Tuesday, May 13, 2008

I, Spammer

OK, so everything I said in my last post (Fight SPAM with reCaptcha) is true. It's just not applicable to my present situation. Here is the latest on my SPAM epic.

We get very little SPAM in our accounts here at MPL. So we really noticed it when it started coming in during the middle of April. Like I said, we have three layers of protection, so I didn't think it was our mail server. I ran some anti-virus and anti-spyware scans on the mail server and some of the affected PCs, which indicated nothing to worry about. It would go away soon.

Well, it hasn't gone away and it's getting old so I felt I needed to look into it a little more. The final kick in the butt for me was when my ISP called last week to say that they are seeing somewhat elevated port 25 traffic coming from our site. That is mail traffic. It was confirmation that we are the problem. We had become a spammer.

Since all our traffic comes out from behind a single public IP address, the ISP could only say it was coming from the library, but not where inside the library. That's my job. Suspecting that someone has infected their PC by doing something inappropriate, I block outgoing email from everything except the mail server. Still SPAM goes out. So I know the problem is with the server itself.

Finally, yesterday I decide to run another virus scan. Bingo! It turns up something called "Troj_Dloader.amt". The scanner removed the trojan and I haven't seen any "undeliverable" messages since. The anti-virus vendor, Trend Micro, first identified this trojan on May 6. It had a solution to remove it on May 8. I ran a manual scan on the mail server on May 13 which found it.

There are a few interesting points here.

  • I don't yet know how this server got infected, but I work pretty hard to make my servers resistant to this sort of thing. If I find out, I'll let you know.

  • My AV program is always running on my server. I would have thought it should have recognized the infection, even though the infection was there first, once it downloaded the signature file that recognized the problem. But it didn't. It didn't catch it until I ran a manual scan.

  • We have been infected for about a month now. Yet the SPAM volume was never so high as to cause my ISP to shut me down, or the mail server to slow down substantially, or to make humans so annoyed that I had to immediately find and fix the problem to keep them from cutting my throat. The bad guys are now less concerned about making a big splash by rendering unusable thousands of PCs and more about making money. So the parasites are smart enough to keep the host alive and functioning. They are trying to stay under the radar.

  • That said, I wonder how many of you are spammers too. The trojan I had doesn't necessarily require an existing in-house mail server to work, so you could have just one PC and still be sending someone's SPAM out. How can you tell for sure? That's a good question. For many of us we only find out when the PC doesn't work anymore or the ISP shuts us down.

If you are interested in knowing a few tricks to help determine whether you are a spammer or not, drop me a line saying so and I'll show some ideas in a future post.
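An added example, not part of the original post: one way to look for the two situations described above in firewall logs, a PC other than the mail server talking on port 25, and the mail server itself sending more than usual. The log format, addresses, baseline and threshold are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

MAIL_SERVER = "192.168.1.10"  # assumed address of the in-house mail server
BASELINE_PER_DAY = 2          # assumed normal outbound SMTP connections per day
FACTOR = 2                    # flag the server above FACTOR x baseline

# Constructed sample lines: date time action proto src dst dport
SAMPLE_LOG = """\
2008-04-10 09:12:01 ALLOW TCP 192.168.1.10 203.0.113.5 25
2008-04-10 11:40:17 ALLOW TCP 192.168.1.10 198.51.100.9 25
2008-04-10 13:02:44 DENY TCP 192.168.1.57 203.0.113.80 25
2008-04-10 13:05:10 ALLOW TCP 192.168.1.57 198.51.100.20 80
2008-04-11 02:01:00 ALLOW TCP 192.168.1.10 203.0.113.11 25
2008-04-11 02:14:30 ALLOW TCP 192.168.1.10 203.0.113.12 25
2008-04-11 02:31:05 ALLOW TCP 192.168.1.10 198.51.100.33 25
2008-04-11 03:02:59 ALLOW TCP 192.168.1.10 198.51.100.34 25
2008-04-11 03:40:12 ALLOW TCP 192.168.1.10 203.0.113.13 25
2008-04-11 truncated entry
"""

def smtp_counts(log_text):
    """Return {date: Counter({src: n})} of outbound TCP/25 attempts."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        f = line.split()
        # Skip malformed lines and anything that is not TCP to port 25.
        if len(f) != 7 or f[3] != "TCP" or f[6] != "25":
            continue
        counts[f[0]][f[4]] += 1  # blocked (DENY) attempts count too
    return counts

def findings(log_text):
    """List (date, source, count, reason) rows worth a closer look."""
    out = []
    for day, per_src in sorted(smtp_counts(log_text).items()):
        for src, n in sorted(per_src.items()):
            if src != MAIL_SERVER:
                out.append((day, src, n, "non-mail-server host on port 25"))
            elif n > FACTOR * BASELINE_PER_DAY:
                out.append((day, src, n, "mail server above baseline"))
    return out

if __name__ == "__main__":
    for row in findings(SAMPLE_LOG):
        print(row)
```

The second check matters because blocking port 25 for everything except the mail server does nothing when the mail server is the infected machine.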
