A tool to identify spam worms.

warnsmtpd is a tool that exposes worms that send spam messages. warnsmtpd runs as a background daemon and identifies worms at the moment they send the spam messages. When it does, it opens a warning window.

Download

Currently there is only one version which you can download here

Basic operation description

Project summary page: http://sourceforge.net/projects/warnsmtpd

Contact information
Currently you can contact me for everything regarding warnsmtpd

Gratitude

The story behind warnsmtpd


The use of /proc/net/tcp

The Linux kernel exposes internal kernel data as files under /proc. Among them is information about network activity: the file /proc/net/tcp is the reflection of the kernel's TCP network activity. From this file warnsmtpd finds SMTP connections by examining these fields:

  1. Remote ("to") address

  2. Remote ("to") port (25)

  3. Socket inode number (inum)




Correlation with other info in /proc

When warnsmtpd detects a record whose remote port is 25 (SMTP) it tries to match this activity to a process. The indicator is the socket inode number. By scanning the file descriptor links of every process in /proc/PID/fd, warnsmtpd can find the process that owns the SMTP connection. All that remains is to display information about that process.
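The two steps above (parse /proc/net/tcp, then map the socket inode to a process), written out as an added Python example; it is not warnsmtpd's own code, the sample /proc/net/tcp rows are constructed, and reading other users' /proc/PID/fd directories needs root, which the scanner handles by skipping what it cannot read.

```python
import os
import socket
import struct
SMTP_PORT = 25

def decode_addr(field):
    """Decode a 'HEXADDR:HEXPORT' field: 32-bit address in host byte order
    (little-endian on x86), port big-endian."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_tcp_line(line):
    """(local_ip, local_port, remote_ip, remote_port, inode) for a data row, else None."""
    f = line.split()
    if len(f) < 10 or not f[0].endswith(":"):
        return None  # header row
    local_ip, local_port = decode_addr(f[1])
    remote_ip, remote_port = decode_addr(f[2])
    return local_ip, local_port, remote_ip, remote_port, int(f[9])

def find_smtp_connections(lines):
    """The check warnsmtpd makes: keep rows whose remote ('to') port is 25."""
    hits = []
    for line in lines:
        rec = parse_tcp_line(line)
        if rec and rec[3] == SMTP_PORT:
            hits.append({"remote": rec[2], "inode": rec[4]})
    return hits

def pid_for_socket_inode(inode, proc="/proc"):
    """Scan /proc/PID/fd for a link to 'socket:[inode]'. Other users' fd
    directories are unreadable without root, so they are skipped."""
    target = "socket:[%d]" % inode
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                return int(pid)
        except OSError:  # permission denied, or the process already exited
            continue
    return None

# Constructed sample rows (not a real capture): a local listener on port 631 and
# an outbound SMTP connection to the address used in the page's warning example.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:D4A2 68175D43:0019 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
""".splitlines()
```

On a live system, read the lines from open("/proc/net/tcp") instead of SAMPLE and pass each hit's inode to pid_for_socket_inode to get the PID the warning names.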



Kernel dependency

With all that in mind, remember that the layout of kernel data structures as presented in /proc can change between kernel versions, and such changes would require matching changes in the warnsmtpd code.



An example of a warning message.

The program /usr/bin/telnet  pid 15911 sends SMTP message using tcp Protocol to  Remote_Address 67.93.23.104




What to do when a warning is displayed


Dictionary


What is a Spam message?

A spam message (sometimes called an unsolicited message) is a message that was sent to you without your permission (you did not specifically give your e-mail address to the sender). Most of the time the spam message is an advertisement, and often the ads are for goods whose legal status is questionable. In order for an organization to send you a spam message it has to obtain your e-mail address first. The easiest way for it to get your address is by buying address lists. E-mail address collection is performed by harvesting addresses from public mailing lists and other resources in which people register themselves.
The best way to avoid spam messages is not to register your e-mail address with organizations unless you are absolutely sure they are safe.


Spam filters and what they do:

As a result of the increasing amount of spam, solutions were developed to inhibit the spread of those messages. The most common solution is to remove a spam message from the mailbox. This solution does not stop the message from travelling to its destination and therefore does not reduce traffic. One important thing about spammers is that they check messages returned to them due to a non-existent recipient, and then remove those non-existent recipients from their dispatch list. A spam filter that removes the message from the mail folder does not generate an undelivered bounce and therefore never causes the recipient to be removed from the spammer's dispatch lists.
Spam filter companies focus on the opportunity they now have, to sell as much, for as much money as possible. They do not take responsibility of the quality of their solution and many times, in their rush they take the good with the bad.

In my case, the reason my messages were marked as Spam was probably because I use formal e-mail identity which is then forwarded to the actual email address that is provided by my ISP. I understand many people do the same and most likely get the same result.



What is a worm?

A worm is a computer program that was planted into your system and that, like a computer virus, performs operations you would not normally allow. Recently most worms are designed to send unsolicited (spam) e-mail messages. Many times those worms, in an attempt to hide the originator, will use your address book as a source for the "From:" field.


What is SMTP?

SMTP stands for Simple Mail Transfer Protocol, the protocol used to send e-mail messages.



Gratitude

Simion Tiberiu from Cyprus who gave me the idea.
Michael Ben-Nes from cannan.co.il for advice about performance.
net-tools developers for some code ideas I took from netstat code.
rob from bluerobot.com for this web page layout and style.



The story behind the project

Not too long ago I started receiving warnings from colleagues that my e-mail messages were marked as spam by their mail filter. I assumed I was infected by some kind of a worm.
A friend of mine, who currently lives in Cyprus, told me that they have a service which sends them an SMS whenever their credit card is charged. This way they can make sure that the use of the card is done by the owners.
This is exactly what warnsmtpd does. Whenever there is SMTP activity, the user receives a warning window.
This service is designed to be used on a Linux desktop machine. I expect the end user (yourself) to view the warning window and identify the reason. If you have just sent an e-mail message and the warning window blames your e-mail client, then everything is OK. However, if the warning window appears at any other time, then it is likely to be a computer worm which sends e-mail messages from your machine.

