Sent email rejected due to Spamhaus CBL listing reported as s_gozi infection
Posted on 2012-08-21
I am getting a rejection message from an email sent via Outlook 2010 and SBS 2011 / Exchange to an outside email address. It gives a message indicating that Spamhaus has listed the IP address of the organization in the CBL with the following message (IP changed for security - the actual message contained our public-facing IP address.):
IP Address 192.168.1.100 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2012-08-21 19:00 GMT (+/- 30 minutes), approximately 8 hours ago.
This IP is infected with, or is NATting for a machine infected with s_gozi
Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.
This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.
What steps do I need to take to determine the severity and remove the threat? I have clicked on the link to delist the IP address, so that should get the email flowing again, but I need to address this issue the right way.
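The CBL notice above says the listed public IP "is infected with, or is NATting for" an infected machine, so the first practical step is to work out which internal host behind the NAT is the one talking to the outside. The following is an added example, not code from the original post: it triages outbound connection records from an edge firewall to surface two things the listing implies, a non-mail host speaking SMTP directly to the Internet (the "spam sending trojan" behaviour) and a host repeatedly contacting one external address (the C&C contact the CBL sensor observed). The key=value log format, the internal network 192.168.1.0/24, the mail server address 192.168.1.10 and the TEST-NET destination addresses are all constructed assumptions for illustration; adapt the regex to whatever the actual firewall or SBS router logs.

```python
"""Triage NAT/firewall logs to find which internal host a CBL listing points at.

Added example (not from the original post). Assumes the edge firewall logs
outbound connections in a simple key=value syslog style; the format,
hostnames and addresses below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: an SBS network behind one NAT'd public IP. The Exchange
# server is 192.168.1.10 (assumed); a workstation (192.168.1.57) is speaking
# SMTP to outside hosts and repeatedly contacting one external address.
SAMPLE_LOG = """\
2012-08-21T18:40:02 fw: OUT SRC=192.168.1.10 DST=198.51.100.25 PROTO=TCP DPT=25
2012-08-21T18:40:09 fw: OUT SRC=192.168.1.23 DST=203.0.113.8 PROTO=TCP DPT=443
2012-08-21T18:40:11 fw: OUT SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP DPT=8080
2012-08-21T18:40:41 fw: OUT SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP DPT=8080
2012-08-21T18:41:11 fw: OUT SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP DPT=8080
2012-08-21T18:41:14 fw: OUT SRC=192.168.1.57 DST=198.51.100.201 PROTO=TCP DPT=25
2012-08-21T18:41:15 fw: OUT SRC=192.168.1.57 DST=198.51.100.202 PROTO=TCP DPT=25
2012-08-21T18:41:16 fw: OUT SRC=192.168.1.57 DST=198.51.100.203 PROTO=TCP DPT=25
2012-08-21T18:41:41 fw: OUT SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP DPT=8080
2012-08-21T18:41:50 fw: OUT SRC=192.168.1.23 DST=203.0.113.9 PROTO=UDP DPT=53
"""

# Constructed log format: timestamp, logger tag, direction, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ OUT SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (src, dst, proto, dport) for each outbound line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], m["dst"], m["proto"], int(m["dport"]))


def triage(text, mail_server, internal_net="192.168.1.0/24", repeat_threshold=3):
    """Return two indicators of an infected host behind the NAT.

    smtp_offenders: internal hosts other than the mail server opening
        outbound TCP/25. On an SBS/Exchange network only Exchange should
        talk SMTP to the Internet, so anything else is a spam-bot candidate.
    repeat_contacts: (src, dst, dport) tuples seen at least repeat_threshold
        times, i.e. a host repeatedly contacting one outside address, which
        is the kind of traffic the CBL sensor saw coming from the public IP.
    """
    net = ipaddress.ip_network(internal_net)
    smtp = Counter()
    contacts = Counter()
    for src, dst, proto, dport in parse_log(text):
        if ipaddress.ip_address(src) not in net:
            continue  # not an internal host; ignore
        if proto == "TCP" and dport == 25 and src != mail_server:
            smtp[src] += 1
        contacts[(src, dst, dport)] += 1
    repeats = {k: v for k, v in contacts.items() if v >= repeat_threshold}
    return {"smtp_offenders": dict(smtp), "repeat_contacts": repeats}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, mail_server="192.168.1.10")
    for host, n in result["smtp_offenders"].items():
        print(f"direct SMTP from non-mail host {host}: {n} connections")
    for (src, dst, dport), n in result["repeat_contacts"].items():
        print(f"{src} -> {dst}:{dport} seen {n} times")
```

Run against the real firewall export with the actual Exchange server address as `mail_server`; any host that shows up in `smtp_offenders` should be pulled off the network and imaged or rebuilt before the IP is delisted again, and a firewall rule allowing outbound TCP/25 only from the Exchange server stops a reinfected workstation from getting the IP relisted. The repeat-contact list is only a lead, not proof: legitimate update agents also beacon, so correlate the flagged destination with the time the CBL reported ("last detected at 2012-08-21 19:00 GMT") before drawing conclusions.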