IP address listed on CBL ?


#1 Tester1

Posted 27 January 2017 - 03:55 PM

Hi;

I have experienced something very strange today: an email I had sent to a computer was returned to me with the mention "undelivered mail returned to sender". (I removed the IP addresses because I don't know if posting them on a public forum is secure or not.)

I got the following message: Client host [XXXXXXXXXX] blocked using zen.spamhaus.org;

    https://www.spamhaus.org/query/ip/XXXXXXXX (in reply to RCPT TO
    command)

It is with great regret that we have implemented a Captcha on this page. After 11 years the number of automated/abusive queries have grown so high it's now necessary. Only manual use of this lookup page is permitted. All automated/scripted queries are prohibited, and may result in listing of the source IP address.

IP address: XXXXXXXXXXXXX    

IP Address XXXXXXXXX is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2017-01-26 23:00 GMT (+/- 30 minutes), approximately 21 hours, 30 minutes ago.

This IP is infected (or NATting for a computer that is infected) with a spam-sending botnet, most likely Necurs. Necurs generally sends large volumes of Dyre/Dridex/Locky malware, fake pharmaceutical or pornography/dating scams.

At present, the vast majority is "Locky" malware. "Locky" is "ransomware" - encrypts the victim's files and demands payment to decrypt them.

If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again. Meanwhile, you run the risk of locky encrypting the user's computer resulting in either loss of all their data, or a high extortion payment.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

Now I have run Kaspersky, and double-checked my IP on Kaspersky https://blog.kaspersky.com/simda-botnet-check/8304/ and it says I have no infection. Also, THE IP ADDRESS RETURNED TO ME BY KASPERSKY IS DIFFERENT FROM THE ONE THAT WAS LISTED. Is it because my internet provider changes IP addresses at each new connection?

I don't know where the problem might come from. I have sent other emails in the day, and have had no problem. How can I know for sure that I'm not infected?
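The bounce quoted above is the standard DNSBL rejection: the receiving mail server reversed the octets of the sending IP, looked that name up under zen.spamhaus.org, and got back a 127.0.0.x answer meaning "listed". The following script is an added example, not from the original post or from Spamhaus; it builds that query name, decodes the Zen return codes (the code table is taken from Spamhaus' published return-code documentation), and distinguishes a real listing from a refused query. The `resolve` parameter, `make_fake_resolver` and `SAMPLE_TABLE` are constructed for offline use; the 192.0.2.x addresses are documentation addresses, not real listings.

```python
import ipaddress
import socket

# Zone named in the bounce message in the post above.
ZEN_ZONE = "zen.spamhaus.org"

# Zen answers a lookup with A records in 127.0.0.0/8; the last octet tells
# which Spamhaus list matched (codes per Spamhaus' return-code documentation).
ZEN_CODES = {
    "127.0.0.2": "SBL - direct spam source",
    "127.0.0.3": "SBL CSS - snowshoe / compromised sender",
    "127.0.0.4": "XBL (CBL data) - exploited or botnet-infected host",
    "127.0.0.5": "XBL - exploited or botnet-infected host",
    "127.0.0.6": "XBL - exploited or botnet-infected host",
    "127.0.0.7": "XBL - exploited or botnet-infected host",
    "127.0.0.10": "PBL - ISP-declared dynamic/end-user range",
    "127.0.0.11": "PBL - Spamhaus-maintained policy range",
}

# Answers in 127.255.255.0/24 are NOT listings: the query itself was refused.
ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the DNSBL name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything odd
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def default_resolve(name):
    """Real lookup: all A records for name; socket.gaierror on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]


def check_ip(ip, zone=ZEN_ZONE, resolve=default_resolve):
    """Return a dict: query name, whether listed, matched lists, any error."""
    name = dnsbl_query_name(ip, zone)
    result = {"query": name, "listed": False, "lists": [], "error": None}
    try:
        answers = resolve(name)
    except socket.gaierror:
        return result  # NXDOMAIN: the address is not listed
    for a in answers:
        if a in ERROR_CODES:
            result["error"] = ERROR_CODES[a]
        elif a.startswith("127.255.255."):
            result["error"] = "query refused (" + a + ")"
        elif a in ZEN_CODES:
            result["listed"] = True
            result["lists"].append(ZEN_CODES[a])
        else:
            result["listed"] = True
            result["lists"].append("unknown return code " + a)
    return result


def make_fake_resolver(table):
    """Constructed offline stand-in for DNS: dict of name -> A records."""
    def resolve(name):
        if name not in table:
            raise socket.gaierror(name)
        return table[name]
    return resolve


# Constructed sample answers (documentation addresses, not real listings).
SAMPLE_TABLE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # CBL + PBL
    "20.2.0.192.zen.spamhaus.org": ["127.255.255.254"],          # refused
}

if __name__ == "__main__":
    fake = make_fake_resolver(SAMPLE_TABLE)
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(check_ip(ip, resolve=fake))
```

Two points the decoded answer makes clear for the situation in the post. First, the listing is tied to the address that was in use at the detection time the CBL page gives (2017-01-26 23:00 GMT), so on a connection whose provider hands out a different address at each session, the address a lookup site reports now and the one that was listed can legitimately differ; the relevant question is whether the listed address was yours at that time. Second, a 127.255.255.x answer means the query was refused (for example because it went through a public resolver), not that the address is clean, so a lookup through your own resolver at low volume is the reliable check.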
