Cutwail spambot

This spambot had attacked my company network, and it made the IP address of my email server (Exchange 2003) get blacklisted. The effect of this spambot was that outbound email from my company email server was blocked from being sent outside my organization. It can be seen in the picture below: most queued connections in the email server have the retry status.

exchange email queue

To check which IP address was blacklisted, I used 2 websites:

  1. http://www.senderbase.org/
  2. http://cbl.abuseat.org/lookup.cgi

On these websites, I found that my company IP address had been infected with the Cutwail spambot, and the cbl.abuseat.org site provides steps to find out where the culprit is.

To solve this problem, I created new firewall rules in my Trend Micro OfficeScan server. This firewall will block:

  • Port 25 from all client workstations
  • The IP address that I found in cbl.abuseat.org. The IP address is 87.255.51.229

After 2 days of waiting, the culprit was finally found. There was one computer that was continuously making connections to IP address 87.255.51.229. To clean up this computer, the first thing I had to do was disconnect it from the network. After that, I deleted the spambot manually, because my antivirus could not detect it, and made sure there was no more spambot on this computer.
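As an added example (not code from the original post), the hunt described above written as a script over firewall logs: it flags any internal host that keeps connecting to the listed address 87.255.51.229, or that tries to send directly on port 25 while not being the mail server. The log line format, the MAIL_SERVER address and the sample lines are constructed assumptions; adapt LINE_RE to the real OfficeScan firewall log layout.

```python
import re
from collections import Counter

CUTWAIL_IP = "87.255.51.229"  # address listed by cbl.abuseat.org in the post
MAIL_SERVER = "10.0.0.5"      # assumption: the only host allowed to send on port 25

# Constructed sample lines in a hypothetical "date time src dst dport action" format;
# the last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2012-05-01 08:00:01 10.0.1.23 87.255.51.229 80 BLOCK
2012-05-01 08:00:31 10.0.1.23 87.255.51.229 80 BLOCK
2012-05-01 08:01:02 10.0.1.23 74.125.1.10 25 BLOCK
2012-05-01 08:01:05 10.0.1.44 93.184.216.34 443 ALLOW
2012-05-01 08:01:30 10.0.1.23 87.255.51.229 80 BLOCK
2012-05-01 08:02:00 10.0.1.23 64.12.1.1 25 BLOCK
2012-05-01 08:02:10 10.0.0.5 64.12.1.1 25 ALLOW
2012-05-01 08:03:00 10.0.1.44 87.255.51.229 80 BLOCK
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) (\d+) \w+$")

def parse(log_text):
    """Yield (src, dst, dport) for each well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, port = m.groups()
            yield src, dst, int(port)

def suspicious_hosts(log_text, min_hits=3):
    """Map each flagged source host to its reasons: repeated contact with the
    Cutwail IP, or direct outbound SMTP from a host that is not the mail server."""
    c2_hits, smtp_hits = Counter(), Counter()
    for src, dst, port in parse(log_text):
        if dst == CUTWAIL_IP:
            c2_hits[src] += 1
        elif port == 25 and src != MAIL_SERVER:
            smtp_hits[src] += 1
    findings = {}
    for src, n in c2_hits.items():
        if n >= min_hits:
            findings.setdefault(src, []).append(f"{n} connections to {CUTWAIL_IP}")
    for src, n in smtp_hits.items():
        findings.setdefault(src, []).append(f"{n} direct SMTP attempts")
    return findings

if __name__ == "__main__":
    for host, reasons in sorted(suspicious_hosts(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

On the sample data only 10.0.1.23 is reported, which is the kind of single machine the post found after two days of watching the firewall.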

To make sure the spambot was gone, I checked the IP address reputation on senderbase.org and, thank God, it shows that my IP reputation is good 😀

good IP reputation
