• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2296

Sent email rejected due to spamhaus CBL listing reported as s_gozi infection

I am getting a rejection message from an email sent via Outlook 2010 and SBS 2011 / Exchange to an outside email address. It gives a message indicating that Spamhaus has listed the IP address of the organization in the CBL with the following message (IP changed for security - the actual message contained our public-facing IP address.):

IP Address 192.168.1.100 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2012-08-21 19:00 GMT (+/- 30 minutes), approximately 8 hours ago.

This IP is infected with, or is NATting for a machine infected with s_gozi

Note: If you wish to look up this bot name via the web, remove the "s_" before you do your search.

This was detected by observing this IP attempting to make contact to a s_gozi Command and Control server, with contents unique to s_gozi C&C command protocols.

What steps do I need to take to determine the severity and remove the threat? I have clicked on the link to delist the IP address, so that should get the email flowing again but I need to address this issue the right way.
0
Norm Dickinson
1 Solution
 
fjkaykr11 commented:
I had a similar problem a while ago with our email server on our domain being blocked.  From what I can recall I had to contact http://www.spamhaus.org/ and request removal from their blacklist.  Also, I had to identify and fix the infected computer on the network that was being used as a spambot.  It took about 2 hours to be removed from the list.
0
 
Norm Dickinson (Guru, Author) commented:
Yes, I have requested the removal from the list but cannot detect any infections. We are using McAfee VirusScan Enterprise with all the updates and the message states that this is a particularly hard infection to detect. Are there tools specifically designed for it or particular tracks it leaves?
0
 
fjkaykr11 commented:
I had the same problem with the AV software (Norton EndPoint Protection) not picking it up either.  I was able to find the infected computer because it wasn't connecting to the internet properly.  I had to reinstall the OS on it.  At the time I discovered the problem -- someone else mentioned that the SMTP Service shouldn't be running on the workstation - that might be the computer that is infected if it is.  I made sure that wasn't disabled.
0
 
Norm Dickinson (Guru, Author) commented:
I was really hoping for a detailed answer on detection and removal instructions. However, you gave it your best shot so I am going to mark this answer as accepted - and resubmit my question with a slightly different wording, hoping for a better answer. Please ignore that one? Thanks.
0
 
Norm Dickinson (Guru, Author) commented:
Was looking for a detailed answer and this was very general...thanks for trying.
0
 
fjkaykr11 commented:
That is how I resolved my issue. In some cases you have to leave a question up for a few more days to get more detailed feedback.
0
 
Norm Dickinson (Guru, Author) commented:
Thanks again. I know that was solid advice and what you needed to solve your problem, which is why I marked your answer as correct and awarded points. I didn't give it a full A rating due to the general nature of it and I have since posted the question again in a slightly different wording and gotten the answer I was looking for. Feel free to review it for your own use.

http://www.experts-exchange.com/Software/Internet_Email/Email/Anti_Spam/Q_27839500.html#a38324691
0
