[tor-bugs] #17855 [Flashproxy]: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite Blocking List)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 14 23:57:28 UTC 2015
#17855: flashproxy-reg-email detected as Kelihos botnet spam by the CBL (Composite Blocking List)
------------------------+---------------------
 Reporter:  dcf         |  Owner:  dcf
     Type:  defect      |  Status:  new
 Priority:  Medium      |  Milestone:
Component:  Flashproxy  |  Version:
 Severity:  Normal      |  Resolution:
 Keywords:              |  Actual Points:
Parent ID:              |  Points:
  Sponsor:              |
------------------------+---------------------
Comment (by dcf):
Incidentally, the false detections seem to have started shortly after an
incident on 2015-11-24 when the CBL had many Kelihos false positives. The
notice is now gone from their home page, but it is archived
[https://wordtothewise.com/2015/11/what-happened-with-the-cbl-false-listings/ on a blog page]:
November 24, 2015 Widespread false positives
Earlier today, a very large scale Kelihos botnet event occurred – by
large scale, many email installations will be seeing in excess of 20%
kelihos spam, and some will see their inbound email volume jump by a
volume of as much as 500%. This isn’t an unusual thing normally, the
CBL/XBL has been successfully dealing with large scale Kelihos spam spikes
like this, often daily, for years.
The email was allegedly from the US Federal Reserve, saying something
about restrictions in “U.S. Federal Wire and ACH online payments.” Not
only was the notice itself fraudulent, the attached Excel spreadsheet
(.xls) contained macro instructions (a downloader) to download a Windows
executable virus, most likely Dyreza or Dridex malware.
The detection rules initially deployed by the CBL unfortunately were
insufficiently detailed, and listed a number of IP addresses in error.
As per our policy, all entries of this type were purged (by about 19:05
UTC), and the detection heuristic removed.
If you were listed up to around 19:00 UTC, and the CBL lookup page
appears to indicate that the IP is no longer listed, this is likely the
explanation, and no further action is required on your part.
I unlisted my server after they adjusted the detection rules and it got
relisted again, so whatever they changed did not fix this particular false
positive.
I found out this was happening because I run hourly flashproxy test
scripts from a host that I also send email from. The flashproxy test
scripts usually use flashproxy-reg-appspot, but when that fails (which is
less than once a day), it falls back to flashproxy-reg-email. So unlisting
would get the server unblocked until the next time flashproxy-reg-email
ran.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17855#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online