Listed on Spamhaus Project Composite Blocking List

A few hours ago we were reported on the Spamhaus Project Composite Blocking List. We are trying to find out why, the source record, and removal from this list. We have numerous clients we are unable to send email to at this time. The CBL just has a link for removal but we want to find the source so this does not keep happening.

Any assistance offered would be greatly appreciated.
regsamp Asked:
SsbMs Commented:
You have to dig into SMTP gateway logs for the top sender; also check the reply-to address. Such issues occur when any cloud hosted/internet facing application is sending such mails to the internet with illegal information. You may say spoofing.
0
regsamp Author Commented:
Can you give more specific steps as I am not sure I understood correctly?
0
Simon Butler (Sembee) Consultant Commented:
Have you actually queried the Spamhaus database?
CBL is something else completely. It is another list that contains the Spamhaus list. You need to follow the trail with the various blacklist lookups. Those will then tell you why you have been listed.

Most common reason is you have a compromised machine on your network and it is sending out spam. Main reason for giving Exchange its own IP address.

Simon.
0

regsamp Author Commented:
Some users are getting the following message back with rejected email: Client host [xxx.xx.xxx.xxx] blocked using Spamhaus Blocklist, mail from IP banned; To request removal from this list see http://www.spamhaus.org/query/bl?ip=xxx.xx.xxx.xxx

When we go to the link we go to the website and we are getting a message that our IP is on the CBL list and it is because of the "ZeroAccess" bot instance. We are currently scanning every machine in the domain with Malwarebytes and Kaspersky.
0
Simon Butler (Sembee) Consultant Commented:
Do your users need to access external SMTP servers?
If not, then block port 25 for everything but the Exchange server. Then increase the logging on the firewall and see what is trying to access the outside world.

Simon.
0
regsamp Author Commented:
They do not. After all the scans being done and everything being removed that looked bad, we are monitoring to see what happens. I will see about blocking the port if this starts to happen again and hopefully we can see what is happening with the firewall logs.
0
Simon Butler (Sembee) Consultant Commented:
Funnily enough, I am dealing with this exact issue, same bot, same blacklist, right now. One of my clients got blacklisted yesterday, so it has to be something new.
I have tracked the machine down by monitoring the firewall for HTTP traffic - the BOT doesn't send out much spam, but it does try to query a lot of IP addresses in some weird countries.

Simon.
0
regsamp Author Commented:
We have a new SonicWall so I am still learning the logging, but that is a good idea to just try and narrow it down with SonicWall staff and just constantly check the activity. Did you run Malwarebytes for the BOT or did you need something different?
0
Simon Butler (Sembee) Consultant Commented:
I haven't actually got on to the infected machine yet. I have identified it and put it in a blackhole (no default gateway) to stop the traffic, just waiting to get on the system - it is a machine of a director (And XP as well). Not sure what will remove it yet.

Simon.
0
regsamp Author Commented:
Okay. I was just curious if you had and if you did what removed it. I would be curious if you could let me know when you do. Thank you.
0
patrickjmaloney Commented:
I am dealing with this exact scenario. We are getting blacklisted for ZeroAccess. I have scanned every machine in the network and cannot find any signs of this particular bot. Any advice would be appreciated.
0
patrickjmaloney Commented:
Simon - How did you locate the infected machine? That is currently my biggest challenge.
0
Simon Butler (Sembee) Consultant Commented:
The client has a Draytek Vigor.
I watched the logs for a lot of unknown host traffic on port 80 (which is the workstation trying to connect to a C&C server). It stuck out a lot.

When I got to the workstation, the AV software had dealt with it. The user was only a regular user, not an admin, so it wasn't able to get heavily integrated.

Blocking port 25 outbound will probably help as well, although this bot doesn't send much spam.

Simon.
0
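An added example, not from the thread, of the two firewall-log checks Simon describes above: flagging internal hosts that talk to port 25 directly instead of relaying through the Exchange server, and flagging hosts that fan out to many distinct external addresses on port 80. The key=value log format, all IP addresses and the Exchange server address 10.0.0.5 are constructed assumptions; a real SonicWall or Draytek log uses its own field names, so adapt LINE_RE accordingly.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines in a generic "key=value" syslog style
# (not the SonicWall or Draytek format). All addresses are documentation ranges.
SAMPLE_LOG = """\
src=10.0.0.5 dst=203.0.113.10 proto=tcp dpt=25 action=allow
src=10.0.0.5 dst=198.51.100.7 proto=tcp dpt=25 action=allow
src=10.0.0.40 dst=198.51.100.20 proto=tcp dpt=80 action=allow
src=10.0.0.40 dst=198.51.100.21 proto=tcp dpt=80 action=allow
src=10.0.0.23 dst=192.0.2.44 proto=tcp dpt=25 action=allow
src=10.0.0.23 dst=192.0.2.45 proto=tcp dpt=80 action=allow
src=10.0.0.23 dst=192.0.2.46 proto=tcp dpt=80 action=allow
src=10.0.0.23 dst=192.0.2.47 proto=tcp dpt=80 action=allow
src=10.0.0.23 dst=192.0.2.48 proto=tcp dpt=80 action=allow
src=10.0.0.23 dst=192.0.2.49 proto=tcp dpt=80 action=allow
src=10.0.0.23 dst=192.0.2.50 proto=tcp dpt=80 action=allow
"""

# Field layout of the constructed format; change this for your device's logs.
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dpt=(\d+)")


def parse_line(line):
    """Return (src, dst, proto, dport) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return src, dst, proto, int(dpt)


def find_smtp_offenders(lines, mail_servers):
    """Internal hosts talking to port 25 that are not the sanctioned mail server(s)."""
    offenders = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 25 and rec[0] not in mail_servers:
            offenders.add(rec[0])
    return offenders


def find_port80_fanout(lines, threshold):
    """Hosts contacting at least `threshold` distinct destinations on port 80."""
    dests = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 80:
            dests[rec[0]].add(rec[1])
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("direct SMTP from:", find_smtp_offenders(lines, {"10.0.0.5"}))  # 10.0.0.23
    print("port-80 fan-out:", find_port80_fanout(lines, threshold=5))  # {'10.0.0.23': 6}
```

Tune the fan-out threshold against a day of normal traffic first; a host that stands out on both checks is the one to pull off the network, as Simon did.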
regsamp Author Commented:
I just used Malwarebytes and scanned every system and found the bot, removed it and okay now. Thank you for the help.
0