What happened with the CBL false listings?

The CBL issued a statement and explanation for the false positives. Copying it here because there doesn’t seem to be a way to link directly to the statement on the CBL front page.

November 24, 2015 Widespread false positives
Earlier today, a very large scale Kelihos botnet event occured – by large scale, many email installations will be seeing in excess of 20% kelihos spam, and some will see their inbound email volume jump by a volume of as much as 500%. This isn’t an unusual thing normally, the CBL/XBL has been successfully dealing with large scale Kelihos spam spikes like this, often daily, for years.
The email was allegedly from the US Federal Reserve, saying something about restrictions in “U.S. Federal Wire and ACH online payments.” Not only was the notice itself fraudulent, the attached Excel spreadsheet (.xls) contained macro instructions (a downloader) to download a Windows executable virus, most likely Dyreza or Dridex malware.
The detection rules initially deployed by the CBL unfortunately were insufficiently detailed, and listed a number of IP addresses in error.
As per our policy, all entries of this type were purged (by about 19:05 UTC), and the detection heuristic removed.
If you were listed up to around 19:00 UTC, and the CBL lookup page appears to indicate that the IP is no longer listed, this is likely the explanation, and no further action is required on your part.

Out of curiosity I checked my own mailboxes. Since the first “Federal Reserve Spam” delivered at around 3:45 this morning, I’ve received 252 spams. 124 of those were the Kelihos bot spam. So it’s a good half of today’s spam volume. Yesterday’s total spam volume was around 328. A noticeable increase here.
 

Related Posts

Increase in CBL listings

Update: As of Nov 24, 2015 11:18 Pacific, Spamhaus has rebuilt the zone and removed the broken entries. Expect the new data to propagate in 10 – 15 minutes. Delivery should be back to normal.
The CBL issued a statement, which I reposted for readers that find this post in the future. I think it’s important to remember there is a lot of malicious traffic out there and that malicious traffic affects all of us, even if we never see it.
Original Post from 10am pacific on Nov 24
cbl-logo-2012
Mid-morning west coast time, I started seeing an uptick in reports from many ESPs and marketers that they were getting listed on the XBL/CBL. Listings mentioned the kelihos spambot.

Read More

CBL website and email back on line

The CBL website is back on line.
It’s possible that your local DNS resolver has old values for it cached. If so, and if you can’t flush your local DNS cache, and you really can’t wait until DNS has been updated then you may be able to put a temporary entry in your hosts file to point to cbl.abuseat.org.
You can get the IP address you need to add by querying the nameserver at ns-2038.awsdns-62.co.uk for cbl.abuseat.org. No, I’m not going to tell you the IP address – if you can’t do a basic DNS query, you shouldn’t be modifying your hosts file and you can just wait a day.

Read More

Whirlwind that is M3AAWG

It’s been a great conference, and it’s only about half done. As is common at these conferences, I write down lots of things we should do and need to publish. The difference is now that we are growing I may have the time to put the polish on them and get them published.
Today’s keynote discussed the economics of botnet mitigation. Michel van Eeten from Delft University of Technology presented information compiled from some different datasets about botnets.
Good news
Botnet infection rates are relatively stable. They’ve not spiraled out of control like some people were predicting.
Interesting news
More than 50% of bot infections are contained on 50 ISPs in the entire world.
Bad news
Centers set up specifically to fix botnet infections don’t really have a big impact on infection cure rate.
Good news
ISP actions and walled gardens do have an impact on infection cure rates.
The biggest take away from the session is that ISPs are critical in both protecting from infection and helping users cure infection once it happens.

Read More