
We've come into the office (30+ networked systems) this morning to find that our email server is blacklisted on the CBL for:

This IP address is infected with, or is NATting for a machine infected with the ZeroAccess botnet, also known as Sirefef. More information can be found from Wikipedia. It is most often used for bitcoin mining or click fraud, but as it contains a downloader portion, it can do anything.

The other developer and I tend to believe what organizations such as Spamhaus say and believe we have a virus somewhere. Our network administrators are leaning more towards it being our web server (AWS) which sends out receipts to customers through our in-house email server. The mail server acts as a relay but only allows connections internally or from the IP of our webserver.

What kind of false-positive rate do lists such as the CBL have? Is an infection alert something that could be triggered by something as generic as a receipt email?

Jamie Taylor

1 Answer


I often handle support cases because of CBL listings. I have never seen a false positive. If the CBL thinks something behind your IP is infected they're most probably right.

Remember that a CBL listing isn't necessarily caused by spam sent over your mailserver. Any type of bot connection using different protocols / ports from an infected laptop to a CBL host can trigger a listing. Therefore it is recommended to use a dedicated IP for your mailserver.

Carefully read the full explanation page on the CBL; they usually give some information on what to look for in your firewall logs, etc.

Gryphius
  • I assumed as much (re not being triggered by spam) due to the fact that CBL is dedicated to malware and Spamhaus having other divisions for spam itself. Thanks! – Jamie Taylor Oct 14 '13 at 14:46
  • I refreshed the CBL page to see if anything had been changed and **"This detection was NOT because of spam."** has been appended to the page in a big red font. I now feel like CBL maintainers are following me. – Jamie Taylor Oct 14 '13 at 15:31
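The answer's advice is to look in the firewall logs for the internal host the NAT is hiding. An added example of that triage, not code from the original thread: it parses constructed NAT egress log lines (the `src= dst= proto= dport=` layout and the `EXPECTED` port set are assumptions to adapt to your own firewall and policy) and ranks internal hosts by how many distinct external peers they reach on ports outside normal mail/web traffic, so a relay legitimately sending receipts on port 25 is not flagged while a workstation fanning out to many peers on odd ports is.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post). The "src= dst= proto= dport="
# layout is an assumed generic format; adapt LINE_RE to your firewall's output.
SAMPLE_LOG = """\
Oct 14 09:01:02 fw ACCEPT src=10.0.0.5 dst=203.0.113.10 proto=TCP dport=25
Oct 14 09:01:05 fw ACCEPT src=10.0.0.5 dst=203.0.113.11 proto=TCP dport=25
Oct 14 09:01:09 fw ACCEPT src=10.0.0.5 dst=203.0.113.12 proto=TCP dport=25
Oct 14 09:02:00 fw ACCEPT src=10.0.0.7 dst=198.51.100.20 proto=TCP dport=443
Oct 14 09:02:03 fw ACCEPT src=10.0.0.7 dst=198.51.100.21 proto=TCP dport=80
Oct 14 09:03:00 fw ACCEPT src=10.0.0.42 dst=192.0.2.30 proto=UDP dport=41234
Oct 14 09:03:01 fw ACCEPT src=10.0.0.42 dst=192.0.2.31 proto=UDP dport=41234
Oct 14 09:03:01 fw ACCEPT src=10.0.0.42 dst=192.0.2.32 proto=UDP dport=41235
Oct 14 09:03:02 fw ACCEPT src=10.0.0.42 dst=192.0.2.33 proto=UDP dport=41234
Oct 14 09:03:02 fw ACCEPT src=10.0.0.42 dst=192.0.2.34 proto=UDP dport=41235
"""

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

# Egress an office network plus a mail relay is expected to produce
# (an assumption; extend with whatever your own policy allows).
EXPECTED = {("TCP", 25), ("TCP", 80), ("TCP", 443), ("TCP", 587), ("UDP", 53)}

def parse(log_text):
    """Yield (src, dst, proto, dport) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"].upper(), int(m["dport"])

def profile_hosts(log_text):
    """Per internal source: count of distinct external peers, plus the peers
    reached on ports outside EXPECTED (the bot-style fan-out to look for)."""
    peers, odd_peers = defaultdict(set), defaultdict(set)
    for src, dst, proto, dport in parse(log_text):
        peers[src].add(dst)
        if (proto, dport) not in EXPECTED:
            odd_peers[src].add(dst)
    return {s: {"peers": len(peers[s]), "odd_peers": sorted(odd_peers[s])}
            for s in peers}

def suspicious_hosts(log_text, min_odd_peers=5):
    """Internal hosts talking to >= min_odd_peers distinct externals on
    unexpected ports; the relay (several peers, all port 25) is not flagged."""
    return sorted(s for s, p in profile_hosts(log_text).items()
                  if len(p["odd_peers"]) >= min_odd_peers)
```

Run it over a day of real egress logs and start the malware hunt on whichever host it lists first, rather than on the mail server the CBL entry happens to name.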