Thursday, June 12, 2008

Are You A Spammer?

A number of folks had indicated they would appreciate a tip or two to help them determine whether their machines are sending spam or not. So here I go.

Caveat 1: There is no button you can click that will tell you yes or no about this. What I will describe here will be a series of techniques to help you get clues to answer this question.

Historical preface: During my past 5 years as an MPL employee, I have had to deal with two infections. Both were during the past year. I think this means the bad guys are winning. It could be that I’m just getting more stupid. Folks here suggest as much occasionally.

One infection was only on a single user's notebook. The user was looking at their email, knew they should not click on a link presented in an unsolicited email, but they did anyway. A Trojan was downloaded and that user's notebook became a zombie, which is a PC that does whatever some remote controller tells it to do. It was told to spam. It did, and that user's mailbox was full of "Undeliverable" messages.

The other infection was on my mail server which I have recently described in previous posts. That issue seems to be resolved but it did get worse before it got better.

For both of these issues, the antivirus software initially failed to detect the infection. These were both popular vendors, Symantec on one and Trend Micro on the other. Both were installed so that they were running in the background whenever the PC or server was on. Both had the latest signature files. Both initially failed to catch the infection when a manual scan was run. Do you wonder why you spend so much on antivirus software? I do.

In the first case, I used a nifty product called Autoruns (http://www.sysinternals.com/) to find the offending executable. I then googled the name of the file and found out that, at that point, only one AV company (Pharos) had identified a signature for the Trojan. I then downloaded a trial of their AV software and the Trojan was found and removed.

I have already described what I went through with my mail server but the bottom line is that I probably had the infection for at least a couple weeks before my AV vendor provided a signature file that identified it. So finally a manual scan did turn up an infection.

In both these cases the first symptom was that a user's mailbox was filling up with garbage. See example below. I can't tell you how much I wanted to open up the Mexican Wrestling Squirrels message. Alas, it remains a mystery.


Hundreds of these messages would arrive in a short period of time. So it wasn’t hard to think that we had a problem. It was more like a slap in the face.

So technique #1: If you get a lot of messages with "Undeliverable" in the subject line, you may be a spammer. This will not be hard to discern. It may be hard to clean up the mess though. One caveat: spammers also forge other people's addresses as the sender, so a flood of bounces can be backscatter for mail your machine never sent. Open a few of the bounces and look at the Received headers of the returned original; if the first hop is your own PC or mail server, the mail really left your network.

#2 Ask your ISP. One of the indicators I had was a friendly call from my ISP saying they had noticed somewhat elevated outgoing traffic on port 25. Port 25 is SMTP, so that means a lot of mail going out. Your ISP may be so small that they don't watch things that closely, or so large that they don't bother with you. You can also look for yourself: on the PC in question, "netstat -ano" will show outbound connections to port 25 along with the owning process ID, and anything other than your mail client or mail server talking to port 25 deserves a closer look.

#3 Check to see if you have gotten yourself on a spammer blocklist. First go to http://www.whatismyip.com/ to see what your outside IP address is. Then go to cbl.abuseat.org and use the IP address lookup to see whether you are listed on the Composite Block List (CBL). Some email providers filter incoming email based on a block list like this, which is one reason your outbound mail may suddenly start bouncing. Keep in mind that a listing applies to the public IP address, so if several machines share one address behind NAT, the listing only tells you that one of them is misbehaving, and a dynamically assigned address may have been listed because of its previous holder.

#4 Make sure your antivirus program and antispyware programs have the latest signatures and run full scans. When the response comes back clean, still be suspicious.

#5 Run the Autoruns utility mentioned above. This is a great tool but I think a person needs quite a bit of experience at working with Windows under the hood to be able to use it effectively.
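To make techniques #1 and #3 concrete, here is an added example (my code, not the post author's): a bounce-burst detector run over a constructed mailbox sample, and a DNSBL lookup that builds the reversed-octet query name for cbl.abuseat.org and reads the answer. The query convention (reverse the IPv4 octets, append the zone, treat an answer in 127.0.0.0/8 as "listed") is the standard DNSBL form that the CBL followed; whether that zone still answers today is not assumed, so the resolver is injectable and the live call is left commented out. The sample mailbox lines and the 10-minute/5-bounce threshold are my own choices.

```python
"""Self-checks for "am I spamming?": a bounce-flood detector (technique #1)
and a DNS-based blocklist lookup (technique #3). Added example, not the
original post's code."""
import re
import socket
from datetime import datetime, timedelta

# --- Technique #1: a burst of "Undeliverable" bounces -----------------------

# Constructed sample, one message per line as "<date>|<subject>". Not a real
# mailbox export; the dates and subjects are made up for the example.
SAMPLE_MAILBOX = """\
2008-06-12 08:01:10|Undeliverable: Mexican Wrestling Squirrels
2008-06-12 08:01:12|Undeliverable: Cheap meds
2008-06-12 08:01:15|Delivery Status Notification (Failure)
2008-06-12 08:01:40|Re: lunch?
2008-06-12 08:02:05|Undeliverable: You won
2008-06-12 08:02:30|Undelivered Mail Returned to Sender
2008-06-12 09:30:00|Undeliverable: old bounce, hours later
"""

# Subject prefixes that mail servers commonly put on bounce (NDR) messages.
BOUNCE_SUBJECT = re.compile(
    r"^(undeliverable|undelivered mail|delivery status notification|"
    r"mail delivery failed|returned mail)",
    re.IGNORECASE,
)


def parse_mailbox(text):
    """Return (timestamp, subject) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, subject = line.partition("|")
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), subject))
    return sorted(rows)


def bounce_bursts(text, window_minutes=10, threshold=5):
    """Return (peak, flagged): the largest number of bounce subjects seen in
    any sliding window of `window_minutes`, and whether it reaches
    `threshold`. A flood of NDRs within minutes, not a trickle over a day,
    is the symptom the post describes."""
    bounces = [t for t, s in parse_mailbox(text) if BOUNCE_SUBJECT.match(s)]
    window = timedelta(minutes=window_minutes)
    peak, start = 0, 0
    for end in range(len(bounces)):
        # Slide the window start forward until it fits within the window.
        while bounces[end] - bounces[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak, peak >= threshold


# --- Technique #3: DNS-based blocklist (DNSBL) lookup -------------------------

def dnsbl_query_name(ip, zone="cbl.abuseat.org"):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    192.0.2.10 -> 10.2.0.192.cbl.abuseat.org (standard DNSBL convention,
    which the CBL used; assumed here from the zone named in the post)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("expected a dotted-quad IPv4 address")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone="cbl.abuseat.org", resolve=socket.gethostbyname):
    """Return True if the DNSBL answers with a 127.0.0.0/8 address (listed),
    False on NXDOMAIN. Answers outside 127/8 are treated as not listed so a
    resolver that "helpfully" rewrites NXDOMAIN cannot produce a false
    positive. `resolve` is injectable so the logic can be tested offline."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # socket.gaierror (NXDOMAIN, no resolver) is an OSError
        return False
    return answer.startswith("127.")


if __name__ == "__main__":
    print("peak bounces in window, flagged:", bounce_bursts(SAMPLE_MAILBOX))
    # A live lookup needs network access and the zone to still be in service:
    # print(dnsbl_listed("192.0.2.10"))
```

For the bounce check, point it at an export of the affected mailbox rather than a sample, and keep the backscatter caveat in mind: a flagged burst says someone is sending mail with your address on it, and the Received headers of the returned originals settle whether that someone is you.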

That’s all. Excuse my droning. I will make the next post short and possibly sweet.
