Comments on: cutwail spamBOT

By: George

George — Fri, 20 Nov 2009 12:12:35 +0000

Hi Laura,

We seem to have gotten rid of the pest!

We blocked port 25 on all PCs except the mail server, and Trend AV, Malwarebytes and Windows Malicious Removal tool seem to have done the trick. I have also disabled all NDR’s and havent been blacklisted for over a week now!

Thanks,
George

By: Laura

Laura — Tue, 10 Nov 2009 02:18:55 +0000

George,

I don’t know if this will help you out or not, but we’re trying this site right now. Microsoft says it should catch and remove Cutwail. Hopefully it works and will be of some assistance.

http://onecare.live.com/site/en-US/center/howsafe.htm?s_cid=mscom_msrt

By: Marcus

Marcus — Wed, 28 Oct 2009 11:15:33 +0000

Hi, thanks for this article.
Today we have been blocked by spamhaus cbl. The culprit is cutwail spambot.
Please forgive my question lol.
How do I block the port 25 for everything except the exchange server. Is this done on our cisco router?
Im using Cisco SDM to connect to the routers configuration.
Many thanks in advance for any help.

By: George

George — Fri, 23 Oct 2009 15:40:49 +0000

Thanks Trizz,

I managed to set up a rule on the sbs2008 server to block port 25 except for the mail server. I think it would be good to block it on the NETGEAR ProSafe VPN Wireless ADSL Gateway DGFV338 as we are using this router as the firewall, but not sure how you can make exceptions whilst creating the rules.

Where can I locate the Windows Malicious code remover, can I manually save it and then run from sbs2008 server? My security settings dont allow me to download.

Thanks,
George

By: trizzz

trizzz — Thu, 22 Oct 2009 16:25:08 +0000

The best thing to do is to block port 25 except for your mail server. Your PCs don’t need to access port 25, except for a spambot to send out mail. Doing this eliminates 95% of the problems that’s associated with spambots.

If you’re sure the spambot is gone, the blacklists will eventually automatically remove you from the lists. If you know which lists you’re on…you can go and manually petition each one to remove you now.

The problem with this, once you get removed and you HAVEN’T removed the issue, then they’ll put you back on the list and it’ll be harder to take yourself off of them.

The program that I found worked best to remove the cutWAIL spambot was actually the Windows Malicious Code remover. It’s a free download from Microsoft’s website…and it found the CutWail spambot and removed it easily.

Best of Luck, George!

By: George

George — Thu, 22 Oct 2009 16:10:56 +0000

Hi,

I am experiencing a similar issue, cant send out emails on our domain. I blocked the NDRs on exchange, but am using 2007 and I have ticked the box. Is there anything else I need to do?

Also, not sure about blocking port 25 and only allowing the mailserver and blackberry server through sbs2008 firewall.

We have 40 PCs on the network, and I have ran Trend AV, and malwarebytes on all pcs, yet am still getting blocked

Anyone have any ideas?

Thanks

By: CHUCKLZ

CHUCKLZ — Tue, 22 Sep 2009 15:46:20 +0000

I just looked for the computer with the background stating that “I AM AT RISK!” with binary background.

By: dan

dan — Thu, 23 Jul 2009 16:21:41 +0000

I had the cutwail trojan sending spam.
Our internet provider blocked outgoing email over smtp port 25 until resolved.
Our CA etrust pestpatrol didnt pick it up at first!
What worked for me was to add a firewall rule to block all outgoing smtp trafic on port 25 and have it log all connection attempts.
Viewed the logs(ruling out my email server/s ip to start) and the offending ip was obvious as the hits were 100′s per minute.
match the ip to a computer by checking DHCP allocations.
Scan the offending ip/PC with the latest MRT (Microsoft Malicious Software Removal Tool)and disconnect it from the network until clean.
Re enable SMPT traffic on the firewall after double checking the logs for other possible spaming.
Happy Hunting

By: Jensen Consulting Pte Ltd » Blog Archive » Corporate Enterprise – Why you need more IP’s

Wed, 22 Jul 2009 20:34:33 +0000

[...] experiencing a major IT Problem, one computer on the network have most likely been infected by a spamBOT – and are being blacklisted on the relevant spam [...]

By: Georg

Georg — Mon, 01 Jun 2009 06:49:42 +0000

We were blacklisted by CBL and others. The message on CBL was that we were infected by cutwail spamBOT.

After an intensive weekend spent with scanning pc’s and systems without success, we found out, that our exchange server was abused as spam server by sending non delivery reports (NDR) messages to faked senders.

Disabling NDR solved the problem.

Disable NDR:
From Exchange System Manager, Global Settings, Internet Message Format.
Double click on your right. Advanced tab. Uncheck Allow
non-delivery reports.

You must also activate the setting on the smtp connection protocol: Exchange Server, Protocols, Virtual Default Server => Properties by left click.
In the popup: General, Click on listed item, click on the button ‘modify’.
In the popup: Check “Absendungskennungsfilter verwenden” on the top right (Sorry, I’ve only an german Exchange, must be translated similar to ‘use sender identification filter’)