Zombie or Spoof?

Question

I got an e-mail today from an Army spam blocker that (a message) with my email address was blocked as spam. I normally leave our computer on all the time with McAfee Security Center. Is this spam problem because someone somewhere else is using my e-mail address to send spam, or because someone has somehow hijacked my computer and is using it as a "zombie"?

- Carl

Answer

This question was answered on March 16, 2007. Much of the information contained herein may have changed since posting.

A couple of years ago we saw the beginning of widespread use of "zombie" mail viruses that could turn any ordinary computer into a silent sender of spam, phishing scams and the like.

The use of "spoofed" sender addresses has also been in wide use by the bad guys for a number of years, so either scenario is possible in your case.

Generally speaking, if your machine was being used as a zombie, the hackers wouldn't use your address as the sender because it would make it too easy to track back to your machine (and get shut down).

Remember, staying under the radar is very important for these cyber-thugs, so an infected system will continue to silently do their dirty work.

It is more likely that your e-mail address was randomly chosen from a database of known good addresses to make it more difficult to determine where the message was actually coming from.

There are a number of ways that your address could have become a participant in these types of schemes, but one in particular is common.

If you have ever clicked on the "take me off your list" link in a junk message, you likely fell prey to one of the oldest tricks in the spammer's handbook.

You see, by getting you upset and encouraging you to click on the "take me off your list" link, they got you to verify that your address was valid. (Never respond in any way to junk messages, and never request to be removed from a list that you never asked to be on in the first place.)

There was a time when you could determine the point of origin from the IP (Internet Protocol) address in the message header (Alt-Enter with the message selected in your Inbox, then click on Details in most Microsoft e-mail programs), but even that information can be spoofed if the spammer is clever enough.
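To make that header-reading step concrete, here is an added example (not from the column) that walks the Received: lines of a bounced message the way a mail administrator would. Every hop is recorded by the server that received it, so only the lines written by servers you trust are reliable; everything below the point where the message entered those servers was supplied by the sender and is exactly the part a clever spammer forges. The message, host names and addresses are constructed for illustration (the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are reserved for documentation).

```python
"""Locate the real entry point of a bounced message from its Received: headers.

Added example, not from the column. Hosts, IPs and the message are constructed.
"""
import email
import ipaddress
import re

# Constructed bounce payload: spam with the reader's address forged as From:,
# as the receiving site's filter saw it. Received: lines are newest first; the
# bottom one (claiming to come from "carls-pc") was written by the spammer.
RAW_MESSAGE = """\
Received: from mx1.example.mil (mx1.example.mil [192.0.2.10])
    by spamfilter.example.mil with ESMTP id AB12CD;
    Fri, 16 Mar 2007 10:02:11 -0700
Received: from mail.carls-isp.example (unknown [203.0.113.45])
    by mx1.example.mil with SMTP id EF34GH;
    Fri, 16 Mar 2007 10:02:09 -0700
Received: from carls-pc (carls-pc [192.168.1.5])
    by mail.carls-isp.example with ESMTP;
    Fri, 16 Mar 2007 10:01:50 -0700
From: Carl <carl@example.com>
To: someone@example.mil
Subject: (spam subject)

body text
"""

# Mail servers run by the receiving site (constructed). Only Received: lines
# that these hosts wrote can be trusted; each hop vouches only for what it saw.
TRUSTED_HOSTS = {"spamfilter.example.mil", "mx1.example.mil"}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# "from <helo> (... [ip]) by <server>" with optional IPv6: prefix on the address
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\].*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def parse_received(raw):
    """Return the Received: hops, top (newest) to bottom, as dicts."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    return hops


def is_trusted_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_origin(hops):
    """Walk newest to oldest. The first hop written by a trusted server that
    received from an untrusted address is where the message entered the site;
    its IP is the most reliable origin. Returns (index, hop) or (None, None)."""
    for index, hop in enumerate(hops):
        if hop["by"] in TRUSTED_HOSTS and not is_trusted_ip(hop["ip"]):
            return index, hop
    return None, None


def untrusted_hops(hops):
    """Received: lines below the trust boundary: sender-controlled, may be forged."""
    index, _ = find_origin(hops)
    return [] if index is None else hops[index + 1:]


def classify(raw, my_public_ip):
    """'zombie-suspect' if the message entered from the reader's own public
    address, 'spoofed-sender' if it entered from somewhere else."""
    _, origin = find_origin(parse_received(raw))
    if origin is None:
        return "undetermined"
    return "zombie-suspect" if origin["ip"] == my_public_ip else "spoofed-sender"


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for hop in hops:
        print(f"{hop['by']:<26} received from {hop['ip']:<14} ({hop['helo']})")
    _, origin = find_origin(hops)
    print("entry point:", origin["ip"])
    print("sender-supplied hops:", [h["ip"] for h in untrusted_hops(hops)])
    # The reader's public IP comes from their ISP or router status page;
    # 198.51.100.7 is a constructed stand-in.
    print("verdict:", classify(RAW_MESSAGE, "198.51.100.7"))
```

In the constructed message the bottom Received: line points at a private address named after the reader's PC, but it sits below the hop where the site's own server accepted the message, so it carries no weight; the entry point is 203.0.113.45. Comparing that with the address your own connection had at the time tells zombie from spoof: a match is worth investigating on your machine, a mismatch means someone else sent it under your name.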

You mentioned that you are using a commercial firewall product, which is also designed to warn you when something in your computer is trying to use the Internet.

A zombie program uses its own system for sending the messages, so it would have to get permission from your firewall program (usually asks you to allow or deny access) before it could do its dirty work.

In previous columns, I wrote about the number of processes running in a Windows XP system being an indicator that rogue programs may be (but not necessarily are) rummaging around in your computer (press Ctrl-Alt-Del to open the Task Manager and look in the bottom left corner for the number of processes running in your system).

When we service a computer, we like to get this number under 40 processes. If your computer is running 50 or more processes, you may want to take the time to figure out what all those programs are, just to play it safe (my column on cleaning up excess processes is posted at http://www.datadoctors.com/help/kenscolumns).
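As an added example of how to go about "figuring out what all those programs are" (this is not the column's own procedure), the script below reads a process listing in the layout of Windows XP's `tasklist /svc` command, counts the processes against the 40 and 50 thresholds above, and lists the ones a user should identify first: names not in a baseline recorded when the machine was known clean, svchost.exe instances hosting no services, and names that are one character away from a well-known one. The listing and the baseline are constructed for this example; the baseline is a small hand-made allow list, not an authoritative set of Windows processes.

```python
"""Triage a tasklist-style process listing against a per-machine baseline.

Added example, not from the column. The listing and baseline are constructed.
"""
import difflib
import re

# Constructed listing in the layout of `tasklist /svc`. The last three rows are
# the interesting ones: an svchost.exe hosting nothing, a lookalike name
# (svch0st.exe, digit zero), and a program not in the baseline.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       348 N/A
csrss.exe                      412 N/A
winlogon.exe                   436 N/A
services.exe                   480 Eventlog, PlugPlay
lsass.exe                      492 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    656 DcomLaunch
svchost.exe                    724 RpcSs
svchost.exe                    840 AudioSrv, BITS, Browser, EventSystem,
                                   LanmanServer, Schedule
svchost.exe                   1700 N/A
spoolsv.exe                   1120 Spooler
explorer.exe                  1244 N/A
mcagent.exe                   1500 N/A
svch0st.exe                   1620 N/A
updater32.exe                 1688 N/A
"""

# Processes the reader expects on this machine (constructed: a handful of core
# Windows XP processes plus the one their security suite runs). Record such a
# list after a clean service so later listings can be compared against it.
BASELINE = {
    "System Idle Process", "System", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "taskmgr.exe", "mcagent.exe",
}

# image name (may contain spaces), PID, then the service list or N/A
ENTRY_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split(services):
    items = [s.strip() for s in services.split(",") if s.strip()]
    return [] if items == ["N/A"] else items


def parse_tasklist(text):
    """Parse the listing into (name, pid, [services]) tuples. A service list
    that wraps continues on an indented line and is joined to its entry."""
    entries = []
    for line in text.splitlines()[2:]:          # skip the heading and ruler
        if not line.strip():
            continue
        if line[0].isspace() and entries:       # continuation of a service list
            name, pid, services = entries[-1]
            entries[-1] = (name, pid, services + _split(line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["name"], int(m["pid"]), _split(m["services"])))
    return entries


def triage(entries, baseline=BASELINE):
    """Count processes and list the ones to identify before trusting the machine."""
    count = len(entries)
    unknown = sorted({name for name, _, _ in entries if name not in baseline})
    # svchost.exe exists only to host services; an instance hosting none is odd
    empty_svchost = [pid for name, pid, svcs in entries
                     if name == "svchost.exe" and not svcs]
    # unknown names that nearly match a baseline name deserve the closest look
    lookalikes = {}
    for name in unknown:
        match = difflib.get_close_matches(name, baseline, n=1, cutoff=0.85)
        if match:
            lookalikes[name] = match[0]
    if count >= 50:
        verdict = "investigate"     # the column's "50 or more" threshold
    elif count >= 40:
        verdict = "review"          # above the under-40 target after a service
    else:
        verdict = "ok"
    return {"count": count, "verdict": verdict, "unknown": unknown,
            "empty_svchost": empty_svchost, "lookalikes": lookalikes}


if __name__ == "__main__":
    for key, value in triage(parse_tasklist(TASKLIST_SAMPLE)).items():
        print(f"{key}: {value}")
```

On a real machine you would save `tasklist /svc` output to a file from a Command Prompt and feed that file to `parse_tasklist`; the count is the same number Task Manager shows in its bottom left corner, and the unknown and lookalike lists are where to start looking things up.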

Today's generation of virus code is very sneaky and can hide from many of the most popular security programs, especially when it is hiding inside of something else (a Trojan horse), so always be careful what you allow into your computer.


Author

Posted by Ken of Data Doctors on March 16, 2007