What happened with the CBL false listings?

The CBL issued a statement and explanation for the false positives. Copying it here because there doesn’t seem to be a way to link directly to the statement on the CBL front page.


November 24, 2015 Widespread false positives
Earlier today, a very large scale Kelihos botnet event occured – by large scale, many email installations will be seeing in excess of 20% kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn’t an unusual thing normally, the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.
The email was allegedly from the US Federal Reserve, saying something about restrictions in “U.S. Federal Wire and ACH online payments.” Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza or Dridex malware.
The detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error.
As per our policy, all entries of this type were purged (by about 19:05 UTC), and the detection heuristic removed.
If you were listed up to around 19:00 UTC, and the CBL lookup page appears to indicate that the IP is no longer listed, this is likely the explanation, and no further action is required on your part.


Out of curiosity I checked my own mailboxes. Since the first “Federal Reserve Spam” delivered at around 3:45 this morning, I’ve received 252 spams. 124 of those were the Kelihos bot spam. So it’s a good half of today’s spam volume. Yesterday’s total spam volume was around 328. A noticeable increase here.
 

Related Posts

dDOS spreads to the CBL

Spamhaus has mostly mitigated the dDOS against the Spamhaus website and mailserver, but now the CBL is under attack. They have been working to get that under protection as well, but it’s taking some time.
Right now there are no public channels for delisting from the CBL. The Spamhaus Blog will be updated as things change, and I’ll try and keep things updated here as well.
UPDATE: Cloudflare talks about the scope of the attack

Read More

ROKSO lawsuit settled

Earlier this year Ken Magill reported that a judge in the UK was allowing a libel case against Spamhaus to go forward. I thought for sure I’d blogged about the case at the time, but apparently I didn’t.
The short version is that today Spamhaus announced the lawsuit was settled and the complainants paid for Spamhaus’ legal fees.
As with most legal cases the details are complex and convoluted.  Let me try to sum up.

Read More

Are botnets really the spam problem?

Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email.
Botnets are a problem online. They’re a problem in a lot of ways. They can be used for denial of service attacks. They can be used to mine bitcoins. They can be used to host viruses. They can be used to send spam. They are a problem and a lot of people spend a lot of time and money trying to take down botnets.
For the typical end user, though, botnets are a minor contributor to spam in the inbox. Major ISPs, throughout the world, have worked together to address botnets and minimize the spam traffic from them. Those actions have been effective and many users never see botnet spam in their inbox, either because it’s blocked during send or blocked during receipt.
Most of the spam end users have to deal with is coming from people who nominally follow CAN SPAM. They have a real address at the bottom of the email. They’re using real ISPs or ESPs. They have unsubscribe links. Probably some of the mail is going to opt-in recipients. This mail is tricky, and expensive, to block, so a lot more of it gets through.
Much of this mail is sent by companies using real ISP connections. Brian Krebs, who I’ve mentioned before, wrote an article about one hosting company who previously supported a number of legal spammers. This hosting company was making $150,000 a month by letting customers send CAN SPAM legal mail. But the mail was unwanted enough that AOL blocked all of the network IP space – not just the spammer space, but all the IP space.
It’s an easy decision to block botnet sources. The amount of real mail coming from botnet space is zero. It’s a much bigger and more difficult decision to block legitimate sources of emails because there’s so much garbage coming from nearby IPs. What AOL did is a last resort when it’s clear the ISP isn’t going to stop spam coming out from their space.
Botnets are a problem. But quasi legitimate spammers are a bigger problem for filter admins and end users. Quasi legitimate spammers tend to hide behind ISPs and innocent customers. Some send off shared pools at ESPs and hide their traffic in the midst of wanted mail. They’re a bigger problem because the mail is harder to filter. They are bigger problems because a small portion of their recipients actually do want their mail. They’re bigger problems because some ISPs take their money and look the other way.
Botnets are easy to block, which makes them a solved problem. Spam from fixed IPs is harder to deal with and a bigger problem for endusers and filters.

Read More