This spambot attacked my company network and got the IP address of my email server (Exchange 2003) blacklisted. The effect was that outbound email from the company email server was blocked: it could no longer send email outside the organization. As the picture below shows, most of the connections in the email server queue were stuck in retry status.
To check which IP address had been blacklisted, I used two websites:
On this website I found that my company's IP addresses had been infected with the Cutwail spambot, and the website provides steps to find out where the culprit is.
To solve this problem, I created a new firewall rule on my Trend Micro OfficeScan server. This firewall rule blocks:
- Port 25 for all client workstations
- The IP address I found on cbl.abuseat.org, which is 18.104.22.168
After two days of waiting, the culprit was finally found: one computer was continuously making connections to the IP address 22.214.171.124. To clean up this computer, the first thing I did was disconnect it from the network. After that, I deleted the spambot manually, because my antivirus could not detect it, and made sure there was no spambot left on this computer.
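The detection step above (block TCP/25 and the indicator address at the workstation firewall, then look for the host that keeps hitting the rule) can be automated over the firewall's block log. This is an added example, not code from the original post or from Trend Micro; the log line format and the sample lines are constructed, and only the 22.214.171.124 indicator comes from the post.

```python
"""Find which workstation keeps trying to reach TCP/25 or the blocked indicator
address once the firewall rule is in place. Log format and samples are
constructed for this example, not OfficeScan's real export format."""
import re
from collections import Counter, defaultdict

# Indicator from the post: the address the infected host kept contacting.
BLOCKED_IPS = {"22.214.171.124"}
SMTP_PORT = 25

# Constructed sample log lines (hypothetical format: timestamp, action, src -> dst).
SAMPLE_LOG = """\
2010-03-01 08:00:01 BLOCK 192.168.10.15:4412 -> 22.214.171.124:25
2010-03-01 08:00:03 BLOCK 192.168.10.15:4413 -> 22.214.171.124:25
2010-03-01 08:00:04 ALLOW 192.168.10.20:51000 -> 192.168.10.5:80
2010-03-01 08:00:05 BLOCK 192.168.10.15:4414 -> 203.0.113.9:25
2010-03-01 08:00:07 BLOCK 192.168.10.33:3301 -> 198.51.100.7:25
2010-03-01 08:00:09 BLOCK 192.168.10.15:4415 -> 22.214.171.124:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield (src_ip, dst_ip, dst_port) for blocked outbound attempts only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "BLOCK":
            continue
        yield m.group("src"), m.group("dst"), int(m.group("dport"))

def suspect_hosts(text, min_attempts=3):
    """Count SMTP / indicator hits per source; return hosts at or above threshold
    as {src: (hit_count, sorted list of destinations contacted)}."""
    hits = Counter()
    reasons = defaultdict(set)
    for src, dst, dport in parse_log(text):
        if dport == SMTP_PORT or dst in BLOCKED_IPS:
            hits[src] += 1
            reasons[src].add(dst)
    return {src: (n, sorted(reasons[src])) for src, n in hits.items() if n >= min_attempts}

if __name__ == "__main__":
    for host, (count, dsts) in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {count} blocked SMTP/indicator attempts to {', '.join(dsts)}")
```

A single blocked attempt can be a legitimate mail client misconfiguration, so the threshold keeps one-off hits (192.168.10.33 in the sample) out of the list until they repeat.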
To make sure the spambot was gone, I checked the IP address reputation on senderbase.org, and thank God it shows that my IP reputation is good 😀