Increase in CBL listings

Update: As of Nov 24, 2015 11:18 Pacific, Spamhaus has rebuilt the zone and removed the broken entries. Expect the new data to propagate in 10 – 15 minutes. Delivery should be back to normal.
The CBL issued a statement, which I reposted for readers who find this post in the future. I think it's important to remember there is a lot of malicious traffic out there and that malicious traffic affects all of us, even if we never see it.
Original post from 10am Pacific on Nov 24
Mid-morning West Coast time, I started seeing an uptick in reports from many ESPs and marketers that they were getting listed on the XBL/CBL. The listings cited the Kelihos spambot.

IP Address 10.10.10.10 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.
It was last detected at 2015-11-24 16:00 GMT (+/- 30 minutes), approximately 2 hours, 30 minutes ago.
This IP is infected (or NATting for a computer that is infected) with the kelihos spambot. In other words, it’s participating in a botnet.
If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

Various folks, including myself, reached out to Spamhaus. As of 10:30 am Pacific time I have confirmation directly from a Spamhaus volunteer that they are aware of the situation and are working to fix it.

What is the CBL?

The CBL (Composite Blocking List) is a DNS-based blocklist designed specifically to catch botnet-infected machines. Its operators monitor a large volume of mail traffic and list the IP addresses that exhibit the characteristics of an infected machine. CBL data also feeds the Spamhaus XBL, which is why a CBL listing shows up as an XBL listing too.

What’s that mean in English?

Spambot code tends to have quirks in how it speaks SMTP and how it builds messages, and those quirks distinguish an infected machine from a normal mail server. The CBL uses these quirks to identify IP addresses that are sending botnet email, then lists them on the CBL and, through it, the XBL.
One very old example (not a botnet, but something similar) is a piece of spamware from the late '90s with a broken timezone code: it stamped every message with a timezone that did not exist. You could block that spam on the timezone alone. The CBL blocks on similar characteristics in current mail.
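To make that kind of fingerprint concrete, here is an added example (written for this post; it is not the CBL's detection code, and the bogus zone value is a stand-in, since the post does not say which impossible timezone the old spamware used). It checks the numeric zone on a Date header for values no real clock can produce, and runs that narrow rule side by side with a deliberately over-broad one over two constructed messages, which is the same shape of mistake the rest of this post describes: a rule that catches legitimate ESP mail along with the bot traffic.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List, Optional

# RFC 5322 numeric zone at the end of a Date header: sign, HH, MM.
ZONE_RE = re.compile(r"([+-])(\d{2})(\d{2})\s*$")


def parse_zone(date_header: str) -> Optional[Dict[str, int]]:
    """Split the numeric zone off a Date header.
    Returns {'sign': +1 or -1, 'hours': HH, 'minutes': MM}, or None when the
    header does not end in a numeric zone (e.g. an obsolete alphabetic one)."""
    m = ZONE_RE.search(date_header.strip())
    if not m:
        return None
    sign, hh, mm = m.groups()
    return {"sign": 1 if sign == "+" else -1, "hours": int(hh), "minutes": int(mm)}


def zone_is_impossible(date_header: str) -> bool:
    """Narrow fingerprint: the zone is one no real clock can be set to, i.e.
    a minutes field of 60 or more, or an offset outside -12:00 .. +14:00.
    Assumption: the exact bogus zone from the '90s spamware is not on the
    page; any value outside those bounds stands in for it here."""
    z = parse_zone(date_header)
    if z is None:
        return False  # no numeric zone at all: not this rule's business
    if z["minutes"] >= 60:
        return True
    offset = z["sign"] * (z["hours"] * 60 + z["minutes"])
    return offset < -12 * 60 or offset > 14 * 60


def zone_is_not_utc(date_header: str) -> bool:
    """Deliberately over-broad rule, for contrast: flags any zone other than
    +0000/-0000. Plenty of legitimate senders stamp local time, so this fires
    on mail that is not spam at all."""
    z = parse_zone(date_header)
    return z is not None and (z["hours"] != 0 or z["minutes"] != 0)


def flagged_by(rule: Callable[[str], bool], raw_messages: List[str]) -> List[str]:
    """Run one Date-header rule over raw RFC 5322 messages and return the
    Message-IDs the rule would have listed."""
    hits = []
    for raw in raw_messages:
        msg: Message = message_from_string(raw)
        if rule(msg.get("Date", "")):
            hits.append(msg.get("Message-ID", "<no-id>"))
    return hits


# Constructed sample messages, not real traffic; hosts and IDs are made up.
ESP_MAIL = """\
From: news@esp.example
To: user@example.net
Date: Tue, 24 Nov 2015 08:00:00 -0800
Message-ID: <esp-1@esp.example>
Subject: November newsletter

Hello from a legitimate bulk sender stamping Pacific time.
"""

SPAMWARE_MAIL = """\
From: x@broken.example
To: user@example.net
Date: Tue, 24 Nov 2015 16:00:00 +2500
Message-ID: <spamware-1@broken.example>
Subject: cheap watches

Sent by software whose zone string is not a zone that exists.
"""

SAMPLE = [ESP_MAIL, SPAMWARE_MAIL]

if __name__ == "__main__":
    # Narrow rule lists only the spamware; the broad rule also lists the ESP.
    print("narrow rule flags:", flagged_by(zone_is_impossible, SAMPLE))
    print("broad rule flags: ", flagged_by(zone_is_not_utc, SAMPLE))
```

The point of running both rules is the false-positive side: a fingerprint is only as good as the assumption that legitimate mail never shares the trait, and a rule that keys on something ordinary senders also do (here, a non-UTC timestamp) lists them right alongside the bots.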

What happened here?

While I don't have any details, my speculation is that there was a rule that caught a lot of ESP mail that shouldn't have been caught. The alternative explanation is that a whole bunch of ESPs were simultaneously infected with Kelihos. This is extremely unlikely because Kelihos is a Windows infection and the listed IPs are running other operating systems. So unless there's been a drastic change in Kelihos and there was a coordinated infection against many ESPs, this is a mistake.

What now?

Right now, we wait for Spamhaus to bulk delist the IP addresses. As I said, I’ve personally spoken to one of the volunteers and they are working to resolve the issue. They expect things to be fixed soon (as of 11:10 Pacific).
