
Zeus Virus


From: [email protected]
Subject: C427895983 Re: [bl] Please unblock!
Date: Thu, March 13, 2014 9:00 am
To: [email protected]

Dear Mr Caba,

Your mail server is listed in Spamhaus XBL/CBL:

http://cbl.abuseat.org/lookup.cgi?ip=86.125.217.41

-----
IP Address 86.125.217.41 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-03-12 10:00 GMT (+/- 30 minutes), approximately 21 hours ago.

This IP address is infected with, or is NATting for a machine infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem".

ZeuS is a malicious software (malware) used by cybercriminals to commit ebanking fraud and steal sensitive personal data, such as credentials (username, password) for online services (email, webmail, etc.).

The infection was detected by observing this IP address attempting to make contact to a ZeuS Command and Control server (C&C), a central server used by the criminals to control ZeuS-infected computers (bots).

More information about the ZeuS Trojan can be found here:

Microsoft Malware Protection Center: Win32/Zbot
Symantec: Trojan.Zbot
McAfee Labs Threat Advisory: PWS-Zbot

You can try Kaspersky's Zbot killer to get this infection detected/removed. However, we strongly recommend that you completely re-install your operating system to get this infection removed permanently.

This was detected by a TCP/IP connection from 86.125.217.41 on port 51743 going to IP address 82.165.37.26 (the sinkhole) on port 443.

The botnet command and control domain for this connection was "d65g.dw7g3.fefg934.info".

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 82.165.37.26 or host name d65g.dw7g3.fefg934.info on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to 82.165.37.26 or d65g.dw7g3.fefg934.info. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

This detection corresponds to a connection at 2014-03-12 10:08:08 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" it's a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users/customers personal information, including banking information to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.

This means: if you have port 25 blocking enabled, do not take this as indication that your port 25 blocking isn't working.

The links above may help you find this infection. You can also consult Advanced Techniques for other options and alternatives. NOTE: the Advanced Techniques link focuses on finding port 25 (SMTP) traffic. With "sinkhole malware" detections such as this listing, we aren't detecting port 25 traffic, we're detecting traffic on other ports. Therefore, when reading Advanced Techniques, you will need to consider all ports, not just SMTP.

Pay very close attention: Most of these trojans have extremely poor detection rates in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of 49 AV tools queried at Virus Total.

Thus: your anti-virus software not finding anything doesn't prove that you're not infected.

While we regret having to say this, downloaders will generally download many different malicious payloads. Even if an Anti-Virus product finds and removes the direct threat, they will not have detected or removed the other malicious payloads. For that reason, we recommend recloning the machine - meaning: reformatting the disks on the infected machine, and re-installing all software from known-good sources.

WARNING: If you continually delist 86.125.217.41 without fixing the problem, the CBL will eventually stop allowing the delisting of 86.125.217.41.
-----

Kind regards,

With kind regards,

Konrad Meier

GMX MailSecurity

http://gmxnet.de/de/impressum

>
> Mail to: [email protected]
> Email address: [email protected]
> Alternate address: [email protected]
> Subject: Please unblock!
> Your name: Eng. Andrei Caba
> Your company/provider: our own email server (astrac.rdsar.ro)
> Your IP address: * 86.125.217.41 *
> Your message: host mx00.gmx.net[213.165.67.99] refused to talk to me:
>   554-gmx.net (mxgmx003) Nemesis ESMTP Service not available
>   554-No SMTP service
>   554-IP address is black listed.
>   554 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=86.125.217.41&c=bl
>
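The log search the CBL notice recommends for locating the infected host behind a NAT, as an added example that is not part of the notice or of GMX/CBL's own tooling: it walks DNS and proxy log lines and attributes every reference to the sinkhole address or the C&C name to the internal client that produced it. The log formats (BIND-style query log, Squid access.log), the 192.168.1.x clients and the sample lines are constructed assumptions; the indicators are the ones quoted in the notice.

```python
import re

SINKHOLE_IP = "82.165.37.26"            # sinkhole and C&C name quoted in the CBL notice above
CNC_DOMAIN = "d65g.dw7g3.fefg934.info"

# Constructed sample lines (not real logs), in BIND query-log and Squid access.log style.
DNS_LOG = """\
12-Mar-2014 10:08:07.912 queries: info: client 192.168.1.23#52144: query: d65g.dw7g3.fefg934.info IN A + (192.168.1.1)
12-Mar-2014 10:08:09.004 queries: info: client 192.168.1.40#49311: query: www.example.com IN A + (192.168.1.1)
12-Mar-2014 10:08:11.510 queries: info: client 192.168.1.23#52145: query: D65G.DW7G3.FEFG934.INFO. IN A + (192.168.1.1)
"""
PROXY_LOG = """\
1394618888.123    312 192.168.1.23 TCP_TUNNEL/200 3920 CONNECT 82.165.37.26:443 - HIER_DIRECT/82.165.37.26 -
1394618890.456    120 192.168.1.40 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1394618892.789    299 192.168.1.77 TCP_TUNNEL/200 1870 CONNECT d65g.dw7g3.fefg934.info:443 - HIER_DIRECT/82.165.37.26 -
"""
DNS_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")

def indicator(host):
    # Returns the normalised name if it is the sinkhole IP, the C&C domain, or a label beneath it.
    h = host.lower().rstrip(".")   # "FOO.INFO." compares equal to "foo.info"
    if h in (SINKHOLE_IP, CNC_DOMAIN) or h.endswith("." + CNC_DOMAIN):
        return h
    return None

def scan_dns_log(text, hits):
    # Each matching query attributes the lookup to the querying client address.
    for m in DNS_RE.finditer(text):
        h = indicator(m.group(2))
        if h:
            hits.setdefault(m.group(1), set()).add("dns:" + h)

def scan_proxy_log(text, hits):
    # Squid native format: client is field 3, URL field 7, upstream peer field 9.
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        client, url, peer = f[2], f[6], f[8].split("/")[-1]
        host = url.split("://")[-1].split("/")[0].rsplit(":", 1)[0]  # strip scheme, path, port
        for cand, kind in ((host, "proxy:"), (peer, "peer:")):
            h = indicator(cand)
            if h:
                hits.setdefault(client, set()).add(kind + h)

def find_infected_hosts(dns_log=DNS_LOG, proxy_log=PROXY_LOG):
    hits = {}   # internal client -> evidence tying it to the sinkhole or C&C name
    scan_dns_log(dns_log, hits)
    scan_proxy_log(proxy_log, hits)
    return hits
```

On the constructed input, 192.168.1.23 is tied to the listing by both its DNS lookups and its CONNECT to the sinkhole, 192.168.1.77 by its proxied CONNECT to the C&C name, and 192.168.1.40 is not flagged.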