warnsmtpd
is a tool that exposes worms that send spam messages. warnsmtpd runs as a
background daemon and identifies worms at the moment they send spam.
When it does, it pops up a warning window.
Currently there is only one version, which you can download here:
Project summary
page: http://sourceforge.net/projects/warnsmtpd
Contact information
Currently you can contact me
for everything regarding warnsmtpd
The Linux kernel exposes some of its internal data as files under /proc. Among them is information about network activity: the file /proc/net/tcp is a snapshot of the kernel's IPv4 TCP sockets (IPv6 sockets are listed separately in /proc/net/tcp6). From this file warnsmtpd finds SMTP connections by examining these fields of each entry:
remote address
remote port (25)
socket inode number
When warnsmtpd finds an entry whose remote port is 25 (SMTP) it tries to match that socket to a process. The link is the socket inode number: every open socket appears in /proc/PID/fd as a symbolic link of the form socket:[inode], so by scanning the fd directories of all processes warnsmtpd eventually finds the process that made the SMTP connection. All that is left is to display information about that process.
Bear in mind that the layout of the kernel data structures as presented in /proc can change between kernel versions, and such a change would force changes to the warnsmtpd code.
First make sure you did not just send an e-mail message yourself; if you did, there is probably nothing wrong.
See if you can identify the remote address. It should be a mail exchange server; a reverse DNS or whois lookup on it tells you where the worm is delivering mail, which may hint at who is behind it.
You have the PID and executable name of the offending process. Check its parent process ID and see whether you recognize it.
Kill the process and, if it makes sense, kill its parent as well.
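The following script is an added example, not warnsmtpd's own code, of the two pieces described above: parsing /proc/net/tcp for connections to port 25 and joining the socket inode against /proc/PID/fd, then reading the name and parent PID the warning window would show. It handles IPv4 only (/proc/net/tcp6 uses 32-digit hex addresses). The /proc/net/tcp sample and the small fake /proc tree are constructed here so it runs offline; the process name "mailer", PIDs 4242 and 4000 and inode 22222 are invented. On a real system, descriptors of other users' processes are only readable as root.

```python
#!/usr/bin/env python3
# Added example (not warnsmtpd code): join /proc/net/tcp with /proc/PID/fd.
import os
import socket
import struct
import tempfile

SMTP_PORT = 25

# Constructed sample of /proc/net/tcp from a little-endian host (not a real
# capture): a listening local MTA, an outbound SMTP connection owned by socket
# inode 22222, and an unrelated HTTPS connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0201A8C0:9C42 0A00010A:0019 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0201A8C0:B1D3 5E1C2B8E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def _decode_endpoint(token):
    """'0A00010A:0019' -> ('10.1.0.10', 25). The kernel prints the IPv4 address
    as a 32-bit integer in host byte order ('=' in struct), the port big-endian."""
    addr_hex, port_hex = token.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(addr_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into dicts; field positions follow the header line."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": _decode_endpoint(fields[1]),
            "remote": _decode_endpoint(fields[2]),
            "state": int(fields[3], 16),        # 0x01 ESTABLISHED, 0x0A LISTEN
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def smtp_connections(entries):
    """Outbound SMTP = remote port 25; a listening MTA has remote port 0."""
    return [e for e in entries if e["remote"][1] == SMTP_PORT]


def find_pid_for_inode(inode, proc_root="/proc"):
    """Scan /proc/PID/fd of every process for the link 'socket:[inode]'."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or not readable
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:              # fd closed between listdir and readlink
                continue
    return None


def describe_process(pid, proc_root="/proc"):
    """Name and parent PID from /proc/PID/status, for the warning window."""
    info = {"pid": pid, "name": None, "ppid": None}
    with open(os.path.join(proc_root, str(pid), "status")) as status:
        for line in status:
            key, _, value = line.partition(":")
            if key == "Name":
                info["name"] = value.strip()
            elif key == "PPid":
                info["ppid"] = int(value)
    return info


def check_smtp(proc_net_tcp_text, proc_root="/proc"):
    """One alert per outbound SMTP connection, with the owning process if found."""
    alerts = []
    for conn in smtp_connections(parse_proc_net_tcp(proc_net_tcp_text)):
        pid = find_pid_for_inode(conn["inode"], proc_root)
        alert = {"remote": conn["remote"], "inode": conn["inode"], "pid": pid}
        if pid is not None:
            alert.update(describe_process(pid, proc_root))
        alerts.append(alert)
    return alerts


def build_fake_proc(root):
    """Constructed stand-in for /proc: PID 4242 ('mailer', parent 4000)
    holds socket inode 22222 on fd 5 (dangling symlink is fine for readlink)."""
    pid_dir = os.path.join(root, "4242")
    os.makedirs(os.path.join(pid_dir, "fd"))
    os.symlink("socket:[22222]", os.path.join(pid_dir, "fd", "5"))
    with open(os.path.join(pid_dir, "status"), "w") as status:
        status.write("Name:\tmailer\nPPid:\t4000\n")


def demo():
    """Run the check against the constructed sample and fake /proc tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return check_smtp(SAMPLE_PROC_NET_TCP, root)


if __name__ == "__main__":
    for a in demo():
        print("SMTP to %s:%d by pid %s (%s, parent pid %s)" % (
            a["remote"][0], a["remote"][1], a["pid"], a.get("name"), a.get("ppid")))
```

To use it on a live machine, replace the sample with open("/proc/net/tcp").read() and the fake root with "/proc"; the daemon described above does the same join in a loop. A practitioner's caveat: a worm can avoid port 25 entirely (submission port 587, SMTPS on 465, or webmail), so a port-25 check is a useful tripwire, not a complete detector.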
A spam message (sometimes called an unsolicited message) is a
message that was sent to you without your permission: you did not
give your e-mail address to the sender. Most of the time a
spam message is an advertisement, and many of the ads are for goods
whose legality is questionable. In order for an organization to
send you spam it first has to obtain your e-mail address.
The easiest way to get it is by buying address lists. Such lists are
compiled by harvesting addresses from public mailing lists and other
resources in which people register themselves.
The best way to avoid spam is not to register your e-mail
address with organizations unless you are absolutely sure they are safe.
As a result of the growing volume of spam, solutions
were developed to inhibit its spread. The most common
solution is to remove spam messages from the mailbox. This
does not stop the message from travelling to its destination and
therefore does not reduce traffic. One important thing about spammers
is that they check messages returned to them because the recipient
does not exist, and remove those non-existent recipients from their
dispatch lists. A spam filter that merely deletes the message from the
mail folder generates no undeliverable bounce and therefore never
causes the recipient to be removed from the spammer's dispatch lists.
Spam filter companies focus on the opportunity they now have to sell
as much as possible for as much money as possible. They take no responsibility
for the quality of their solution, and in their rush they often
throw out the good with the bad.
In my case, the reason my messages were marked as spam was probably that I use a formal e-mail identity which is then forwarded to the actual e-mail address provided by my ISP. I understand many people do the same and most likely get the same result.
A worm is a computer program that was planted in your system and
that, like a computer virus, performs operations you normally would not
allow. Recently most worms are designed to send unsolicited
spam e-mail messages. Often, in an attempt to hide
the originator, these worms use your address book to fill in the
"From:" field.
SMTP stands for Simple Mail Transfer Protocol, the mechanism that
delivers e-mail messages between mail servers.
Simion Tiberiu from Cyprus, who gave me the idea.
Michael Ben-Nes from cannan.co.il, for advice about performance.
The net-tools developers, for some code ideas I took from the netstat code.
rob from bluerobot.com, for this web page layout and style.
Not too long ago I started receiving warnings from colleagues that
my e-mail messages were marked as spam by their mail filter. I assumed I was
infected by some kind of worm.
A friend of mine, who currently lives in Cyprus, told me that they have
a service which sends them an SMS whenever their credit card is
charged. This way they can make sure that the use of the card is done
by the owners.
This is exactly what warnsmtpd does. Whenever there is
SMTP activity, the user receives a warning window.
This service is designed to be used on a Linux desktop machine. I
expect the end user, yourself, to look at the warning window and identify
the reason. If you have just sent an e-mail message and the warning
window names your e-mail client, everything is fine. If, however,
the warning window appears at any other time, it is likely that a
computer worm is sending e-mail messages from your machine.