
Am I a Spam Zombie?

ReallyCurious asks: "Recently, I've noticed a lot of junk email in my inbox reporting 'Mail delivery failure' or 'Undeliverable'. Some of these had documents attached, so I figured this was just a worm variant. But these messages keep coming. I worry that my machine has been turned into a 'Spam Zombie'. I don't see any suspicious processes running, but maybe it only runs for a few seconds, and at irregular times. I run a Windows 98 laptop, sometimes wirelessly connected to broadband (a few hours a day, on average), but I had to remove my virus software years ago because it was locking my system up, so I'm wide open. I've tried to be a good citizen and have been shopping for new virus software, but prices are running $40-$70, and most of these are just for upgrades (not even counting the mandatory 'subscriptions')! Is there an open or free virus fighting solution that's reliable and available for Windows? I'd be happy to run it ASAP."

  • Well... (Score:5, Informative)

    by hookedup ( 630460 ) on Thursday September 02, 2004 @07:57AM (#10137227)
    It may not be your system spewing out spam, but simply someone spoofing your domain.. happens to me every once in a while
  • You should be fine. (Score:5, Informative)

    by FrenZon ( 65408 ) * on Thursday September 02, 2004 @08:00AM (#10137244) Homepage

    Most likely your email address is getting used as the return address and little more - the returned mail thing affects everyone to some degree. If you were being used as a spam zombie, you'd probably not notice any change in returned mails, as the zombies generally use someone else's address again as the return addy. I'm fairly sure the return addresses aren't always randomised, as on my domains I see a bucketload of spam all from the same email address, so whoever lives there must be getting a bucketful of bounces.

    Still, you really should get an antivirus solution to ease your worries. I use AVG from Grisoft [grisoft.com], which is available in a free edition.

    Of course, the bounces are plain annoying - when I get ACTUAL bounces from mail I send, I often delete them based on subject line, not realising that the person I was trying to contact is none the wiser. Booo

  • OMG (Score:2, Informative)

    by cL0h ( 624108 ) on Thursday September 02, 2004 @08:02AM (#10137254)
    You're running Windows 98 with no virus software. I'm surprised you can use the machine at all. I constantly get requests from people to clean up their Win98 machines. They are usually riddled with spyware, trojans and diallers. Don't bother with new antivirus. Get a new operating system.
  • maybe... (Score:5, Informative)

    by johnjones ( 14274 ) on Thursday September 02, 2004 @08:02AM (#10137259) Homepage Journal
    ok if you run windows you need a virus checker

    are you a home user ?
    if so

    http://free.grisoft.com/freeweb.php/doc/2/ [grisoft.com]

    and get avg for free
    Now you need a firewall

    http://www.free-firewall.org/ [free-firewall.org]

    then I would advise getting rid of spyware with spybot
    donate something to the project if you like it...

    http://www.safer-networking.org/en/download/ [safer-networking.org]


    regards

    John Jones
  • maybe not. (Score:4, Informative)

    by gl4ss ( 559668 ) on Thursday September 02, 2004 @08:03AM (#10137261) Homepage Journal
    but if you're running a win98 without firewalling/serious tweaking.. ..you're probably owned or at least at risk. though in all fairness they're probably some other spammers who just happen to use your mail add as the sender.

    go with FREE solutions, they exist.

    http://www.free-av.com/ free virus scanning [free-av.com]

    http://www.free-firewall.org/ some free firewalling [free-firewall.org]

  • AVG AntiVirus (Score:3, Informative)

    by Green Light ( 32766 ) on Thursday September 02, 2004 @08:03AM (#10137266) Journal
    Here is the link to their free version [grisoft.com] This works well, and is completely free for personal use.
  • AVAST (Score:4, Informative)

    by chadkiser ( 653920 ) on Thursday September 02, 2004 @08:07AM (#10137280)
    http://www.avast.com/eng/avast_4_home.html [avast.com] Home version is free
  • Re:Well... (Score:3, Informative)

    by tooth ( 111958 ) on Thursday September 02, 2004 @08:10AM (#10137294)
    Yeap, AVG [grisoft.com] does a good job. It's certainly better than nothing.

    Also try the no cost version of Zone Alarm [zonelabs.com].

    These are basic and no cost bits of software I run on my parents' machines (and Firefox ;-) ... Though I'd love to buy them a mac one day :)

  • Yes (Score:3, Informative)

    by noselasd ( 594905 ) on Thursday September 02, 2004 @08:13AM (#10137310)
    antivir [free-av.com] seems to work ok,
    and is updated afaik.
    Spyware removal software [lavasoft.com] is obligatory on Windows as well.
  • by ScepticOne ( 576266 ) on Thursday September 02, 2004 @08:20AM (#10137347)

    http://www.clamwin.net/ [clamwin.net] is an allegedly good antivirus program.

    Also, http://www.spybot.info/ [spybot.info] has been alleged to be a good antispyware program.

  • Since the SMTP protocol doesn't have any authentication of the sender (except within an ISP/Domain with SMTP-AUTH), it's easy for a spammer/virus to send mail pretending to be you. That's called a 'joe-job' after one of the early occurrences of it.
    A recently proposed solution (though not without its problems) is SPF (Sender Policy Framework) http://spf.pobox.com/ [pobox.com] where a domain owner can publish the list of servers which are authorized to send mail as being from a user of their domain.
    Until it's widely deployed, not just on the publishing side, but on the checking side, it won't be real useful. However it's nearly trivial for the DNS owner to publish the records and since big ISPs like AOL and Yahoo are starting to check them it does protect you from being Joe-Jobbed to a large number of mailboxes.
  • Re:Well... (Score:2, Informative)

    by Anonymous Coward on Thursday September 02, 2004 @09:27AM (#10137881)
    As he said, the email address is inactive, but is displayed on the web. Spammers don't just look on the web for email addresses to spam, but also addresses to spoof spam from. The only connection he had with the spammer was an http connection for 1/2 a second.
  • Re:Well... (Score:3, Informative)

    by Idealius ( 688975 ) * on Thursday September 02, 2004 @09:35AM (#10137961) Journal
    The story submitter is worried about his machine, not someone else's, and if he wants to be sure he has no spyware on his system he should use HijackThis by Merijn:

    http://www.spywareinfo.com/~merijn/ (official site, down ATM)

    http://www.tomcoyote.org/hjt/

    Many popular anti-spyware forums accept posting a HijackThis log their HijackThis expert members can examine and advise you on. (e.g. The LavaSoft AdAware forums allow this but they require you post an AdAware log first :)

    Anyway, HijackThis is fairly manual as far as you need to know what you're doing to use it properly. However, if spyware is on your system it will be in a HijackThis scan result as it shows your computer's startup programs/services (legitimate or otherwise) in all known places they exist on your computer.

    Also, removing persistent spyware can get complicated using anything and this applies to HijackThis, too.

    I suggest you use Process Explorer to aid you if you're ever in this situation:

    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

    The common approach for persistent spyware is to have 3+ processes running on your system, one that actually performs the spyware function and the other two which monitor the spyware process and each other. With Process Explorer you can suspend processes that monitor other dummy processes that all make sure you A. Don't remove their startup entries and B. Don't try and terminate the spyware's running processes. They don't monitor whether their buddies are suspended, though, so you can just suspend all of them after you've identified them, end them all, then remove the HijackThis entries now that the spyware startup entries aren't protected anymore. :)

    There's also the 'Find Handle' feature which can be useful as some old methods of startup can run processes so they are a subset of Explorer rather than a separate process name in Task Manager > Processes tab. This is also a good way to find spyware DLLs.

    Anyway, as a technician, that's what I would do. Learning HijackThis and Process Explorer allows you to tune up a computer like you would a car.
  • by Bob Cat - NYMPHS ( 313647 ) on Thursday September 02, 2004 @11:27AM (#10139297) Homepage
    You are doing nothing to stop your PC from being abused because you can't find free as in beer software?

    Adaware SE Personal www.lavasoft.de
    Zone Alarm Firewall www.zonelabs.com
    F-Prot Antivirus www.f-prot.com

    All commercial products free for personal use.

    Now, install those and stop the spammers, please.
    Keep your definitions updated, okay?
  • Re:Well... (Score:4, Informative)

    by sheddd ( 592499 ) <jmeadlock.perdidobeachresort@com> on Thursday September 02, 2004 @12:03PM (#10139825)
    Instructions on how to do recipient filtering w/exchange:

    Here [asp.net] and here [msexchange.org]

    (btw filtering is off by default)

  • Not necessarily (Score:4, Informative)

    by renehollan ( 138013 ) <rhollan@@@clearwire...net> on Thursday September 02, 2004 @12:40PM (#10140307) Homepage Journal
    While running Win98 naked is about as wise as, well, running naked, this may not be the source of those bounce messages. IOW, by themselves they do not indicate that your box is a spam zombie.

    I get boatloads of these things, as well as spam (filtering is your friend) -- my email address is fairly public and in a lot of address books. I'm not about to abandon it as it's within a domain I lease.

    I run behind a fairly hardened firewall, and am moving toward a Linux iptables-based firewall/router/home server.

    What ticks me off is when such a message bounce indicates that the original message contained a virus. How dare someone accuse me of sending a virus just because their mail daemon received a spoofed From: header? They could at least check the route the mail took against that header to get an idea if it's bogus. But, often automatic spam/virus filters are pretty stupid and trust the From: address. Still, I wonder if someone, somewhere, "out there" is blacklisting me because someone else forged my identity. Sounds like a defamation suit if I could find the bastards.

    And that's the rub. Often when I've received such bounces, when the originator can be identified, they refuse to help in providing a copy of the original email, headers intact, that might permit tracking down the source: either a spammer, or a spam-zombie. I wonder if I could successfully file "theft of computer services" charges against such an organization: they're sending me unsolicited bounces, and furthermore, refusing to back up the allegation that they're bouncing messages from me. I wonder if the anti-spam legislation that's out there can be used as a club against those who send bounces to spoofed From: addresses and refuse to acknowledge or correct their mistake.
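
The route check mentioned in the comment above, applied to a bounce that does return the original headers; this is an added example, not part of the original thread. The bounce text, host names and addresses are constructed placeholders, and `my_networks` is assumed to list every address your mail legitimately leaves from (your own public IP and your ISP's outgoing mail server).

```python
import email
import ipaddress
import re

# Constructed bounce (DSN); every host and address is a documentation placeholder.
BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
Subject: Undeliverable
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@recipient.example failed.
--b1
Content-Type: message/rfc822

Received: from unknown (HELO example.org) (203.0.113.77)
 by mx.recipient.example; Thu, 2 Sep 2004 07:41:10 -0000
From: me@example.org
Subject: Your document

(attachment removed)
--b1--
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def top_hop_ips(bounce_text):
    """Client IPs in the topmost Received header of the returned original."""
    msg = email.message_from_string(bounce_text)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            # Topmost Received is the bouncing server's own; lower ones can be forged.
            received = original.get_all("Received", [])
            return IP_RE.findall(received[0]) if received else []
    return None  # the bounce did not return the original headers

def classify_bounce(bounce_text, my_networks):
    """Compare the hand-off IP with the networks you send mail from."""
    ips = top_hop_ips(bounce_text)
    if not ips:
        return "unknown"
    nets = [ipaddress.ip_network(n) for n in my_networks]
    if any(ipaddress.ip_address(ip) in n for ip in ips for n in nets):
        return "sent-from-my-network"
    return "forged-sender"
```

A result of `sent-from-my-network` is the case that points at your own machine; `forged-sender` means only your address was used.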

  • Heh (Score:2, Informative)

    by itwerx ( 165526 ) on Thursday September 02, 2004 @02:37PM (#10141649) Homepage
    If you're running Windows 98 with no antivirus and you're posting a question like this on Ask Slashdot, then yes, you are a spam zombie...

    (Okay, mod me flamebait now, it was worth it! :)
  • by slappyjack ( 196918 ) <slappyjack@gmail.com> on Friday September 03, 2004 @02:04PM (#10151160) Homepage Journal
    I've found the following helpful for the no-budget set:

    Avast Home Edition Virus Scanner [avast.com]

    Spybot Search and Destroy [safer-networking.org]

    HijackTHIS - Find out what's in your PC. (semi-advanced)
    The site for HiJackThis [spywareinfo.com] seems to be down for now. There are a few other little nifty freebie apps in there, too. Here's a mirror download site [spychecker.com]

    AdAware [lavasoftusa.com] - picks up a lot of crap in your PC

    (Anyone wanna offer up a few opinions on this stuff? You know you do.)

    Of course, the obligatory comment of "Use Mozilla, keep your shit patched, don't click every OK button you see" still applies.
  • dshield (Score:3, Informative)

    by j1m+5n0w ( 749199 ) on Friday September 03, 2004 @06:32PM (#10153845) Homepage Journal
    It's also a good idea to look your IP up [dshield.org] on dshield [dshield.org]. They aggregate firewall logs from many sources. If your IP is causing someone trouble, it is likely to show up there. Another similar service is mynetwatchman [mynetwatchman.com].

    -jim
