How to determine the source of spam or virus email
Posted on 2013-10-09
We have an Exchange 2003 server and a Barracuda email filtering system internally. One of our IP addresses has been listed in the CBL. We got a message from the CBL organization, attached below. How can we find out the source of the spam email?
Your help is much appreciated.
CBL Lookup Utility
IP Address 50.193.X.X is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.
It was last detected at 2013-10-07 18:00 GMT (+/- 30 minutes), approximately 23 hours ago.
This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. More information can be found from Wikipedia. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.
REMEMBER: ZeroAccess is NOT primarily an Email spamming tool.
Norton Power Eraser is known to be able to remove ZeroAccess.
WARNING: If you continually delist 50.193.X.X without fixing the problem, the CBL will eventually stop allowing the delisting of 50.193.X.X.
If you have resolved the problem shown above and delisted the IP yourself, there is no need to contact us.
Click on this link to delist 50.193.X.X