
12/04/2013

Category MALICIOUS IP: 185.5.99.21 - Dictionary attacker - Unknown0556 Spambot - Poland

The IP address 185.5.99.21 (IP location: Poland) is listed in the CBL (Composite Blocking List). It appears to be infected with a spam-sending trojan, proxy and/or some other form of botnet. It was last detected on the 4th of November 2013. It has been relisted following a previous removal on 12th November. This IP is infected (or NATting for a computer that is infected) with a spambot that has not yet been identified. For the time being it is referred to as the Unknown0556 Spambot.


IP 185.5.99.21 is participating in a botnet. CBL states: If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

Dictionary attacks: 5.741 emails sent from this IP.
Email Reputation: Poor
Spam Level: Very High

Reputation of IP 185.5.99.21:
OTHER INFORMATION:
AS198414
Biznes-Host.pl sp. z o.o.
Google Safebrowsing Report on ASN

New Additional Info on this IP

The latest CBL report states:

It was last detected at 2013-12-08 03:00 GMT (+/- 30 minutes), approximately 3 hours, 30 minutes ago.
The listing of this IP is because it HELLOs as (IP) 17.158.8.111. Not only is this a violation of RFC2821/5321 section 4.1.1.1, it's even more frequently a sign of infection. (RFC 2821, section 4.1.1.1, Extended HELLO (EHLO) or HELLO (HELO).)
These listings are often a sign of a compromised SSH account. If you are running an SSH service (especially on Linux), please check your SSH server logs (often /var/log/auth.log) for logins from this IP. If you find any, secure the associated account. This usually means changing the password or disabling the account.
If it's a mail server, see naming problems for details on how to diagnose and fix the problem.
If IP address 17.158.8.111 is or is NATing for a Symantec Protection Center instance, this appears to be a known issue. See this Knowledge Base item. We are attempting to work through this issue with them. Their KB item was updated October 18, 2010 to indicate that they now understand the issue.
The KB item indicates that the problem will be resolved in a "future build", but no ETA is provided. If you have SPC's email notification feature turned on, we recommend turning it off before delisting your IP address as a temporary workaround.
This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.
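The two checks the CBL report asks an administrator to make, as an added example that is not part of the original post or of the CBL's own tooling: classifying an EHLO/HELO argument against RFC 5321 section 4.1.1.1 (a fully-qualified domain name or a bracketed address literal is allowed; a bare IP such as 17.158.8.111 is not), and scanning auth.log-style lines for accepted SSH logins from the listed IP. The log lines and HELO arguments below are constructed samples, not taken from any real server.

```python
import ipaddress
import re

# Constructed auth.log excerpt (sample data, not from a real host)
SAMPLE_AUTH_LOG = """\
Dec  8 02:41:07 host sshd[2211]: Failed password for root from 185.5.99.21 port 51234 ssh2
Dec  8 02:41:12 host sshd[2211]: Accepted password for backup from 185.5.99.21 port 51240 ssh2
Dec  8 02:45:00 host sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""

# FQDN: dot-separated labels, no leading/trailing hyphen, alphabetic TLD
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)

def classify_helo(arg):
    """Classify an EHLO/HELO argument as 'domain', 'address-literal',
    'bare-ip' (the RFC 5321 4.1.1.1 violation the CBL flags) or 'invalid'."""
    if arg.startswith("[") and arg.endswith("]"):
        inner = arg[1:-1]
        if inner.lower().startswith("ipv6:"):   # "[IPv6:...]" form from RFC 5321
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return "address-literal"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(arg)                # bare IP with no brackets
        return "bare-ip"
    except ValueError:
        pass
    return "domain" if FQDN_RE.match(arg) else "invalid"

# Matches sshd's successful-login line; failed attempts are deliberately ignored
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")

def logins_from(log_text, listed_ip):
    """Return the accepted SSH logins that came from listed_ip."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(3) == listed_ip:
            hits.append({"method": m.group(1), "user": m.group(2), "port": int(m.group(4))})
    return hits

if __name__ == "__main__":
    for helo in ["mail.example.com", "17.158.8.111", "[17.158.8.111]", "localhost"]:
        print(helo, "->", classify_helo(helo))
    for hit in logins_from(SAMPLE_AUTH_LOG, "185.5.99.21"):
        print("secure account:", hit["user"], "(login via", hit["method"] + ")")
```

Any account returned by `logins_from` is the one the CBL text says to secure; a `bare-ip` result from `classify_helo` is the HELO misconfiguration that triggered the listing.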
