Two different servers involved. One was cleared and did not re-appear, now we have another server on their list.

What makes me believe these are false positives? Because in the detail that describes the reason for the listing, they give a source port number which has never been opened in our firewall. Both listings describe this kind of thing:

---------
IP Address ######## is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-09-26 17:00 GMT (+/- 30 minutes), approximately 6 hours, 30 minutes ago.

This IP address is infected with, or is NATting for a machine infected with "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms.

THEN FURTHER DOWN THE PAGE:

The report for your IP indicates connections from/to TCP/IP IP address n/a (the sinkhole server address) with a destination port 80, source port (for this detection) of 51578 at exactly 2014-09-26 17:28:24 (UTC). All of our detection systems use NTP for time synchronization, so the timestamp should be accurate within one second.
----------------------------

Thus, "source port (for this detection) of 51578" has never been opened, so we have a false positive, right?

And by the way, I have confirmed that our firewall is effectively closing this port with this tester:

telnet portquiz.net 51578

Could I be missing something with this?
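
An added example, not part of the original post or of the CBL's tooling: the listing quoted above describes a TCP connection to destination port 80 with source port 51578 at 2014-09-26 17:28:24 UTC, so one way to check it is to search the firewall's NAT or connection log for an outbound flow with those values and see which internal host made it. The log format, the field names, the 60-second clock tolerance and every address in the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Values taken from the CBL listing quoted in the post.
DETECTION_TIME = datetime(2014, 9, 26, 17, 28, 24, tzinfo=timezone.utc)
SOURCE_PORT = 51578   # source port as seen by the sinkhole (after NAT)
DEST_PORT = 80        # sinkhole's listening port

# Constructed sample lines in a hypothetical NAT log format. Addresses are
# placeholders (RFC 1918 / documentation ranges), not values from the page.
SAMPLE_LOG = """\
2014-09-26T17:28:11Z proto=tcp dir=out lan=10.0.0.21:49933 wan_port=40112 remote=198.51.100.7:443
2014-09-26T17:28:24Z proto=tcp dir=out lan=10.0.0.37:1047 wan_port=51578 remote=203.0.113.9:80
2014-09-26T17:28:25Z proto=tcp dir=in lan=10.0.0.5:80 wan_port=80 remote=192.0.2.44:51578
2014-09-26T19:02:40Z proto=tcp dir=out lan=10.0.0.21:51578 wan_port=51578 remote=198.51.100.7:80
"""

# Hypothetical format; adapt the pattern to what the firewall really writes.
LINE_RE = re.compile(
    r"(?P<ts>\S+) proto=tcp dir=(?P<dir>in|out) "
    r"lan=(?P<lan>[\d.]+):(?P<lport>\d+) wan_port=(?P<wport>\d+) "
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)

def find_candidates(log_text, when=DETECTION_TIME, sport=SOURCE_PORT,
                    dport=DEST_PORT, tolerance=timedelta(seconds=60)):
    """Return (timestamp, internal host, remote IP) for outbound flows whose
    translated source port, destination port and time match the listing."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "out":
            continue  # unparsable line, or an inbound flow
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if (abs(ts - when) <= tolerance
                and int(m["wport"]) == sport
                and int(m["rport"]) == dport):
            hits.append((ts, m["lan"], m["rip"]))
    return hits

if __name__ == "__main__":
    for ts, host, remote in find_candidates(SAMPLE_LOG):
        print(f"{ts.isoformat()} internal host {host} -> {remote}:{DEST_PORT}")
```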