CBL Blacklisting continues to happen

Posted on 2013-10-09
Medium Priority
Last Modified: 2013-12-26
On Sunday 10/6/2013 at 4:00 p.m. CST our IP was blacklisted by CBL and they indicated we were infected with the ZeroAccess bot.

I ran the basic scans and found nothing.

I delisted our IP address and all was fine until today at 12:00 p.m. CST.  Again we were blacklisted (1 day, 23 hours later) and again we were told it was the ZeroAccess bot.

I went to each machine physically (there are only 9 machines including two servers).  I ran:

Norton Power Eraser
FixZeroAccess by Norton
Remove Rootkit by McAfee
Deep Scan by the installed VIPRE

Not one of them found ANY problem.

In addition I have a Cisco ASA firewall between the world and us and it is configured to ONLY allow SMTP port 25 traffic from the mail server - so no individual machine could be sending out mail by themselves.

I can understand one false positive, but two?  I have delisted us again but if I keep doing this we will be permanently blacklisted.

I also cannot seem to find CBL's email address to contact them directly.


Question by:Adam D
LVL 19

Expert Comment

ID: 39560768
Enable the SMTP log and check the IP which is consistently hitting the server.
Block port 25 for the machines/servers except the Exchange server. Only the Exchange server should have access to 25 on the firewall.

If you have exchange 2007/2010 then enable receive connector log and send connector log and check the IP.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39560898
This one seems to be getting on the blacklist because the bot has been detected, not because it has sent spam.
I found it by watching the firewall traffic for hits to odd IP addresses.


Accepted Solution

TMekeel earned 2000 total points
ID: 39561148
Just went through nearly the exact same situation yesterday and today.
My differences are I used ESET's tool to find it, and there were other malware found using Malwarebytes.

Have you tried telnetting out to another server on 25 from a non-mailserver to verify that the ASA is configured correctly?  It should time out from any other internal machine, but work from your mail server.

Run TDSSKiller from Kaspersky and ESET's sirefef removal tool on each machine (both are quick to download and also quick to scan.)  Do this on all machines, not just clients, but servers too!

The ZeroAccess isn't going to use your mailserver to go out, it has its own, so Exchange logs aren't going to be terribly helpful.

Do you have more than 1 IP?  If so direct all mail traffic out the other IP while you sort out the issue.

Do you have wifi and are there laptops on site that come and go?  Any guest wireless?  Standalone office or shared building space?


Author Comment

by:Adam D
ID: 39561589
Thank you for your replies.

There are laptops that come and go, no guest wireless so it could be a private employee machine. I had not tried telnetting from another machine previously and I found out the ACL I created was apparently incorrect because I was able to telnet.

This is an ASA 5505 and here is my current ACL.  Please advise on the proper command to block anyone but the Exchange server IP, which is:  Unfortunately the ACL I just created blocks EVERYONE - so I am missing something.

x.x.x.x = outside public ip

access-list 101 extended permit tcp any host x.x.x.x eq www
access-list 101 extended permit tcp any host x.x.x.x eq smtp
access-list 101 extended permit tcp any host x.x.x.x eq pop3
access-list 101 extended permit tcp any host x.x.x.x eq 14238
access-list 101 extended permit tcp any host x.x.x.x eq 50000
access-list 101 extended permit tcp any any eq ftp
access-list acl_Outbound extended permit tcp host eq smtp any eq smtp
access-list acl_Outbound extended deny tcp any eq smtp any eq smtp

access-group acl_Outbound out interface inside
access-group 101 in interface outside
access-group acl_Outbound out interface outside

As for the TDSS and ESET I will run those as well.


Author Comment

by:Adam D
ID: 39568467
Any comments?

Expert Comment

ID: 39568506
You would want to allow both smtp and 587 to the Exchange server.  And also, block 25 on the "in" side of the inside interface.  It's the local clients you do not want going out.  Unless they need to go through ASA to get to your Exchange server.


Author Comment

by:Adam D
ID: 39576357
Thanks TMekeel.  I modified my acl_Outbound to the following

access-list acl_Outbound line 1 extended permit tcp host <allowed IP> eq smtp any eq smtp
access-list acl_Outbound line 2 extended deny tcp any eq smtp any eq smtp
access-list acl_Outbound line 3 extended permit ip any any

access-group acl_Outbound in interface inside


If I run "packet-tracer" on the firewall it shows the packet being dropped if not from the allowed IP and allowed from the allowed IP.

But if I run a command prompt on a non-authorized machine and enter:  

telnet <outside smtp machine> 25

the outside smtp machine will answer.

So, is the rule working and if so why does the outside smtp machine answer my query on port 25?


Expert Comment

ID: 39576411
You are blocking smtp not port 25. So tcp over 25 works.
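Added example (not code from any poster in this thread): a toy evaluator for Cisco ASA extended-ACL lines, run against the acl_Outbound from the author's last comment. It models the ASA's first-match, implicit-deny semantics and the fact that in `tcp <src> eq smtp <dst> eq smtp` the first `eq` binds the source port. A workstation opening a connection from an ephemeral source port therefore never matches the deny line and falls through to `permit ip any any`, which is why the telnet test from a non-authorized machine still reaches the outside server. The corrected lines put the port operator only on the destination side. All addresses are constructed placeholders for the IPs the author redacted.

```python
# Added example: toy Cisco ASA extended-ACL evaluator (not from the thread).
# Addresses are constructed placeholders: 192.168.1.10 stands in for the
# redacted Exchange server, 192.168.1.50 for a workstation, 203.0.113.x for
# outside hosts.
import re
from dataclasses import dataclass

# Port names used on the page, as the ASA resolves them.
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "ftp": 21}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)$"
)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _endpoint(tokens, i):
    """Parse '<any|host A.B.C.D> [eq PORT]' starting at tokens[i]."""
    if tokens[i] == "any":
        addr, i = None, i + 1
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError(f"unsupported address token {tokens[i]!r}")
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = _port(tokens[i + 1]), i + 2
    return (addr, port), i


def parse_acl(lines):
    """Return [(action, proto, (src_addr, src_port), (dst_addr, dst_port)), ...]."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an extended ACE: {line!r}")
        tokens = m["rest"].split()
        src, i = _endpoint(tokens, 0)   # first 'eq' belongs to the SOURCE side
        dst, _ = _endpoint(tokens, i)
        aces.append((m["action"], m["proto"], src, dst))
    return aces


def _side_matches(rule, addr, port):
    r_addr, r_port = rule
    return (r_addr is None or r_addr == addr) and (r_port is None or r_port == port)


def evaluate(aces, pkt):
    """First matching ACE wins; the ASA denies anything that matches no ACE."""
    for action, proto, src, dst in aces:
        if proto not in ("ip", pkt.proto):
            continue
        if _side_matches(src, pkt.src, pkt.sport) and _side_matches(dst, pkt.dst, pkt.dport):
            return action
    return "deny"


# acl_Outbound as posted: both 'eq smtp' clauses also constrain the source port.
AS_POSTED = parse_acl([
    "access-list acl_Outbound line 1 extended permit tcp host 192.168.1.10 eq smtp any eq smtp",
    "access-list acl_Outbound line 2 extended deny tcp any eq smtp any eq smtp",
    "access-list acl_Outbound line 3 extended permit ip any any",
])

# Corrected: only the destination port is constrained, so any source port matches.
CORRECTED = parse_acl([
    "access-list acl_Outbound line 1 extended permit tcp host 192.168.1.10 any eq smtp",
    "access-list acl_Outbound line 2 extended deny tcp any any eq smtp",
    "access-list acl_Outbound line 3 extended permit ip any any",
])

# Constructed connections, each opened from an ephemeral source port.
CLIENT_TO_MTA = Packet("tcp", "192.168.1.50", 51234, "203.0.113.10", 25)
EXCHANGE_TO_MTA = Packet("tcp", "192.168.1.10", 51235, "203.0.113.10", 25)
CLIENT_TO_WEB = Packet("tcp", "192.168.1.50", 51236, "203.0.113.20", 80)

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for label, pkt in (("client->25", CLIENT_TO_MTA),
                           ("exchange->25", EXCHANGE_TO_MTA),
                           ("client->80", CLIENT_TO_WEB)):
            print(f"{name:10} {label:13} {evaluate(acl, pkt)}")
```

The same point applies to packet-tracer: it takes a source port argument, so a trace that uses 25 as the source port matches the posted deny line while a trace with an ephemeral source port such as 51234 does not. Testing with an ephemeral source port reproduces what the telnet check from a workstation actually does.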
