Am I a Spam Zombie?
ReallyCurious asks: "Recently, I've noticed a lot of junk email in my inbox reporting 'Mail delivery failure' or 'Undeliverable'. Some of these had documents attached, so I figured this was just a worm variant. But these messages keep coming. I worry that my machine has been turned into a 'Spam Zombie'. I don't see any suspicious processes running, but maybe it only runs for a few seconds, and at irregular times. I run a Windows 98 laptop, sometimes wirelessly connected to broadband (a few hours a day, on average), but I had to remove my virus software years ago because it was locking my system up, so I'm wide open. I've tried to be a good citizen and have been shopping for new virus software, but prices are running $40-$70, and most of these are just for upgrades (not even counting the mandatory 'subscriptions')! Is there an open or free virus fighting solution that's reliable and available for Windows? I'd be happy to run it ASAP."
Well... (Score:5, Informative)
Re:Well... (Score:2)
Re:Well... (Score:3, Informative)
Also try the no cost version of Zone Alarm [zonelabs.com].
These are basic and no cost bits of software I run on my parents' machines (and Firefox ;-) ... Though I'd love to buy them a mac one day :)
Re:Well... (Score:2)
Re:Well... (Score:4, Insightful)
Unfortunately, older versions of Exchange are stupid in this respect, and accept pretty much anything. I believe you even have to specifically configure the newer versions of exchange too to behave correctly (someone correct me if I'm wrong here... I no longer use exchange, just read about how 2003 works...)
IMHO, if you are running an older version of exchange without a good Unix relay in front of it that can do all this validation and scanning for you, you are a big part of the problem.
qmail as well (Score:2)
("Frequently"? They always forge the sender. Anyhow...)
I really like qmail, but it does make the braindead design of accepting mail, then processing it. (For reasons of efficiency or something; it's supposed to be a feature.)
The folks at LinuxMagic make a replacement [linuxmagic.com] that's a bitch to get working, but does all kinds of checking during the SMTP transaction, like valid user checking, virus scanning, etc. You're supposed to be able to plug in arbitrary checkers, but I never got around to trying. The
Re:qmail as well (Score:2)
Check it out.
Re:qmail as well (Score:2)
Re:Well... (Score:4, Informative)
Here [asp.net] and here [msexchange.org]
(btw filtering is off by default)
Re:Well... (Score:2)
Re:Well... (Score:2)
Re:Well... (Score:2)
Most probably some virus/worm somewhere.
I just got a bounce message today where I allegedly sent a message to someone that bounced. Strange thing it was sent from a dormant e-mail of mine which is not configured anywhere in any of my local programs and only an old 'official' contact on the web. (A mail alias on my domain...)
So I would not worry.
I'm running this XP box, with SP 4 (using Kerio Personal Firewall 2.1.5 instead of Windows' one) as
Re:Well... (Score:2)
I would give it a second thought, it is likely someone you have had an email correspondence with and can therefore warn.
The best bet is to find out what virus it is (scan the email). And tracert the originating IP address. This should give you the ISP and maybe a state. Look up the virus to find the file names it creates and tell your family/friends that match the ISP/location to search for the file.
Most Virii can be removed
Re:Well... (Score:2, Informative)
Re:Well... (Score:2)
Are you from the future?
Re:Well... (Score:2)
Re:Well... (Score:3, Informative)
http://www.spywareinfo.com/~merijn/ (official site, down ATM)
http://www.tomcoyote.org/hjt/
Many popular anti-spyware forums accept posting a HijackThis log that their HijackThis expert members can examine and advise you on. (e.g. The LavaSoft AdAware forums allow this but they require you post an AdAware log first
Anyway, HijackThis is fairly manua
Re:Please learn how to make links. (Score:2)
I also know how to create relatively grammar-error free posts, as well. (ONE friggin error (-_-)
I want to call you an idiot because obviously I know what I'm doing as can be seen from my previous post -- (e.g. it should be obvious I left amenities out because I was in a bind for time or something similar -- not because I don't know how..)
Please be happy you have the information and try not to criticize too much. It's not like I post onto slashdot for a living or something..
Re:Please learn how to make links. (Score:2)
Re:Well... (Score:2)
Re:Well... (Score:2)
Sure one could get polymorphic virii, and do all sorta funny stuff. But mostly their memory footprint (or key parts thereof) remain the same or similar to existing virii and spyware. Good Virii and spyware detection software can detect derivatives even before they were programmed to.
But this is irrelevant, as it's a network issue.
Re:Well... (Score:2)
Re:Well... (Score:2)
Not necessarily (Score:2)
No (Score:4, Insightful)
how do I check for trojans? (Score:2)
cheers
Re:how do I check for trojans? (Score:2)
Why? (Score:3, Insightful)
eh (Score:2, Insightful)
If you're a bit more techie you can use winpcap or similar to capture the traffic.
There's no excuse to be wide open. You'll soon do something about it when your ISP wakes up to the problem and cuts you off. I appreciate how people can get caught inadvertently by malware (I was hosting a trojan for a few hours last week in between upgrades) but I don't appreciate you leaving it th
You're not infected (Score:2, Interesting)
You should be fine. (Score:5, Informative)
Most likely your email address is getting used as the return address and little more - the returned mail thing affects everyone to some degree. If you were being used as a spam zombie, you'd probably not notice any change in returned mails, as the zombies generally use someone else's address again as the return addy. I'm fairly sure the return addresses aren't always randomised, as on my domains I see a bucketload of spam all from the same email address, so whoever lives there must be getting a bucketful of bounces.
Still, you really should get an antivirus solution to ease your worries. I use AVG from Grisoft [grisoft.com], which is available in a free edition.
Of course, the bounces are plain annoying - when I get ACTUAL bounces from mail I send, I often delete them based on subject line, not realising that the person I was trying to contact is none the wiser. Booo
Re:You should be fine. (Score:2)
But I'm scared of my more technically naive mother getting zapped this
Early retirement (Score:2)
you just published your address on SlashDot as a mailto link.
Jouni
Re:Early retirement (Score:3, Insightful)
ultimate firewall (Score:3, Funny)
Try Zonealarm [zonelabs.com]?
Re:ultimate firewall (Score:2)
The poster is "wirelessly connected", you dolt! ;-)
That's more like it. Or better yet, Kerio Personal Firewall [kerio.com].
Re: OT (Score:2)
You know, that used to be "You know you've been MUDding too long when.."
OMG (Score:2, Informative)
Re:OMG (Score:2, Interesting)
For a large part of that time I ran no firewall, used an online remote virus scanner sporadically at best, and reinstalled only once. In all that time, my computer contracted only one virus (a non-serious one at that), and this was due to a less computer-savvy relation of mine browsing the internet using I
Re:OMG (Score:2)
I run MS Windows 95 with no antivirus or firewall, and don't have any problem at all with viruses, etc.
All I did was turn off everything that can be used to compromise my machine (e.g., closed port 135, turned off NetBIOS over TCP/IP, etc.).
I also have disabled scripting, plugins, etc., in my browser (Mozilla) and in my mail and news readers (Outlook Express, Mozilla and Forte Free Agent).
(I do have a proxy serv
maybe... (Score:5, Informative)
are you a home user ?
if so
http://free.grisoft.com/freeweb.php/doc/2/ [grisoft.com]
and get avg for free
Now you need a firewall
http://www.free-firewall.org/ [free-firewall.org]
then I would advise getting rid of spyware with spybot
donate something to the project if you like it...
http://www.safer-networking.org/en/download/ [safer-networking.org]
regards
John Jones
dshield (Score:3, Informative)
-jim
maybe not. (Score:4, Informative)
go with FREE solutions, they exist.
http://www.free-av.com/ free virus scanning [free-av.com]
http://www.free-firewall.org/ some free firewalling [free-firewall.org]
Re:maybe not. (Score:3, Insightful)
Or is there something I'm missing?
AVG AntiVirus (Score:3, Informative)
AVAST (Score:4, Informative)
Re:AVAST (Score:2)
Re:AVAST (Score:2)
We get the same thing all the time... (Score:2, Interesting)
Either way, I'd suggest running that address through a spam block of some kind to filter out the crud or just give it up entirely if you can.
Yes (Score:3, Informative)
and is updated afaik.
Spyware removal software [lavasoft.com] is obligatory on Windows as well.
I don't get it.... (Score:5, Insightful)
The point is that you do NOT need anti-virus software. Anti-virus and anti-spyware software should be used only to clean up already busted systems. Your system cannot be infected if you take proper care to prevent it. Even if you are running Windows on a cable modem all day.
1) NEVER download an e-mail attachment.
2) Use Firefox instead of IE.
3) Use Thunderbird instead of Outlook.
4) Do NOT visit untrustworthy websites
5) Do NOT download any software from the internet and install it. Even if it looks trusty from tucows or download.com, do a Google search to see if it is spyware first.
6) Have a firewall like zone alarm or sygate, or better have another computer between you and the net with a firewall on it. Or have a hardware firewall. Proper network level security keeps the worms out almost guaranteed.
7) If you have wireless lock it down. You don't want a drive by person to start sending spam out your pipe.
8) DO get all the windows updates that are security fixes. The ones that aren't security fixes you can choose to get or not get at your own discretion.
If you do those things then there is almost no way you can get hit. It's really that simple. And if you DO get hit, it's usually easier to re-install due to the degrading nature of Windows. Any Windows install, even a clean one, falls apart over time. The registry fills with more and more junk. Improperly uninstalled apps leave files behind here and there. Hidden variables change and are not changed back. Even the cleanest installs seem to last at most 18 to 24 months except in very controlled business environments.
Don't pay for anti-virus software, it's a ripoff. Just re-install and then take proper preventative measures so it doesn't happen again.
Re:I don't get it.... (Score:2)
0) Do not run Windows 98. This is the year 2004. 1998 was released 6 years ago. Microsoft have released three (3!) major desktop operating system revisions since then. If you thought MS was bad for security now, try and remember what they were like 6 years ago!
If you won't pay for Windows XP, I am certain that you can get a free operating system that will do all the things you can do with your Windows 98 install. Y
Re:I don't get it.... (Score:5, Insightful)
Windows ME: Oh, it was major, alright - a major failure. The "Upgrade" path at the time was to revert back to 98SE.
Windows 2000: Remember, this was marketed as "not for home use". That was what ME was for. 2000 wouldn't support many legacy apps.
So there has really only been 1 major desktop OS revision that is relevant, and given XP's poor rep, there are plenty of reasons not to upgrade.
Also, the comparison between then and now isn't valid. A large number of the exploits now target services in 2000 & XP that 98 doesn't have.
98 certainly isn't state of the art, but I don't know that I'd call 2000 or XP that either. Your most compelling argument seems to be "98 is OLD!!"
BFD.
Don't fill Bill's pockets. (Score:2)
Use a Win emulator in Linux, there are several very good out there that allow you to use your cranky copy of W98 if you need to do so.
No reason to shell out more money for the guys in Redmond.
You wanna play games? Get a PS2, a Gamecube or a GBA. They are cheaper than a full version of Windows XP.
Almost right (Score:3, Interesting)
One of the Win 95 machines has been running for 7 YEARS without having to reload the OS. I have swapped hardware in and out, and changed drivers. The last time the OS was changed was when I put the 6 Gig drive in (1997) and I needed to upgrade from Win 95 ver B to ver C (B didn't support drives that big).
One of the Win 98 machines is now 4 years old, with no reloads, t
Re:I don't get it.... (Score:3, Interesting)
A better option for step 8 is: get all Windows updates and security fixes ON CD, because ot
Just some clarification (Score:2)
Then how are you supposed to open it? People do send legitimate attachments.
Do NOT visit untrustworthy sites
What exactly is a trustworthy site these days? Javascript and even HTML have been used to download malicious code. Even well known and respected sites have been affected.
Proper network level security keeps the worms out almost guaranteed.
Worms yes, because they infect networks. But viruses and trojan horses infect machines.
-Do beware of emails with sin
Re:I don't get it.... (Score:2)
Free virus software is out there. (Score:2, Informative)
http://www.clamwin.net/ [clamwin.net] is an allegedly good antivirus program.
Also, http://www.spybot.info/ [spybot.info] has been alleged to be a good antispyware program.
Most likely a 'Joe-Job'...Ask your ISP about SPF (Score:5, Informative)
A recently proposed solution (though not without its problems) is SPF (Sender Policy Framework) http://spf.pobox.com/ [pobox.com] where a domain owner can publish the list of servers which are authorized to send mail as being from a user of their domain.
Until it's widely deployed, not just on the publishing side, but on the checking side, it won't be real useful. However it's nearly trivial for the DNS owner to publish the records and since big ISPs like AOL and Yahoo are starting to check them it does protect you from being Joe-Jobbed to a large number of mailboxes.
AVG (Score:2)
I run it on my windows systems at home, too.
So consider this as another vote for AVG.
You should probably also consider a firewall, there are couple of free ones out there, including Zone Alarm and so on.
Housecall (Score:3, Interesting)
http://housecall.antivirus.com [antivirus.com]
Housecall is a web-based virus scanner that, since it is loaded anew every time, always has the latest virus definitions. Since it installs nothing but temporary cache files, you don't have to worry about it slowing down your machine.
Because of the nature of the application it can't always clean the offending virii/malware, but it will at least alert you to their presence and give you their names so that you can manually remove them. When combined with stinger [nai.com], spybot [safer-networking.org] and google [google.com] it's an excellent choice for on-site calls to machines without AV or for your old boxen that just can't afford the extra cycles for full-time AV bloat.
If you prefer to do the offline thing, try the Knoppix anti-virus distribution [oreillynet.com] (weak link I know). Once again it isn't a permanently installed application and since the OS isn't running it can slap down bugs before they're loaded into memory.
Cheers!
Re:Housecall (Score:2, Interesting)
I've used housecall a few times to scan some machines. It works pretty well, and since it's web based you don't have to install anything. The downside is that it's for IE only so it may not be an option for some (hopefully many).
For offline scanning, I'll repeat the numerous recommendations for Grisoft's AVG free scanner
http://www.grisoft.com/us/us_index.php
After testing it on a few machines, we're planning to purchase the server edition to scan all incoming email befo
With apologies for /.-ing them (Score:2)
With apologies, because the connection I just made to them was a bit slow, there are:
http://openrbl.org/
http://moensted.dk/spam
http://www.dnsstuff.com/tools/ip4r.ch
Unfortunately my domain is in there, because it really refers to my ISP-assigned IP, and their whole block is listed.
A good firewall is as important as antivirus (Score:2)
If you practice reasonably safe internet usage (e.g. not opening attachments you aren't expecting, not visiting websites from random links, not visiting shady websites) then your
Look at the Received-From headers (Score:2)
If the originating ip address matches your ISP, there's a good chance, though as others here have said, most of the time, these bounces are from spam that uses one address from its mailing list for the "TO" header and another for the "FROM" header.
NEVER run Windows without solid anti-virus. If something on your machine is interfering with the anti-virus, fix your machine until anti-virus runs. If your anti-virus interferes with something else, don't run that something else. Seriously. It's that dangerous.
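To make the two checks discussed in this thread concrete (reading the Received: chain of a bounced message for the originating IP, and the SPF check an MTA could have done before bouncing to the forged From: address), here is an added example that is not from any poster. It uses a constructed bounced message and a constructed SPF record; the SPF evaluator is deliberately simplified to ip4/ip6/all mechanisms with no DNS lookups, so include, a and mx are not handled.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: the original message an MTA returned inside a bounce.
# Every host name, address and IP here is made up for this example. The
# Received: headers are listed newest hop first, as MTAs prepend them.
BOUNCED_ORIGINAL = """\
Received: from mx.example-isp.test (mx.example-isp.test [198.51.100.7])
\tby inbound.victim-mail.test with ESMTP id abc123; Mon, 1 Nov 2004 10:00:05 +0000
Received: from unknown (HELO home-pc) (203.0.113.45)
\tby mx.example-isp.test with SMTP; Mon, 1 Nov 2004 10:00:00 +0000
From: reallycurious@example.test
To: nobody@victim-mail.test
Subject: hi

body
"""

# Constructed SPF record for example.test: only one host may send its mail.
SPF_RECORD = "v=spf1 ip4:192.0.2.25 -all"

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(raw_message: str) -> list:
    """Return the first IPv4 address in each Received: header, newest hop first.
    Only the headers added by relays you trust are reliable; a sender can
    pre-insert fake Received: lines below the ones real relays add."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IPV4.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def check_spf(client_ip, spf_record: str) -> str:
    """Simplified SPF evaluation: ip4/ip6/all only, no DNS, so include/a/mx
    mechanisms are ignored. Returns pass, fail, softfail, neutral or none."""
    client_ip = ipaddress.ip_address(client_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    verdict = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = term[0] if term[0] in verdict else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return verdict[qual]
        if mech.startswith(("ip4:", "ip6:")):
            if client_ip in ipaddress.ip_network(mech[4:], strict=False):
                return verdict[qual]
    return "neutral"  # record ended without a matching mechanism


def diagnose(raw_message: str, my_netblocks: list, spf_record: str) -> dict:
    """Was any hop inside my ISP's ranges, and what would SPF have said about
    the client that connected to the bouncing MTA (the newest hop)?"""
    hops = received_ips(raw_message)
    nets = [ipaddress.ip_network(n) for n in my_netblocks]
    from_my_isp = [str(ip) for ip in hops if any(ip in n for n in nets)]
    spf = check_spf(hops[0], spf_record) if hops else "none"
    return {"hops": [str(ip) for ip in hops], "from_my_isp": from_my_isp, "spf": spf}


if __name__ == "__main__":
    # 203.0.113.0/24 stands in for my ISP's dynamic customer pool (constructed).
    print(diagnose(BOUNCED_ORIGINAL, ["203.0.113.0/24"], SPF_RECORD))
```

A hop inside your own ISP's customer range is the signal the thread describes as worth a closer look; the "fail" SPF result shows the bouncing MTA had enough information to reject at SMTP time instead of bouncing to the forged address.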
You are being irresponsible (Score:3, Informative)
Adaware SE Personal www.lavasoft.de
Zone Alarm Firewall www.zonelabs.com
F-Prot Antivirus www.f-prot.com
All commercial products free for personal use.
Now, install those and stop the spammers, please.
Keep your definitions updated, okay?
Re:No anti-virus software? Then stay off the net! (Score:2)
I've had anti-virus software for years and kept it up to date and it never once blocked a virus.
However, I've spent many hours undoing the damage done to my machine by the virus scanners themselves. And I've spent a lot of money buying new versions.
Which person is the sucker? The one who is constantly spending time and money maintaining virus scanner installations that never block an infection or the o
Re:No anti-virus software? Then stay off the net! (Score:2)
So you are the guy telling people to download random software from the internet and install it. Thank you very much.
Not necessarily (Score:4, Informative)
I get boatloads of these things, as well as spam (filtering is your friend) -- my email address is fairly public and in a lot of address books. I'm not about to abandon it as it's within a domain I lease.
I run behind a fairly hardened firewall, and am moving toward a Linux iptables-based firewall/router/home server.
What ticks me off is when such a message bounce indicates that the original message contained a virus. How dare someone accuse me of sending a virus just because their mail daemon received a spoofed From: header? They could at least check the route the mail took against that header to get an idea if it's bogus. But, often automatic spam/virus filters are pretty stupid and trust the From: address. Still, I wonder if someone, somewhere, "out there" is blacklisting me because someone else forged my identity. Sounds like a defamation suit if I could find the bastards.
And that's the rub. Often when I've received such bounces, when the originator can be identified, they refuse to help in providing a copy of the original email, headers intact, that might permit tracking down the source: either a spammer, or a spam-zombie. I wonder if I could successfully file "theft of computer services" charges against such an organization: they're sending me unsolicited bounces, and furthermore, refusing to back up the allegation that they're bouncing messages from me. I wonder if the anti-spam legislation that's out there can be used as a club against those who send bounces to spoofed From: addresses and refuse to acknowledge or correct their mistake.
Re:Not necessarily (Score:2)
I'm not talking about any of the email headers. I'm talking about the actual IP address of the email filter that contacted my SMTP server with the bogus bounce: it, unfortunately, trusted the From: address.
Now, this could come from a zombie, or an SMTP proxy, but in either case, there exists a party that can be held responsible
here's a list (Score:2)
I've used AVG. Some people prefer AntiVir.
Housecall (Score:2)
Instead, I run a web-based antivirus program (http://housecall.antivirus.com/ [antivirus.com]) about once a month.
Obviously I also take other precautions - only connect to the internet via a NAT router, never open email attachments, etcetera but Housecall is good, and it's free.
Free anti-virus software (up to 1 year trial) (Score:2)
This was mentioned on /. a while back, but /. search is down and I couldn't find it quickly on Google.
A great free solution for you. (Score:2)
Heh (Score:2, Informative)
(Okay, mod me flamebait now, it was worth it!
Spoof. (Score:2)
Just stoppit! (Score:2)
Stop Using Microsoft Products!
Basic PC Meds. All free. (Score:2, Informative)
Avast Home Edition Virus Scanner [avast.com]
Spybot Search and Destroy [safer-networking.org]
HijackThis - Find out what's in your PC. (semi-advanced)
The site for HijackThis [spywareinfo.com] seems to be down for now. There are a few other little nifty freebie apps in there, too. Here's a mirror download site [spychecker.com]
AdAware [lavasoftusa.com] - picks up a lot of crap in your PC
(Anyone wanna offer up a few opinions on this stuff? You know you do.)
Of course, the obligatory comment of "Use Mozilla, keep your shit patched, don
Re:Another stupid ask slashdot (Score:5, Insightful)
We should never insult folks for asking "stupid" questions, but rather admire the courage it took to ask.
Re:Another stupid ask slashdot (Score:2)
Re:Another stupid ask slashdot (Score:2)
"Are there any free virus scanners?"
And:
"Which free virus scanners do you recommend?"
If this guy had spent even 5 seconds on Google, he'd KNOW there are free virus scanners for Windows all over the place. The first entire page of results for "free virus scanner" are all free virus scanners for Windows.
This guy just didn't put in any effort at all.
For the record, I recommend AVG Antivirus and Sygate Personal Firewall. ZoneAlarm might look pretty, but it's hard to configur
Re:Another stupid ask slashdot (Score:2)
Ummmm, where can I get some of that? I think it would impress the ladies.
You're an idiot. (Score:2)
He probably just used his email address online once, or sent email to someone who's infected. Now his email address is seen as a good defl
Not so idiotic (Score:2)
Also, my DSL modem has a "WAN" light, but nothing to say what's coming in vs going out. Turning logging on demonstrated that nearly all unaccountable activity was incoming probes, and I breathed easier. I also helped more than one sysadmin/netadmin identify zom
Re:AVG free (Score:2)
Correction (Score:2)
Bold portion my addition.
zombified? (Score:2)