
Does your Network have Spam Zombies? (Part 2)
The first part of this article dealt with how to recognize and isolate unexplained network activity. This segment will help you determine if a spam zombie is responsible for the unexplained traffic.
The purpose of spam zombies is to send spam. Once you can look directly at the mystery network traffic, it will be pretty easy to recognize whether that's what's going on. If the source of the activity is something else, looking at the traffic can give you a clue as to what it might be.
First, you will need to install a network tool known as a packet sniffer on the suspect system. Ethereal is a good free one. You can download Ethereal from http://www.ethereal.com. Be sure to download and install WinPcap first, as it's needed for Ethereal to function.
It may be possible to install Ethereal on just one system to scan the entire network, but that depends on your system configuration and network topology.
Once Ethereal is installed, click the leftmost button on the toolbar. Then, click the "Capture" button. This will begin logging all network traffic to and from your system. Wait a minute or so, then click "Stop."
You now have a sample of the unexplained traffic. The protocol used to send email (including spam) is called SMTP. As a technical note, SMTP traffic uses TCP port 25. In Ethereal, SMTP traffic is easy to identify. If your log looks something like the picture below, you've almost certainly got a spam zombie on your hands.
If the system is the source of other unexplained traffic, that may also be a problem. Google can be a good resource for identifying the nature of the unexplained packets.
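The port 25 check described above can also be run over a saved capture file. The following is an added example, not part of the original article; it assumes the capture was saved in the classic libpcap format with Ethernet framing and IPv4 traffic. The IP addresses are constructed sample values, and the limit of two mail servers is an assumed rule of thumb.

```python
import socket
import struct
from collections import Counter

def smtp_syns(pcap: bytes, local_ip: str) -> Counter:
    """Count outbound SMTP connection attempts (TCP SYN to port 25) per remote IP."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])  # byte order
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic libpcap capture of Ethernet frames")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet + minimal IPv4 header, EtherType IPv4, IP protocol 6 (TCP)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IP header (IHL words)
        if len(tcp) < 14:
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        # SYN set and ACK clear: a new connection opened by the suspect host
        if src == local_ip and dport == 25 and (flags & 0x12) == 0x02:
            hits[dst] += 1
    return hits

def looks_like_zombie(hits: Counter, max_servers: int = 2) -> bool:
    """Assumed rule of thumb: a desktop mail client talks to one or two servers."""
    return len(hits) > max_servers

def _frame(src: str, dst: str, dport: int, flags: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_capture() -> bytes:
    """Constructed capture: suspect 192.168.1.50 plus documentation-range peers."""
    me = "192.168.1.50"
    frames = [_frame(me, f"203.0.113.{n}", 25, 0x02) for n in (10, 11, 12, 13, 10)]
    frames.append(_frame(me, "198.51.100.7", 80, 0x02))     # web traffic, ignored
    frames.append(_frame("203.0.113.10", me, 40000, 0x12))  # inbound SYN-ACK, ignored
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    print(smtp_syns(sample_capture(), "192.168.1.50"))
```

A system that legitimately runs a mail server will also open many outbound port 25 connections, so the result only means something on a machine that should not be relaying mail.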
If you're having a problem with receiving spam from spam zombies, SpamButcher's anti spam filter software can help. SpamButcher's free 30-day trial version can be downloaded from this site.
The next part of this series will suggest the proper protocol for dealing with spam zombie systems. It won't be pretty.