Increase in CBL listings
Update: As of Nov 24, 2015 11:18 Pacific, Spamhaus has rebuilt the zone and removed the broken entries. Expect the new data to propagate in 10 – 15 minutes. Delivery should be back to normal.
The CBL issued a statement, which I reposted for readers that find this post in the future. I think it’s important to remember there is a lot of malicious traffic out there and that malicious traffic affects all of us, even if we never see it.
Original Post from 10am pacific on Nov 24
Mid-morning west coast time, I started seeing an uptick in reports from many ESPs and marketers that they were getting listed on the XBL/CBL. Listings mentioned the kelihos spambot.
IP Address 10.10.10.10 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
It was last detected at 2015-11-24 16:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it’s participating in a botnet.
If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
Various folks, including myself, reached out to Spamhaus. As of 10:30 am Pacific time I have confirmation directly from a Spamhaus volunteer that they are aware of the situation and are working to fix it.
What is the CBL?
The CBL is a blocklist designed specifically to pick up botnet infected machines. They monitor a lot of traffic and list IP addresses that exhibit characteristics of botnet infected machines.
What’s that mean in English?
Botnet code has some identifiable issues that lead to being able to identify machines that are infected with that botnet code. The CBL uses these “issues” to identify IP addresses sending botnet email and then lists them on the CBL and the XBL.
One very old example (not botnet, but something similar) is a piece of spamware from the late ’90s that had a broken timezone code – a timezone that did not exist. You could block that spam on the timezone. The CBL blocks on similar characteristics in current mail.
What happened here?
While I don’t have any details, my speculation is that there was a rule that caught a lot of ESP mail that shouldn’t have been caught. The alternative explanation is that a whole bunch of ESPs were simultaneously infected with kelihos. This is extremely unlikely because kelihos is a Microsoft infection and the listed IPs are running other operating systems. So unless there’s been a drastic change in kelihos and there was a coordinated infection against many ESPs, this is a mistake.
Right now, we wait for Spamhaus to bulk delist the IP addresses. As I said, I’ve personally spoken to one of the volunteers and they are working to resolve the issue. They expect things to be fixed soon (as of 11:10 Pacific).