New? behavior og rbl's

Tracy Greggs mailscanner-list at
Thu Sep 22 16:52:27 IST 2011

I have the same issue.  Seems like total BS to me when I am doing port
blocking for SMTP port 25 at the router.

I blocked all outbound traffic to the trap address and logged it ,  removed
the client from the CBL blacklist (which is a trigger for Spamhaus XBL),
logged it and quickly found the infected machine.

But again, total BS to blacklist the SMTP traffic over Gbot.

Tracy Greggs
Oklahoma Network Consulting

-----Original Message-----
From: mailscanner-bounces at
[mailto:mailscanner-bounces at] On Behalf Of Jonas
Sent: Thursday, September 22, 2011 9:40 AM
To: mailscanner at
Subject: New? behavior og rbl's

Hmm ok maybe I was a sleep the past year or so but when did the below become
normal policy???

Basically the conclusion is if you have a pc infected with a virus that's
not email related and or at least is unable to send out spam because of
firewall blocks or similar, you are still blocked in a spamfilter for having
the same WAN ip?

Not only have I not seen this before but it seems like a huge jump in what a
normal SMTP RBL list is supposed to do...

Anybody else have any thought on the matter?

Med venlig hilsen / Best regards
Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax:    7020 0978

IP Address X.X.X.X is not listed in the CBL.

It was previously listed, but was removed at 2011-09-22 13:24 GMT (21
minutes ago)

At the time of removal, this was the explanation for this listing:
This IP is infected with, or is NATting for a machine infected with Gbot.
There are many different versions of Gbot, and it's known under several
different names, see: Win32/Cycbot (Microsoft) or perhaps more specifically:
Troj/Gbot-C (Sophos). 

The rest of the Anti-virus industry refers to it as Cycbot or Gbot. 

This was detected by observing this IP attempting to make contact to a Gbot
Command and Control server, with contents unique to Gbot C&C command

Amongst other things, Gbot/Cycbot sets up a web proxy on the infected
machine, such that the user's normal browser is subverted to go through this
proxy. The proxy then can sniff all traffic from the user (including bank
account information and so on), and forward it off elsewhere. It also
downloads a "fake-AV" (scareware) component. 

Many of these infections drop the following three malicious files: 

C:\Program Files\Internet Explorer\stor.cfg C:\Program Files\Windows
NT\dwm.exe C:\Program Files\Windows NT\shell.exe

Other versions drop files that can be found by searching for files with a
".exe" suffix in the user's Application Data directory. For example,
"C:\\Documents and Settings\\[username]\\Application Data\\dwm.exe". 

To find these infections, search for TCP/IP connections going to IP address, usually destination port 80 or 443, but you should look for
all ports. This detection corresponds to a connection at 2011-09-21 06:50:27
(GMT - this timestamp is believed accurate to within one second). 

These infections are rated as a "severe threat" by Microsoft. It is a trojan
downloader, and can download and execute ANY software on the infected

You will need to find and eradicate the infection before delisting the IP

We strongly recommend that you DO NOT simply firewall off connections to the
sinkhole IP addresses given above. Those IP addresses are of sinkholes
operated by malware researchers. In other words, it's a "sensor" (only) run
by "the good guys". The bot "thinks" its a command and control server run by
the spambot operators but it isn't. It DOES NOT actually download anything,
and is not a threat. If you firewall it, your IPs will remain infected, and
they will still be able to download from real command & control servers run
by the bot operators. 

If you do choose to firewall these IPs, PLEASE instrument your firewall to
tell you which internal machine is connecting to them so that you can
identify the infected machine yourself and fix it. 

We are enhancing the instructions on how to find these infections, and more
information will be given here as it becomes available. 

Virtually all detections made by the CBL are of infections that do NOT leave
any "tracks" for you to find in your mail server logs. This is even more
important for the viruses described here - these detections are made on
network-level detections of malicious behaviour and may NOT involve
malicious email being sent. 

This means: if you have port 25 blocking enabled, do not take this as
indication that your port 25 blocking isn't working. 

The links above may help you find this infection. You can also consult
Advanced Techniques for other options and alternatives. NOTE: the Advanced
Techniques link focuses on finding port 25(SMTP) traffic. With "sinkhole
malware" detections such as this listing, we aren't detecting port 25
traffic, we're detecting traffic on other ports. Therefore, when reading
Advanced Techniques, you will need to consider all ports, not just SMTP. 

Pay very close attention: Most of these trojans have extremely poor
detection rates in current Anti-Virus software. For example, Ponmocup is
only detected by 3 out of 49 AV tools queried at Virus Total. 

Thus: having your anti-virus software doesn't find anything doesn't prove
that you're not infected. 

While we regret having to say this, downloaders will generally download many
different malicious payloads. Even if an Anti-Virus product finds and
removes the direct threat, they will not have detected or removed the other
malicious payloads. For that reason, we recommend recloning the machine -
meaning: reformatting the disks on the infected machine, and re-installing
all software from known-good sources. 

MailScanner mailing list
mailscanner at

Before posting, read

Support MailScanner development - buy the book off the website!

This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list