Increase in CBL listings

Update: As of Nov 24, 2015 11:18 Pacific, Spamhaus has rebuilt the zone and removed the broken entries. Expect the new data to propagate in 10 – 15 minutes. Delivery should be back to normal.
The CBL issued a statement, which I reposted for readers that find this post in the future. I think it’s important to remember there is a lot of malicious traffic out there and that malicious traffic affects all of us, even if we never see it.
Original Post from 10am pacific on Nov 24
cbl-logo-2012
Mid-morning west coast time, I started seeing an uptick in reports from many ESPs and marketers that they were getting listed on the XBL/CBL. Listings mentioned the kelihos spambot.

IP Address 10.10.10.10 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
It was last detected at 2015-11-24 16:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it’s participating in a botnet.
If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

Various folks, including myself, reached out to Spamhaus. As of 10:30 am Pacific time I have confirmation directly from a Spamhaus volunteer that they are aware of the situation and are working to fix it.

What is the CBL?

The CBL is a blocklist designed specifically to pick up botnet infected machines. They monitor a lot of traffic and list IP addresses that exhibit characteristics of botnet infected machines.

What’s that mean in English?

Botnet code has some identifiable issues that lead to being able to identify machines that are infected with that botnet code. The CBL uses these “issues” to identify IP addresses sending botnet email and then lists them on the CBL and the XBL.
One very old example (not botnet, but something similar) is a piece of spamware from the late ’90s that had a broken timezone code – a timezone that did not exist. You could block that spam on the timezone. The CBL blocks on similar characteristics in current mail.

What happened here?

While I don’t have any details, my speculation is that there was a rule that caught a lot of ESP mail that shouldn’t have been caught. The alternative explanation is that a whole bunch of ESPs were simultaneously infected with kelihos. This is extremely unlikely because kelihos is a Microsoft infection and the listed IPs are running other operating systems. So unless there’s been a drastic change in kelihos and there was a coordinated infection against many ESPs, this is a mistake.

What now?

Right now, we wait for Spamhaus to bulk delist the IP addresses. As I said, I’ve personally spoken to one of the volunteers and they are working to resolve the issue. They expect things to be fixed soon (as of 11:10 Pacific).
 
 
 

Related Posts

Are botnets really the spam problem?

Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email.
Botnets are a problem online. They’re a problem in a lot of ways. They can be used for denial of service attacks. They can be used to mine bitcoins. They can be used to host viruses. They can be used to send spam. They are a problem and a lot of people spend a lot of time and money trying to take down botnets.
For the typical end user, though, botnets are a minor contributor to spam in the inbox. Major ISPs, throughout the world, have worked together to address botnets and minimize the spam traffic from them. Those actions have been effective and many users never see botnet spam in their inbox, either because it’s blocked during send or blocked during receipt.
Most of the spam end users have to deal with is coming from people who nominally follow CAN SPAM. They have a real address at the bottom of the email. They’re using real ISPs or ESPs. They have unsubscribe links. Probably some of the mail is going to opt-in recipients. This mail is tricky, and expensive, to block, so a lot more of it gets through.
Much of this mail is sent by companies using real ISP connections. Brian Krebs, who I’ve mentioned before, wrote an article about one hosting company who previously supported a number of legal spammers. This hosting company was making $150,000 a month by letting customers send CAN SPAM legal mail. But the mail was unwanted enough that AOL blocked all of the network IP space – not just the spammer space, but all the IP space.
It’s an easy decision to block botnet sources. The amount of real mail coming from botnet space is zero. It’s a much bigger and more difficult decision to block legitimate sources of emails because there’s so much garbage coming from nearby IPs. What AOL did is a last resort when it’s clear the ISP isn’t going to stop spam coming out from their space.
Botnets are a problem. But quasi legitimate spammers are a bigger problem for filter admins and end users. Quasi legitimate spammers tend to hide behind ISPs and innocent customers. Some send off shared pools at ESPs and hide their traffic in the midst of wanted mail. They’re a bigger problem because the mail is harder to filter. They are bigger problems because a small portion of their recipients actually do want their mail. They’re bigger problems because some ISPs take their money and look the other way.
Botnets are easy to block, which makes them a solved problem. Spam from fixed IPs is harder to deal with and a bigger problem for endusers and filters.

Read More

Dealing with blocklists, deliverability and abuse people

There are a lot of things all of us in the deliverability, abuse and blocklist space have heard, over and over and over again. They’re so common they’re running jokes in the industry. These phrases are used by spammers, but a lot of non-spammers seem to use them as well.
The most famous is probably “I’m sure they’ll unblock me if I can just explain my business model.” Trust me, the folks blocking your mail don’t want to hear about your business model. They just want you to stop doing whatever it is you’re doing. In fact, I’m one of the few people in the space who actually wants to hear about your business model – so I can help you reach your goals without doing things that get you blocked.
A few months ago, after getting off yet another phone call where I talked clients down from explaining their business model to Spamhaus, I put together list of phrases that senders really shouldn’t use when talking to their ESP, a blocklist provider or an abuse desk. I posted it to a closed list and one of the participants put it together into a bingo card.
bingo__email__save_1
A lot of these statements are valid marketing and business statements. But the folks responsible for blocking mail don’t really care. They just want their users to be happy with the mail they receive.

Read More

Biggest botnet takedown to date

Yesterday law enforcement officials arrested 6 people and charged them with running a massive internet fraud ring. Over 4 million PCs were part of the botnet.
According to the FBI

Read More