warnsmtpd - Spam Worm detector for Linux Desktop.

A tool to identify spam worms.

warnsmtpd is a tool that exposes worms that sends Spam messages. warnsmtpd runs as a background daemon and identifies worms when they send the spam messages. As a result it activates a warning window.

Download

Currently there is only one version which you can download here

Basic operation description

• The use of /proc/net/tcp

• Correlation with other info in /proc

• Kernel dependency

• An example of a warning

• What to do when a warning is displayed

Project summary page: http://sourceforge.net/projects/warnsmtpd

Contact information
Currently you can contact me for everything regarding warnsmtpd

Gratitude

The story behind warnsmtpd

---

The use of /proc/net/tcp

The Linux kernel provides visual information presented as files about internal kernel data. Among which there is information about network activity. The file /proc/net/tcp is the reflection of kernel network activity in TCP protocol. From this file warnsmtp finds SMTP by examining the fields:

1. To address

2. To port (25)

3. socket inum

---

Correlation with other info in /proc

When warnsmtpd detects a record that it's to port is 25 (SMTP) it tries to match  this activity to a process. The indicator is the socket inum. By scanning all processes in /proc/PID/fd warnsmtpd can eventually find the process that does the SMTP connection. Now all we have to do is display information about the process.

---

Kernel dependency

With all that in mind we have to remember that kernel data structures as represented in /proc can change and would enforce changes in warnsmtpd code.

---

An example of a warning message.

---

What to do when a warning is displayed

• Make sure you did not just post an e-mail messages because if you did, then probably there is nothing wrong.

• See if you can identify the remote address. This should be a mail exchange server. Maybe this can lead you to the area where the originator of the worm is from.

• You have the pid and executable name of the villain process. Check it's parent process ID and see if you are familiar with it.

• Kill the darn process and if it makes sense, kill also it's parent process.

Dictionary

What is a Spam message?

A Spam message (sometimes called an unsolicited message) is a message that was sent to you without your permission (you did not specifically give your e-mail address to them). Most of the time the Spam message is an advertising and many times the adds are about goods which their legal state is in question. In order for an organization to send you a Spam message they have to obtain your e-mail address first. The easiest way for them to get your e-mail address is by buying address lists. E-mail address collection is performed by collecting addresses from various public mailing lists and other resources which people register themselves in.
The best way to avoid Spam messages is not to register your e-mail address in organizations you are not absolutely sure that they are safe.

---

Spam filters and what they do:

As a result of the increasing amount of Spam messages, solutions were developed to inhibit the spread of those messages. The most common solution is to remove a Spam message from the mailbox. This solution does not inhibit the message from traveling to it's destination and therefore does not reduce traffic. One important thing about spammers is that they check returned messages, that were returned to them due to non existent recipient, and then remove those non existent recipients from their dispatch list. The Spam filter solution which removes the Spam message from the mail folder does not generate an undelivered bouncing mail and therefore does not eventually cause a removal of the recipient from the Spam initiator dispatch lists.
Spam filter companies focus on the opportunity they now have, to sell as much, for as much money as possible. They do not take responsibility of the quality of their solution and many times, in their rush they take the good with the bad.

In my case, the reason my messages were marked as Spam was probably because I use formal e-mail identity which is then forwarded to the actual email address that is provided by my ISP. I understand many people do the same and most likely get the same result.

---

What is a worm?

A worm is a computer program that was planted in to your system and that, like a computer virus, performs operations you normally will not allow. Recently most of the worms are designed to send unsolicited - Spam e-mail messages. Many times those worms, in the attempt to hide the originator, will use your address book as a resource to assign the "From:" field.

---

What is SMTP?

SMTP stands for Simple Mail Transfer Protocol. A mechanism that sends e-mail messages.

---

Gratitude

Simion Tiberiu from Cyprus who gave me the idea.
Michael Ben-Nes from cannan.co.il for advice about performance.
net-tools developers for some code ideas I took from netstat code.
rob from bluerobot.com for this web page layout and style.

---

The story behind the project

Not too long ago I started receiving warnings from colleagues that my e-mail messages were marked as spam by their mail filter.  I assumed I was infected by some kind of a worm.
A friend of mine, who currently lives in Cyprus, told me that they have a service which sends them an SMS whenever their credit card is charged. This way they can make sure that the use of the card is done by the owners.
This is exactly what warnsmtpd does. Whenever there is an SMTP activity, the user receives a warning window.
This service is designed to be used on a Linux desktop machine. I expect the end user - yourself, to view the warning window and identify the reason. Would you just have sent an e-mail message and the warning window blames your e-mail client, then everything is OK. However, would the warning window appear at any other time then it is likely to be a computer worm which sends e-mail messages from your machine.

Back to top