new" threats are only caught by _any_ of 35 of the most common A-V packages 23% of the time, and that only improves to 50% after a month.  In other words, if you were running ALL of those 35 A-V products at once, a new threat would be caught only 23% of the time by _any_ of them. (the seccheck tester) will probably be the most helpful in analyzing system security, as well as yielding information we can use to help others to find/kill it.
However, Seccheck requires considerable Windows system internals experience, and other tools may be more appropriate.

"Hijackthis" is similar to seccheck.  There are online forums where you can upload hijackthis reports and have an expert analyse them, identify what is wrong, and make suggestions on how to fix it.

Perhaps one of the best tools for spot-removal of specific current and common threats without requiring very high levels of expertise is the Microsoft Malicious Software Removal tool (MSRT) at

MSRT is NOT a replacement for a good A-V scanner.  It's just good at finding/removing many of the BOTs we detect (eg: cutwail, srizbi, storm, etc).

MSRT is continuously updated with new heuristics.  If your copy of MSRT is more than a day or two old, download it from Microsoft again.

If this IP is a firewall, scanning/eradication of viruses on your internal network will NOT reliably keep the IP out of the CBL.
You MUST apply the configuration changes we recommend above to NAT firewalls.
If you are running Barracuda, you MUST turn off the "bounce spam and viruses" option.  As spam and viruses are always forged, the "bounce" feature simply results in mailbombing innocent third parties with misdirected garbage - in other words, the Barracuda is spamming.
I've removed the entry from the list.
It may take a few hours to propogate to the public nameservers.
WARNING: the CBL WILL relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.
Other IP-based reputation lists are also listing your IP address:      Info: Barracuda (BRBL) blacklist
  Blocked - see      Info: Hitting spam traps or generates high complaint/valid email ratio
  Listed in PSBL, see      Info: See

Who is Participating?
You need to monitor the blocked connections, and trace back to the source and clean the infections. You need to contact the remaining blacklist administrators and fill the de-listing form.

You need to do the following:

1) Check your Internet gateways and find any leak (ACL or FW policies) that may allow outbound SMTP traffic from workstations.

2) Only allow your authorized mail server to send outbound SMTP traffic

3) Trace the source of infection and disconnect it

4) Check your MX IP against BL and start contacting them (

5) If the SPAM traffic is not stopped, you may face permanent blacklisting.

The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow your authorized mail server or anti-spam solution (ex. ironmail/ironport/barracuda..etc) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it would take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted becuase they forgot to secure the Wifi LAN and allowed Any traffic to leave. They didn't calculated the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3/, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (ex. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance,

5) Antivirus & HIPS: I don't need to discuss too much about this point. Many MX blacklisting incidents happened due to a computer left without installing antivirus scanner. So, always scan your network and push the AV client.  Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give your ours !. HIPS is an excellent layer of defense that complements the AV scanner.

A Symantec Certified Specialist @ your service
s0nicAuthor Commented:
So I've install AV on all computers and malwarebytes on all computers and I've ran a scan on all. Everything checks out clean and I've ran it twice. As for my firewall port 25 is only used by my exchange server. However, I have 3 users here that are using pop they are not part of the company but they use the same outgoing ip address. What I did was I created a firewall rule for them for pop and smtp just for their address range. I hope that helps. I've also ran all AV and malwarebytes on their computer. So far only one has checked out bad, but it has been cleaned. My firewall doesn't show any signs of smtp bouncing back or being blocked.

Could that be the problem the 3 users? Even though they check out clean?
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

One of them could be the source of SPAM e-mails. You need to be careful next time when you give normal users the permission to send e-mails through the FW.

Did you contact the blacklist site administrator/support to de-list your MX ?
s0nicAuthor Commented:
Yes I did. So far after running all the AV on all machines today I'm only listed in 2 instead of 4. I don't know what happened there. However I'm noticing a lot more emails have gone through yet new ones are being blocked??
s0nicAuthor Commented:
Thanks for the step by step instructions. So far were on our way to good. Any remaining blacklist will be contacted.
My pleasure :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.