What happened with the CBL false listings?

The CBL issued a statement and explanation for the false positives. Copying it here because there doesn’t seem to be a way to link directly to the statement on the CBL front page.

November 24, 2015 Widespread false positives
Earlier today, a very large scale Kelihos botnet event occured – by large scale, many email installations will be seeing in excess of 20% kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn’t an unusual thing normally, the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.
The email was allegedly from the US Federal Reserve, saying something about restrictions in “U.S. Federal Wire and ACH online payments.” Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza or Dridex malware.
The detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error.
As per our policy, all entries of this type were purged (by about 19:05 UTC), and the detection heuristic removed.
If you were listed up to around 19:00 UTC, and the CBL lookup page appears to indicate that the IP is no longer listed, this is likely the explanation, and no further action is required on your part.

Out of curiosity I checked my own mailboxes. Since the first “Federal Reserve Spam” delivered at around 3:45 this morning, I’ve received 252 spams. 124 of those were the Kelihos bot spam. So it’s a good half of today’s spam volume. Yesterday’s total spam volume was around 328. A noticeable increase here.
 

Increase in CBL listings
Lets Encrypt Everything

Related Posts

ROKSO lawsuit settled

Earlier this year Ken Magill reported that a judge in the UK was allowing a libel case against Spamhaus to go forward. I thought for sure I’d blogged about the case at the time, but apparently I didn’t.
The short version is that today Spamhaus announced the lawsuit was settled and the complainants paid for Spamhaus’ legal fees.
As with most legal cases the details are complex and convoluted.  Let me try to sum up.

Read More

Another one bites the dust

NASK (the Polish domain registry) has taken over a number of domain names used in spreading viruses and infections.

Read More

Dealing with blocklists, deliverability and abuse people

There are a lot of things all of us in the deliverability, abuse and blocklist space have heard, over and over and over again. They’re so common they’re running jokes in the industry. These phrases are used by spammers, but a lot of non-spammers seem to use them as well.
The most famous is probably “I’m sure they’ll unblock me if I can just explain my business model.” Trust me, the folks blocking your mail don’t want to hear about your business model. They just want you to stop doing whatever it is you’re doing. In fact, I’m one of the few people in the space who actually wants to hear about your business model – so I can help you reach your goals without doing things that get you blocked.
A few months ago, after getting off yet another phone call where I talked clients down from explaining their business model to Spamhaus, I put together list of phrases that senders really shouldn’t use when talking to their ESP, a blocklist provider or an abuse desk. I posted it to a closed list and one of the participants put it together into a bingo card.
bingo__email__save_1
A lot of these statements are valid marketing and business statements. But the folks responsible for blocking mail don’t really care. They just want their users to be happy with the mail they receive.

Read More