Killing Spam Zombies Made Easy - Detecting Unexplained Network Traffic

An active spam zombie system will generate network traffic. If you can eliminate all known sources of network traffic, and still are seeing activity you may have a problem.

Note the caveat of "active" - even if there isn't any unexplained network traffic, it is possible your network may have compromised systems that are sitting idle. Advanced system administrators may want to setup security logging on the router level to catch off-hours activity, but that goes beyond the scope of this article.

Turn all your computers on, and ensure no one is using them. Shutdown any backup jobs or other processes that may generate network access. If you're in a work environment, this may be best done after-hours.

Now, go look at your main router. You presumably shouldn't be seeing any significant traffic.

If the "traffic" light is generally off, you're probably in the clear. A periodic blip or two likely isn't cause for alarm. However, if you see a lot of traffic - you might have a problem.

Just because you have unexplained network traffic doesn't necessarily mean you have a zombie infestation. It does mean you need to do some additional investigating.

The next step is to isolate which system or systems are responsible for the questionable traffic.

SpamButcher is a powerful anti-spam email filter than can kill spam generated by zombies or other sources.

Next: Identifying suspect systems >>