[tor-bugs] #17855 [Flashproxy]: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite Blocking List)

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Dec 14 23:42:44 UTC 2015


#17855: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite
Blocking List)
----------------------------+-----------------
     Reporter:  dcf         |      Owner:  dcf
         Type:  defect      |     Status:  new
     Priority:  Medium      |  Milestone:
    Component:  Flashproxy  |    Version:
     Severity:  Normal      |   Keywords:
Actual Points:              |  Parent ID:
       Points:              |    Sponsor:
----------------------------+-----------------
 Since about 2015-12-01, the email that flashproxy-reg-email sends triggers
 a false-positive detection in the [http://www.abuseat.org/ CBL (Composite
 Blocking List)] which causes other email sent from the same IP address to
 be rejected by some recipients (including riseup.net). Shortly after
 flashproxy-reg-email runs, the [http://www.abuseat.org/lookup.cgi
 lookup page] says something along the lines of:

   IP Address x.x.x.x is listed in the CBL. It shows signs of being
   infected with a spam sending trojan, malicious link or some other form of
   botnet.

   It was last detected at 2015-12-07 03:00 GMT (+/- 30 minutes),
   approximately 3 hours, 30 minutes ago.

   This IP is infected (or NATting for a computer that is infected) with
   the kelihos spambot. In other words, it's participating in a botnet.

 Everything about Kelihos and botnets is false; through experiments and
 interaction with a CBL operator we isolated the cause to
 flashproxy-reg-email's messages.

 An example of a bounce message caused by this error is:

   SMTP error from remote mail server after RCPT TO:<... at riseup.net>:
   host mx1.riseup.net [198.252.153.129]: 550 5.7.1 Service unavailable;
   client [x.x.x.x] blocked using zen.spamhaus.org

 We should do something to avoid these false detections if possible.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17855>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
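
An added example, not part of the ticket or of flashproxy's code: one way an operator could recognise this kind of bounce in returned mail. The Python below parses a DNSBL rejection in the format quoted in the ticket and derives the DNS name the receiving server would have queried (reversed address under the blocklist zone). The sample bounce, its documentation-range addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Rejection text in the shape of the bounce quoted in the ticket:
# "<5xx> <enhanced code> ...; client [<ip>] blocked using <zone>"
DNSBL_REJECT = re.compile(
    r"\b(?P<code>5\d\d)\s+(?P<enhanced>\d\.\d+\.\d+)\s+.*?"
    r"client\s+\[(?P<client>[^\]]+)\]\s+blocked\s+using\s+(?P<zone>[A-Za-z0-9.-]+)",
    re.IGNORECASE,
)

# Constructed sample (addresses from documentation ranges, hypothetical hosts).
SAMPLE_BOUNCE = """\
SMTP error from remote mail server after RCPT TO:<user@example.org>:
host mx.example.org [198.51.100.25]: 550 5.7.1 Service unavailable;
client [192.0.2.10] blocked using zen.spamhaus.org
"""


def dnsbl_query_name(ip, zone):
    """Return the DNS name a receiver looks up to test `ip` against `zone`."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if addr.version == 4:
        labels = reversed(str(addr).split("."))  # reversed octets
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # reversed nibbles
    return ".".join(labels) + "." + zone.rstrip(".")


def parse_dnsbl_bounce(text):
    """Return rejection details as a dict, or None if not a DNSBL bounce."""
    flat = " ".join(text.split())  # undo the MTA's line wrapping
    match = DNSBL_REJECT.search(flat)
    if match is None:
        return None
    result = match.groupdict()
    result["zone"] = result["zone"].rstrip(".")
    try:
        result["query"] = dnsbl_query_name(result["client"], result["zone"])
    except ValueError:
        result["query"] = None  # address redacted (e.g. x.x.x.x) or malformed
    return result


if __name__ == "__main__":
    print(parse_dnsbl_bounce(SAMPLE_BOUNCE))
```

A bounce whose client address has been redacted still yields the zone and status codes, with `query` set to `None`.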

