
Am I a Spam Zombie?

Cliff posted more than 9 years ago | from the how-can-you-know-for-sure dept.

Spam 160

ReallyCurious asks: "Recently, I've noticed a lot of junk email in my inbox reporting 'Mail delivery failure' or 'Undeliverable'. Some of these had documents attached, so I figured this was just a worm variant. But these messages keep coming. I worry that my machine has been turned into a 'Spam Zombie'. I don't see any suspicious processes running, but maybe it only runs for a few seconds, and at irregular times. I run a Windows 98 laptop, sometimes wirelessly connected to broadband (a few hours a day, on average), but I had to remove my virus software years ago because it was locking my system up, so I'm wide open. I've tried to be a good citizen and have been shopping for new virus software, but prices are running $40-$70, and most of these are just for upgrades (not even counting the mandatory 'subscriptions')! Is there an open or free virus fighting solution that's reliable and available for Windows? I'd be happy to run it ASAP."


160 comments


Well... (4, Informative)

hookedup (630460) | more than 9 years ago | (#10137227)

It may not be your system spewing out spam, but simply someone spoofing your domain.. happens to me every once in a while

Re:Well... (1)

hookedup (630460) | more than 9 years ago | (#10137242)

Oh yeah, click here for a free antivirus app: http://www.grisoft.com/us/us_index.php

Re:Well... (0)

Anonymous Coward | more than 9 years ago | (#10137258)

Get some coffee....here [grisoft.com] for it

Re:Well... (2, Informative)

tooth (111958) | more than 9 years ago | (#10137294)

Yeap, AVG [grisoft.com] does a good job. It's certainly better than nothing.

Also try the no cost version of Zone Alarm [zonelabs.com] .

These are basic and no cost bits of software I run on my parents machines (and Firefox ;-) ... Though I'd love to buy them a mac one day :)

Re:Well... (1)

SiliconJesus (1407) | more than 9 years ago | (#10137406)

Agreed - I've been running it at home for about a year and a half. AVG is a good AV with regular updates. Don't forget to update often.

Re:Well... (1)

hackwrench (573697) | more than 9 years ago | (#10137834)

The license is a little bit weird though. 2. You may install and use only one copy of the Software for single home or non-commercial organization computer protection only, irrespective of the number of times you download the Software or the number of licenses you purport to accept. 3. You may not use the Software on a network or more than one PC. If your house has more than one computer, I guess you're out of luck. Also, they don't define network, but the internet is a network, and somehow I don't think they really mean that you can't use it on your internet connected computer. It'd be practically useless otherwise. Anybody got an opinion on whether or not sneakernet is actually a network?

bottom line (0)

Anonymous Coward | more than 9 years ago | (#10137919)

no, you aren't a spam relay. configure your smtp servers and domain names with spf and you will reduce but not end the spam being spoofed from your email address.

Another option: (1)

BrokenHalo (565198) | more than 9 years ago | (#10140241)

He could try simply deleting Lookout! Express and replacing it with some less vulnerable mail client. The majority of the viruses I've seen involve that horrible package in one way or another, and ditching it removes at least part of the problem.

Re:Well... (3, Insightful)

walt-sjc (145127) | more than 9 years ago | (#10137324)

Exactly. Email worms and spammers frequently forge the sender. The problem is clueless mail administrators that configure their mail relays to accept mail to anyone (even unknown users) and then generate a bounce message when it can't be delivered (user unknown...). All scanning (spam and AV) and user verification really needs to be performed at initial SMTP reception and not after the fact.

Unfortunately, older versions of Exchange are stupid in this respect, and accept pretty much anything. I believe you even have to specifically configure the newer versions of exchange too to behave correctly (someone correct me if I'm wrong here... I no longer use exchange, just read about how 2003 works...)

IMHO, if you are running an older version of exchange without a good Unix relay in front of it that can do all this validation and scanning for you, you are a big part of the problem.
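To make the accept-then-bounce problem described above concrete, here is an added toy SMTP receiver (constructed for this thread, not code from any real MTA) that can run in either mode; the domain, mailbox list and client session are all made up.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.net"           # constructed: the domain this toy receiver serves
VALID_USERS = {"alice", "bob"}          # constructed: mailboxes that actually exist


@dataclass
class Receiver:
    reject_at_rcpt: bool                 # True: validate during RCPT TO; False: accept now, bounce later
    responses: list = field(default_factory=list)
    bounces: list = field(default_factory=list)   # backscatter this receiver would have to send
    sender: str = ""
    rcpts: list = field(default_factory=list)     # recipients accepted for the current message
    in_data: bool = False
    body: list = field(default_factory=list)

    def reply(self, text):
        self.responses.append(text)
        return text

    def feed(self, line):
        """Process one client line; returns the server reply ('' while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self.end_of_message()
            self.body.append(line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self.reply(f"250 {LOCAL_DOMAIN}")
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip(" <>")
            self.rcpts, self.body = [], []
            return self.reply("250 2.1.0 Sender ok")
        if verb == "RCPT":
            return self.rcpt(arg.split(":", 1)[1].strip(" <>"))
        if verb == "DATA":
            if not self.rcpts:
                return self.reply("554 5.5.1 No valid recipients")
            self.in_data = True
            return self.reply("354 End data with <CR><LF>.<CR><LF>")
        if verb == "QUIT":
            return self.reply("221 2.0.0 Bye")
        return self.reply("500 5.5.2 Command unrecognized")

    def rcpt(self, address):
        user, _, domain = address.rpartition("@")
        if domain.lower() != LOCAL_DOMAIN:
            # Never relay for foreign domains, whichever mode we are in.
            return self.reply(f"554 5.7.1 <{address}>: Relay access denied")
        if user not in VALID_USERS and self.reject_at_rcpt:
            # The sending MTA learns of the failure right now; we never generate a bounce.
            return self.reply(f"550 5.1.1 <{address}>: User unknown")
        self.rcpts.append(address)
        return self.reply("250 2.1.5 Recipient ok")

    def end_of_message(self):
        for address in self.rcpts:
            if address.rpartition("@")[0] not in VALID_USERS:
                # Accepted earlier, so the only way left to report failure is a bounce to the
                # envelope sender, which for spam and worms is a forged, innocent address.
                self.bounces.append({"to": self.sender, "failed": address})
        return self.reply("250 2.0.0 Queued")


def run_session(reject_at_rcpt, client_lines):
    """Drive a receiver through a scripted client session and return it for inspection."""
    r = Receiver(reject_at_rcpt)
    for line in client_lines:
        r.feed(line)
    return r


# Constructed session: forged envelope sender, one nonexistent and one real recipient.
SPAM_SESSION = [
    "HELO zombie.example",
    "MAIL FROM:<victim@example.org>",
    "RCPT TO:<nobody@example.net>",
    "RCPT TO:<alice@example.net>",
    "DATA",
    "Subject: junk",
    "",
    "buy stuff",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    print("accept-then-bounce backscatter:", run_session(False, SPAM_SESSION).bounces)
    print("reject-at-RCPT backscatter:   ", run_session(True, SPAM_SESSION).bounces)
```

The lax receiver mails a bounce to the forged victim@example.org; the strict one answers 550 during the transaction and produces no backscatter at all.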

qmail as well (1)

devphil (51341) | more than 9 years ago | (#10139817)


("Frequently"? They always forge the sender. Anyhow...)

I really like qmail, but it does have the braindead design of accepting mail, then processing it. (For reasons of efficiency or something; it's supposed to be a feature.)

The folks at LinuxMagic make a replacement [linuxmagic.com] that's a bitch to get working, but does all kinds of checking during the SMTP transaction, like valid user checking, virus scanning, etc. You're supposed to be able to plug in arbitrary checkers, but I never got around to trying. The valid-user checking alone is worth it. (They have a funny logo, too.)

Re:qmail as well (1)

brunson (91995) | more than 9 years ago | (#10140870)

Postfix has a load of builtin capabilities to do RBL and RHSRBL checks and other cool stuff before accepting a mail message.

Check it out.

Re:Well... (3, Informative)

sheddd (592499) | more than 9 years ago | (#10139825)

Instructions on how to do recipient filtering w/exchange:

Here [asp.net] and here [msexchange.org]

(btw filtering is off by default)

Re:Well... (1)

stevesliva (648202) | more than 9 years ago | (#10140933)

Yup, if you use your undisguised hotmail address on every one of your slashdot postings-- hypothetically, of course--you will see many bounce notices that dutifully land in your hotmail junk mail folder, using up your meager 2MB quota 40KB at a time.

Re:Well... (1)

Domini (103836) | more than 9 years ago | (#10137337)

Yup, this is just spoofing... don't give it a second thought.

Most probably some virus/worm somewhere.

I just got a bounce message today where I allegedly sent a message to someone that bounced. Strange thing is, it was sent from a dormant e-mail of mine which is not configured anywhere in any of my local programs and is only an old 'official' contact on the web. (A mail alias on my domain...)

So I would not worry.

I'm running this XP box, with SP 4 (Using Kerio Personal Firewall 2.1.5 instead of Windows's one) as well as having the latest updated Norton Internet Security running and scanning all my outgoing mail for me. Then I have also bought AdAware SE, and I KNOW I'm clean. (And my other boxes are Apple and Linux... and not configured for mail...)

And, Oh please, don't post any more queries until you have a Real OS installed.

Re:Well... (1)

AvitarX (172628) | more than 9 years ago | (#10137421)

> Yup, this is just spoofing... don't give it a second thought.

I would give it a second thought, it is likely someone you have had an email correspondence with and can therefore warn.

The best bet is to find out what virus it is (scan the email). And tracert the originating IP address. This should give you the ISP and maybe a state. Look up the virus to find the file names it creates and tell your family/friends that match the ISP/location to search for the file.

Most Virii can be removed by deleting a registry key, rebooting, and killing one file.

Re:Well... (2, Informative)

Anonymous Coward | more than 9 years ago | (#10137881)

As he said, the email address is inactive, but is displayed on the web. Spammers don't just look on the web for email addresses to spam, but also addresses to spoof spam from. The only connection he had with the spammer was an http connection for 1/2 a second.

Re:Well... (1)

AvitarX (172628) | more than 9 years ago | (#10138241)

You're right, I was looking at it as a virus email receiving problem and not a spam one.

With a little bit of thought, someone without a large web presence can find out who is the infected computer sending them virus email relatively easily.

Spam zombies tend to be people you don't know though.

Re:Well... (1)

kyhwana (18093) | more than 9 years ago | (#10137438)

SP4 for XP? WOW!
Are you from the future? ;)

Re:Well... (2, Informative)

Idealius (688975) | more than 9 years ago | (#10137961)

The story submitter is worried about his machine, not someone else's, and if he wants to be sure he has no spyware on his system he should use HijackThis by Merijn:

http://www.spywareinfo.com/~merijn/ (official site, down ATM)

http://www.tomcoyote.org/hjt/

Many popular anti-spyware forums accept posting a HijackThis log their HijackThis expert members can examine and advise you on. (e.g. The LavaSoft AdAware forums allow this but they require you post an AdAware log first :)

Anyway, HijackThis is fairly manual as far as you need to know what you're doing to use it properly. However, if spyware is on your system it will be in a HijackThis scan result as it shows your computer's startup programs/services (legitimate or otherwise) in all known places they exist on your computer.

Also, removing persistent spyware can get complicated using anything and this applies to HijackThis, too.

I suggest you use Process Explorer to aid you if you're ever in this situation:

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

The common approach for persistent spyware is to have 3+ processes running on your system, one that actually performs the spyware function and the other two which monitor the spyware process and each other. With Process Explorer you can suspend processes that monitor other dummy processes that all make sure you A. Don't remove their startup entries and B. Don't try and terminate the spyware's running processes. They don't monitor whether their buddies are suspended, though, so you can just suspend all of them after you've identified them, end them all, then remove the HijackThis entries now that the spyware startup entries aren't protected anymore. :)

There's also the 'Find Handle' feature which can be useful as some old methods of startup can run processes so they are a subset of Explorer rather than a separate process name in Task Manager > Processes tab. This is also a good way to find spyware DLLs.

Anyway, as a technician, that's what I would do. Learning HijackThis and Process Explorer allow you to tune up a computer like you would a car.

Re:Well... (1)

Wingit (98136) | more than 9 years ago | (#10138374)

Good recommendation on running a Real OS Domini, but you are running XP SP4? I am impressed. You are not just running a real OS, but actually running a future OS. Kudos!

Re:Well... (0)

Anonymous Coward | more than 9 years ago | (#10137420)

Usually real undeliverable messages include a lot of information and not just a subject, a short body and an infected attachment.

It is most likely another system that is infected and spoofed the "to" and "from" addresses.

here is an example of body of a real delivery failure:

Failed to deliver to 'prova2341241233@domain'
SMTP module(domain blabla.domain) reports:
host mailhost.somedomain says:
550 5.1.1 ... User unknown

Reporting-MTA: dns; domain

Original-Recipient: rfc822;
Final-Recipient: rfc822;
Action: failed
Status: 5.0.0

Received: from [192.168.1.1] (HELO [192.168.2.1])
by domain
with ESMTP id 0300320 for prova2341241233@domain; Thu, 02 Sep 2004 14:09:21 +0200
Message-ID:
Date: Thu, 02 Sep 2004 14:09:24 +0200
From: me
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803
X-Accept-Language: en-us, en, ja
MIME-Version: 1.0
To: prova2341241233@domain
Subject: dsf
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
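As an added illustration (not code from the thread), this Python checks a raw message for the delivery-status fields a real non-delivery report carries, flags attachment types a bounce has no reason to carry, and pulls the origin IP out of the echoed Received header; both sample messages and all addresses are constructed.

```python
import email
import re

# Fields a real non-delivery report (delivery-status part) carries; fake bounces usually lack them.
DSN_FIELD_RE = re.compile(
    r"^(Reporting-MTA|Final-Recipient|Original-Recipient|Action|Status|Diagnostic-Code):[ \t]*(.*)$",
    re.MULTILINE,
)
RECEIVED_IP_RE = re.compile(r"^Received: from \[?([0-9]{1,3}(?:\.[0-9]{1,3}){3})", re.MULTILINE)
# Attachment types a bounce has no business carrying; worms ride on fake bounces this way.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def dsn_fields(raw):
    """Collect delivery-status fields (first occurrence of each) from the raw message text."""
    fields = {}
    for name, value in DSN_FIELD_RE.findall(raw):
        fields.setdefault(name, value.strip())
    return fields


def attachment_names(raw):
    """Filenames of every MIME part that declares itself an attachment."""
    msg = email.message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def received_origin(raw):
    """IP address in the first Received header of the echoed original message, if any."""
    m = RECEIVED_IP_RE.search(raw)
    return m.group(1) if m else None


def classify(raw):
    """Heuristic only: DSN fields present and no risky attachment is treated as a genuine report."""
    fields = dsn_fields(raw)
    attachments = attachment_names(raw)
    complete = all(k in fields for k in ("Reporting-MTA", "Action", "Status"))
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    verdict = "genuine-dsn" if complete and not risky else "suspect-bounce"
    return {"verdict": verdict, "fields": fields, "attachments": attachments,
            "origin_ip": received_origin(raw)}


# Constructed sample shaped like the real delivery failure quoted in the comment above.
GENUINE = """\
From: MAILER-DAEMON@example.net
To: me@example.org
Subject: Delivery failure
Content-Type: text/plain

Failed to deliver to 'nobody@example.net'
host mail.example.net says:
550 5.1.1 ... User unknown

Reporting-MTA: dns; mail.example.net
Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

Received: from [192.0.2.10] (HELO [192.0.2.10]) by mail.example.net with ESMTP id CONSTRUCTED1
From: me@example.org
To: nobody@example.net
Subject: hello
"""

# Constructed sample of the worm-style "bounce": short body, no DSN fields, an archive attached.
FAKE = """\
From: postmaster@example.org
To: me@example.org
Subject: Mail delivery failure
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered. Details are attached.

--b1
Content-Type: application/octet-stream; name="details.zip"
Content-Disposition: attachment; filename="details.zip"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, classify(raw))
```

The origin IP is what the later comment about checking the Received header is after: on a forged bounce it points at whoever really injected the mail, not at you.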

Re:Well... (0)

Anonymous Coward | more than 9 years ago | (#10138036)

This is the worst Ask Slashdot ever. Good god... now the "news for nerds, stuff that matters" has turned into "tech help for the completely incapable newbies"?

Not necessarily (1)

SpaceLifeForm (228190) | more than 9 years ago | (#10137232)

Most of those are forged to look like bounces.

No (4, Insightful)

sa3 (628661) | more than 9 years ago | (#10137234)

The bounces you're getting are from other spam using you as the From address. Spam sent from your machine would have random addresses not necessarily your own. But you might still have a trojan running that could be used to send spam so you should check.

Why? (3, Insightful)

Anonymous Coward | more than 9 years ago | (#10137236)

What makes you think you're going to get delivery failures for outgoing spam? If you're a spam zombie, I doubt it is going out with your email in the from: field.

eh (2, Insightful)

doofusclam (528746) | more than 9 years ago | (#10137238)

Why not run a free firewall and watch for any alerts that something is trying to connect to the internet? Zonealarm will do fine.

If you're a bit more techie you can use winpcap or similar to capture the traffic.

There's no excuse to be wide open. You'll soon do something about it when your ISP wakes up to the problem and cuts you off. I appreciate how people can get caught inadvertently by malware (I was hosting a trojan for a few hours last week in between upgrades) but I don't appreciate you leaving it this long, then asking Slashdot when it's plainly obvious what you need to do.

Cheers.

Re:eh (1)

oKtosiTe (793555) | more than 9 years ago | (#10137253)

He's not the one infected, and thus shouldn't have anything blamed on him.

Re:eh (1)

doofusclam (528746) | more than 9 years ago | (#10137566)

But they've stated they're running an insecure and unsupported OS without any protection. That's asking for trouble and bad netiquette (horrible word...)

It won't take an hour to at least load up Zonealarm, Ad-Aware, Spybot and run a free virus check on www.ravantivirus.com, so there's no excuse.

You're not infected (2, Interesting)

oKtosiTe (793555) | more than 9 years ago | (#10137240)

I've been having the same, and I know for a fact I'm not infected. This is just another worm.

You should be fine. (4, Informative)

FrenZon (65408) | more than 9 years ago | (#10137244)

Most likely your email address is getting used as the return address and little more - the returned mail thing affects everyone to some degree. If you were being used as a spam zombie, you'd probably not notice any change in returned mails, as the zombies generally use someone else's address again as the return addy. I'm fairly sure the return addresses aren't always randomised, as on my domains I see a bucketload of spam all from the same email address, so whoever lives there must be getting a bucketful of bounces.

Still, you really should get an antivirus solution to ease your worries. I use AVG from Grisoft [grisoft.com] , which is available in a free edition.

Of course, the bounces are plain annoying - when I get ACTUAL bounces from mail I send, I often delete them based on subject line, not realising that the person I was trying to contact is none the wiser. Booo

Re:You should be fine. (1)

theonetruekeebler (60888) | more than 9 years ago | (#10139919)

My e-mail address, keebler@mindspring.com [mailto], has been around since 1994, and was very often used unobscured during those early years. It is quite well known to spammers and is often used as a forged header. My father recently received an ActiveX virus sent using my address in the "From:" field. He was suspicious, as I know how to spell and form sentences like a native English speaker, and don't send him attachments other than amusing .jpegs.

But I'm scared of my more technically naive mother getting zapped this way, so I will probably have to retire that address. I resent that very much.

Early retirement (1)

Jouni (178730) | more than 9 years ago | (#10140516)

Dude,

you just published your address on SlashDot as a mailto link. :) Talk about shooting yourself in the foot...

Jouni

Re:Early retirement (2, Insightful)

theonetruekeebler (60888) | more than 9 years ago | (#10140828)

Dude, Given my current valid/invalid ratio is below .01 already, any mail bombs will just be bouncing the rubble.

ultimate firewall (3, Funny)

cuiousyellow (89995) | more than 9 years ago | (#10137247)

The poster sounds like a good candidate for MJR's ultimately secure firewall [216.239.39.104] .

Try Zonealarm [zonelabs.com] ?

Re:ultimate firewall (1)

silverfuck (743326) | more than 9 years ago | (#10137339)

The poster sounds like a good candidate for MJR's ultimately secure firewall.

The poster is "wirelessly connected", you dolt! ;-)

Try Zonealarm?

That's more like it. Or better yet, Kerio Personal Firewall [kerio.com] .

Re: OT (1)

E_elven (600520) | more than 9 years ago | (#10140949)

You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...

You know, that used to be "You know you've been MUDding too long when.."

Good god (-1, Flamebait)

Finni (23475) | more than 9 years ago | (#10137250)

In a word, yes. You are a spam zombie. Or possibly Typhoid Mary. Your Windows OS is 6 years old at this point. No wonder, you're too cheap to purchase AV software, which (for several years) has been the cost of entry to be a responsible Windows user. Yes, there is free AV software available for Windows. Ask Google. I don't have any first-hand experience with them myself, so I can't recommend any specific ones. Personally, I run Symantec Corporate Edition.

You're an idiot. (1)

Ayanami Rei (621112) | more than 9 years ago | (#10137943)

Bounce messages are completely non-indicative of spam zombie status. I would bet my entire life savings that his email address is in the list of fake addresses that various mailer worms or spam programs use as the fake "From:" header. Sometimes those lists are automagically pulled from internet searches. So that way he gets inundated with bounce messages, not the spammer.

He probably just used his email address online once, or sent email to someone who's infected. Now his email address is seen as a good deflection target.

I should know. I get tons of emails like this on various accounts that I've used on message boards or mailing lists.

The one way to know if you're a zombie bot (without doing a scan for rogue software) is when you seem to be uploading a lot of data, or have lots of bursty system activity for no discernible reason.

Not so idiotic (1)

theonetruekeebler (60888) | more than 9 years ago | (#10139689)

Windows (and other reasonably complex OSs) often get very busy for reasons difficult to discern. My old, crap laptop gets all but frozen when it starts swapping in earnest, or during dramatic GC sweeps. I've learned when to expect these, though.

Also, my DSL modem has a "WAN" light, but nothing to say what's coming in vs going out. Turning logging on demonstrated that nearly all unaccountable activity was incoming probes, and I breathed easier. I also helped more than one sysadmin/netadmin identify zombies on their own networks, but it took some learnin' to see what probes were harmless vs those that were malicious. You're absolutely right about bounce messages---a brief "View Sources" against the headers, particularly the Received-From header, usually shows their origin being very far away from me.

OMG (2, Informative)

cL0h (624108) | more than 9 years ago | (#10137254)

You're running Windows 98 with no virus software. I'm surprised you can use the machine at all. I constantly get requests from people to clean up their Win98 machines. They are usually riddled with spyware, trojans and diallers. Don't bother with new antivirus. Get a new operating system.

Re:OMG (1)

BrokenHalo (565198) | more than 9 years ago | (#10140365)

Indeed. Running Win98 is just asking for trouble.

OK, I realise not everybody is savvy enough to set up, or want to set up, any kind of *nix alternative (Macs included) but if he wishes to pursue proprietary solutions, he should at least consider more recent offerings from MS than excreta from six years ago.

maybe... (4, Informative)

johnjones (14274) | more than 9 years ago | (#10137259)

ok if you run windows you need a virus checker

are you a home user ?
if so

http://free.grisoft.com/freeweb.php/doc/2/ [grisoft.com]

and get avg for free
Now you need a firewall

http://www.free-firewall.org/ [free-firewall.org]

then I would advise getting rid of spyware with spybot
donate something to the project if you like it...

http://www.safer-networking.org/en/download/ [safer-networking.org]


regards

John Jones

Re:maybe... (1)

Überhund (27591) | more than 9 years ago | (#10137517)

I'll second the motion for AVG anti-virus.

Re:maybe... (0)

Anonymous Coward | more than 9 years ago | (#10137737)

All in favor...

maybe not. (3, Informative)

gl4ss (559668) | more than 9 years ago | (#10137261)

but if you're running a win98 without firewalling/serious tweaking.. ..you're probably owned or at least at risk. though in all fairness there are probably some other spammers who just happen to use your mail add as the sender.

go with FREE solutions, they exist.

http://www.free-av.com/ free virus scanning [free-av.com]

http://www.free-firewall.org/ some free firewalling [free-firewall.org]

Re:maybe not. (2, Insightful)

mbourgon (186257) | more than 9 years ago | (#10139526)

Why is he owned if he uses 98? My impression has been that 98 is _safer_ - WinNT/2k/XP all have all these fun services that can be exploited, where 98 doesn't. Granted, if you run IE or the like all bets are off.

Or is there something I'm missing?

Re:maybe not. (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10140219)

Definitely something you're missing. Wanna try paying attention to the world around you?

Another stupid ask slashdot (-1, Flamebait)

Sandman1971 (516283) | more than 9 years ago | (#10137268)

Another stupid ask slashdot that is easily answered by a simple google search. Searching for free antivirus software windows [google.ca] brings up many choices, the first being AVG, one of the best antivirus around. How lazy do you have to be not to search google? People like this don't deserve to use the net.

Re:Another stupid ask slashdot (5, Insightful)

feidaykin (158035) | more than 9 years ago | (#10137311)

Elitist attitudes like this are always amusing to me... Requests for this guy to search google don't answer his question... He wants to know what we, a group of tech savvy folk, recommend. It's harder for google to answer that directly than a simple ask slashdot. To all the moaners out there, stop reading Ask Slashdot or just stop reading the site altogether. Questions like these are how people learn, and serve as a starting point for discussion here.

We should never insult folks for asking "stupid" questions, but rather admire the courage it took to ask.

Re:Another stupid ask slashdot (0)

RealityMogul (663835) | more than 9 years ago | (#10137403)

Courage? It's posted from ReallyCurious, who doesn't have an e-mail address apparently, and who doesn't seem to have a Slashdot account. It's not exactly courageous to post a message anonymously.

Aside from that, this discussion topic is really lame for Slashdot. This is a board, for techies, am I right? What's wrong with assuming that a member of this site should be capable of finding such simple answers somewhere else. Is this site going to become News for Nerds, Free Tech Support for everyone else?

Re:Another stupid ask slashdot (1)

marktwen0 (650117) | more than 9 years ago | (#10137681)

Whatever...I found the topic interesting, and the replies gave me useful information that I'll use to secure my gf's (and my) machines. Sorry if all regular slashdot readers aren't Uber-geeky enough to pass the coolness criterion. ;-) BTW, don't be put off by my high /. UID--I lost my first PW along the way, and don't know how to fix it. Oh, do you remember when Linux was still on comp.os.minix? I do.

Re:Another stupid ask slashdot (1)

RealityMogul (663835) | more than 9 years ago | (#10138323)

I don't know when Linux was on comp.os.minix, so I can't very well tell you if I remember that time frame. Maybe it was back in the good ol' days when I was running my own BBS! BTW, geek pissing contests are always lame, but I win =P

Re:Another stupid ask slashdot (1)

IvoryRing (1708) | more than 9 years ago | (#10140701)

As in the world of trucks (there is always someone with a bigger one), on Slashdot there is always someone with a lower ID, and among geeks there is always someone older that was running flight simulations on a slide rule. Wait... is that what you meant by geek pissing contests or were you talking about golden showers?

Re:Another stupid ask slashdot (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10137825)

> This is a board, for techies
> a member of this site should be capable of finding ... answers somewhere else

Hey Dickless, I am a biology nerd. I can whip up a nice gene therapy cocktail that will make your penis glow in the dark. But until reading this thread I didn't have a clue about how to secure my old Windows machine against viruses.
So get off your high-horse, get over yourself, and start playing nice or nobody will want to play with you.

Re:Another stupid ask slashdot (1)

hoggoth (414195) | more than 9 years ago | (#10138066)

> gene therapy cocktail that will make your penis glow in the dark

Ummmm, where can I get some of that? I think it would impress the ladies.

Re:Another stupid ask slashdot (1)

KingPrad (518495) | more than 9 years ago | (#10138238)

I agree. This one is an okay question. However that question from the guy who couldn't figure out how to block the light from an LED was outrageously stupid. A good proportion of these Ask Slashdot questions are rather dumb, so I can sympathize with this guy's response.

Re:Another stupid ask slashdot (1)

Blakey Rat (99501) | more than 9 years ago | (#10140041)

There's a difference between:

"Are there any free virus scanners?"

And:

"Which free virus scanners do you recommend?"

If this guy had spent even 5 seconds on Google, he'd KNOW there are free virus scanners for Windows all over the place. The first entire page of results for "free virus scanner" are all free virus scanners for Windows.

This guy just didn't put in any effort at all.

For the record, I recommend AVG Antivirus and Sygate Personal Firewall. ZoneAlarm might look pretty, but it's hard to configure and has some incompatibilities.

We get the same thing all the time... (2, Interesting)

Anti_Climax (447121) | more than 9 years ago | (#10137301)

We get bounces to the support address at the company I work at all the time. Someone has decided to use our support address as the 'from:' address in their crappy spam. Anytime they send it to a non-existent address, we get the bounce. Our system is updated and locked down, so they aren't coming from us, but YMMV.

Either way, I'd suggest running that address through a spam block of some kind to filter out the crud or just give it up entirely if you can.

Yes (2, Informative)

noselasd (594905) | more than 9 years ago | (#10137310)

antivir [free-av.com] seems to work ok,
and is updated afaik.
Spyware removal software [lavasoft.com] is obligatory on windows as well.

Re:Yes (1)

Oncogene (708031) | more than 9 years ago | (#10137330)

Shoot, you just beat me to it. Curses! Foiled again!

Antivir has saved my computer in the past, and I would have no problems relying on it in the future. They update about as often as Symantec releases updates, which is impressive (and consoling).

I don't get it.... (5, Insightful)

Apreche (239272) | more than 9 years ago | (#10137331)

OK. I'm a dual booting guy. Obviously my linux, which I use mostly, has no problems. However, my windows install also has no problems. I only got a virus once ever because after a clean XP install a worm got to me before I got to windowsupdate.

The point is that you do NOT need anti-virus software. Anti-virus anti-spyware software should be used only to cleanup already busted systems. Your system cannot be infected if you take proper care to prevent it. Even if you are running windows on a cable modem all day.

1) NEVER download an e-mail attachment.
2) Use Firefox instead of IE.
3) Use Thunderbird instead of Outlook
4) Do NOT visit untrustworthy websites
5) Do NOT download any software from the internet and install it. Even if it looks trusty from tucows or download.com, do a google search to see if it is spyware first.
6) Have a firewall like zone alarm or sygate, or better have another computer between you and the net with a firewall on it. Or have a hardware firewall. Proper network level security keeps the worms out almost guaranteed.
7) If you have wireless lock it down. You don't want a drive by person to start sending spam out your pipe.
8) DO get all the windows updates that are security fixes. The ones that aren't security fixes you can choose to get or not get at your own discretion.

If you do those things then there is almost no way you can get hit. It's really that simple. And if you DO get hit, it's usually easier to re-install due to the degrading nature of windows. Any windows install, even a clean one, falls apart over time. The registry fills with more and more junk. Improperly uninstalled apps leave files behind here and there. Hidden variables change and are not changed back. Even the cleanest installs seem to last at most 18 to 24 months except in very controlled business environments.

Don't pay for anti-virus software, it's a ripoff. Just re-install and then take proper preventative measures so it doesn't happen again.

Re:I don't get it.... (1)

obeythefist (719316) | more than 9 years ago | (#10137587)

If I might amend that a little because they are all good points but missing something:

0) Do not run Windows 98. This is the year 2004. Windows 98 was released 6 years ago. Microsoft have released three (3!) major desktop operating system revisions since then. If you thought MS was bad for security now, try and remember what they were like 6 years ago!

If you won't pay for Windows XP, I am certain that you can get a free operating system that will do all the things you can do with your Windows 98 install. You've managed to make it to "Ask Slashdot" once, I am sure someone here knows of some kind of free OS you can use.

There are some benefits to A/V software, especially because the system is a laptop and therefore may plug directly into a foreign network and therefore be exposed to all manner of nasties. As mentioned many times before, AVG is free, not a ripoff, and very good quality software.

Re:I don't get it.... (5, Insightful)

R2.0 (532027) | more than 9 years ago | (#10138127)

"Microsoft have released three (3!) major desktop operating system revisions since then"

Windows ME: Oh, it was major, alright - a major failure. The "Upgrade" path at the time was to revert back to 98SE.

Windows 2000: Remember, this was marketed as "not for home use". That was what ME was for. 2000 wouldn't support many legacy apps.

So there has really only been 1 major desktop OS revision that is relevant, and given XP's poor rep, there are plenty of reasons not to upgrade.

Also, the comparison between then and now isn't valid. A large number of the exploits now target services in 2000 & XP that 98 doesn't have.

98 certainly isn't state of the art, but I don't know that I'd call 2000 or XP that either. Your most compelling argument seems to be "98 is OLD!!"

BFD.

Hint for installing Windows XP... (1)

Ayanami Rei (621112) | more than 9 years ago | (#10138044)

This is really important for those of you who do a clean install of XP and don't want to get 0wn3d in the process:

0) Prerequisites: XP Professional w/Corporate Volume License (you can actually derive this from an XP Home CD, a text editor and a CD Burner, exactly how this is done is left as an exercise for the reader)
1) Install XP disconnected from the Internet. Use the CVL key to bypass the need to register XP on the internet.
--- Alternatively, you can just do a phone registration without a standard retail XP... they're available like 24-7.
2) When you get to the point where they talk about network settings, make sure to go enable the Internet Connection Firewall on any adapters you have.
3) Finish the installation, reboot.
4) Double check in Network Connections that your adapters have that little lock on them.
5) Put computer back on network/Connect to internet
6) Run windows update.
7) Reboot (if required)
8) Return to step 6 (if required)
9) Only at this point would you consider removing the ICF. But you don't have to unless you need to, or you get a better, 3rd party firewall to take its place.

Or just install XP Service Pack 2 slipstreamed. This will have ICF enabled by default (as it should be).

Almost right (2, Interesting)

Mycroft_514 (701676) | more than 9 years ago | (#10138529)

Except for the part about degradation of the registry. Look, I've got systems that are running Win 98SE and even 2 still running Win 95.

One of the Win 95 machines has been running for 7 YEARS without having to reload the OS. I have swapped hardware in and out, and changed drivers. The last time the OS was changed was when I put the 6 Gig drive in (1997) and I needed to upgrade from Win 95 ver B to ver C (B didn't support drives that big).

One of the Win 98 machines is now 4 years old, with no reloads, the other is only about 18 months old.

I run them all now on a router with a hardware firewall. The 95 machine is hardwired, the 98s are Wi-Fi. Cable modem coming out the other end. There is NO anti-virus software installed, though adaware still runs on them every so often. I did install all the patches from MS.

Oh, and one more item of security for your Wi-fi system. Put passwords on your disk drives. You can teach all the other machines in your network to remember the passwords, but joe drive by can not access the drives if he breaks thru the first layer of security. Like anything else, he will go somewhere else where it is easier to get thru.

Re:I don't get it.... (2, Interesting)

Godeke (32895) | more than 9 years ago | (#10139168)

Insufficient. If you hook Windows directly up to broadband to get WindowsUpdate running, you have a good chance of being infected before you are patched. Software firewalls don't block everything, so Step 6 is insufficient, unless you have a machine proxying, NATting firewall or a true firewall. Even then you put a vulnerable machine on your local network, which may have unpleasant surprises in store for you.

A better option is for step 8 to become: get all Windows updates and security fixes ON CD, because otherwise you expose your machine prior to lockdown. Likewise, turn off unneeded services (you don't need to be sharing files and printers, why the heck would you leave the SMB server running?) prior to connecting to a network.

Yet, even with all that you end up with the problem of vulnerabilities that are not patched prior to the exploit being generally available. Yes, using alternate programs and avoiding untrustworthy websites sounds good, until you make a typo and end up at an untrustworthy site by accident. (Or shall we decree the typo a death penalty offense). I recently saw a typo site trying to exploit the Firefox 1.9.2 vulnerability to install adware (which didn't work since I was on Linux as I am right now, but they tried...)

In the end, perhaps having a virus scanner in memory to detect things that get through all your other work might be wise. Otherwise that high and mighty "almost no way you can get hit" will bite you back when the almost part comes true and you don't even know it happened. Remember: security is about defense in depth and a big ego provides little depth.

I personally don't care for anti-virus software (it is a little late in the cycle for my taste), but to avoid using it on the corporate networks I care for would be gross negligence on my part, opening me up to potential legal liability. Suddenly $22 a machine a year looks pretty good, even as I take all the other steps to avoid needing it in the first place.

Just some clarification (1)

Gary Destruction (683101) | more than 9 years ago | (#10139569)

NEVER download an email attachment.
Then how are you supposed to open it? People do send legitimate attachments.

Do NOT visit untrustworthy sites
What exactly is a trustworthy site these days? Javascript and even HTML have been used to download malicious code. Even well known and respected sites have been affected.

Proper network level security keeps the worms out almost guaranteed.
Worms yes, because they infect networks. But viruses and trojan horses infect machines.

-Do beware of emails with single word subjects from people that you do not know.
-Do beware of emails with double file extensions on their attachments i.e. .doc.pif
-Do beware of malicious code that can spread via filesharing, instant messaging and IRC.
-Turn off unnecessary services
-Run as a restricted user if possible if you are using NT or a variant of NT such as Windows 2000 or XP.
-A virus scanner is still recommended because it's better to be safe than sorry

Re:I don't get it.... (1)

Solder Fumes (797270) | more than 9 years ago | (#10139917)

Unfortunately Firefox isn't the cure-all for avoiding web viruses. I haven't had a virus on a machine for years, but just last week a site somehow opened Internet Explorer from Firefox and thus installed some dialers and crap.

Re:I don't get it.... (1)

IvoryRing (1708) | more than 9 years ago | (#10140510)

While I agree that careful, aware, regularly updated wetware can avoid most of the bad problems, I have to take issue with a few of your points (understand this isn't to nitpick just to nitpick, but to point out that absolutes like this aren't realistic):

1) While you may be happy using email strictly as an ASCII text communications method, many people are not. Specifically, for Average NonTechie Joe to Average Techie Joe, an email attachment is simply the easiest way to get a file from A to B anywhere further than across the office. While it is true that 'never download an email attachment' can be useful as a method of blocking certain infection vectors, the fact is that for many people, this is equivalent to 'fundamentally break email'.

2) While I agree that almost anything would be better than IE, if you really want to go whole hog and avoid the chance of infection, don't you think lynx is better than Firefox? Seriously, I'd phrase this bit simply as 'anything other than IE is better than IE from the standpoint of avoiding infections'.

3) There are many MUAs, and the situation is similar to above - nearly anything is better than Outlook/OutlookExpress. Ideally using an MUA that has no scripting available anywhere as an option would be even better - note that from an infection standpoint, I'd say Pine may be a better choice than Thunderbird for this reason.

4) Aside from a website that I've created, and the website for my OS vendor (they already own me anyway) and my browser vendor (they already own me anyway), how do I determine that a site is untrustworthy (or the reverse - trustworthy, hence safe to visit) BEFORE I visit it? Honest answer: you can't.

5) So I'll be ordering the Foxfire/Thunderbird/Mozilla CD online using what? IE? And of course I'll never download anything from windowsupdate.microsoft.com. I'm sure you don't mean that only Tucows and download.com can have suspect software, right?

6) And in order to compare zone alarm and sygate I'll buy both via phone or BestBuy and test them out and then just throw away the one I don't use. I've really got to take exception to your last bit on this item - the concept that network level security will keep you safe from infection (NOT what you stated, but what Average NonTech Joe could easily infer from what you did state), is exactly the kind of attitude I have to fight nearly every week at work. Proper network level security does indeed close ONE of many possible vectors for infection. Unfortunately when you say 'guaranteed' some non-trivial portion of the non-techs out there are going to think 'Ok, I can relax now and do whatever I want'. Realistically, for the Average NonTech Joe, I'd just go with the hardware firewall/router/accesscontrol/etc [almost none of them are technically firewalls, even though many of us use that term].

7) Easier said than done. While this is certainly critical to do, and when done right can be transparent, the last time I did this for someone (6 months ago) it was decidedly in the category of 'easy if you know how, but way too easy for a non-tech to break everything during the process'.

8) Aside from the contradiction with #5 (unless you really think a MSDN subscription is appropriate for home users, or that home users are really going to order patches on CD from MS), there can be landmines here (recentish examples: EULA changes, new vectors opened up by the use of newer versions of Windows Media Player, patches that break your system -- not rampant problems, but they do crop up from time to time) . At some level, for the Average NonTech Joe, the simplest practical approach is to just install everything from windowsupdate and cross your fingers that you don't get burned. There isn't a trivial way to know when it is safe to install windowsupdate patches and when it isn't; and mostly the security patches do more good than harm. The hard part is that not everything that says 'Security Patch' really is limited to just that, and not everything that doesn't say 'Security Patch' will be security neutral.

The point of all this? Mainly that there aren't really 5 (8, 12, whatever) simple rules that can keep you safe. There are complex rules that can keep you safe if you understand the implications and are willing to work with the tradeoffs that they imply.

Also, by the by, I agree with your assessment that 1.5-2 yrs between 'clean wipe and fresh install' is a fair guideline.

Is AV software a ripoff? No. I think it is a tool which may or may not live up to someone's expectations, but often can serve a valuable role. Is AV software required to keep from getting infected? No. Will having AV software generally reduce your risk of getting infected if you can't/won't ALWAYS make the 'sanitary' choices? Yep. For some people, through ignorance of exactly the right steps, through lack of 100% diligence, through a genuine need to do actions that might be somewhat risky, the cost of an AV subscription at $30-45/yr is a small price to pay for the real benefit they get.

It's somewhat like saying "umbrellas are a ripoff because I will air dry when I get wet". That might be true for you, but there are plenty of people that feel that owning an umbrella (or several even) is worthwhile.

Free virus software is out there. (2, Informative)

ScepticOne (576266) | more than 9 years ago | (#10137347)

http://www.clamwin.net/ [clamwin.net] is an allegedly good antivirus program.

Also, http://www.spybot.info/ [spybot.info] has been alleged to be a good antispyware program.

Most likely a 'Joe-Job'...Ask your ISP about SPF (5, Informative)

rthille (8526) | more than 9 years ago | (#10137366)

Since the SMTP protocol doesn't have any authentication of the sender (except within an ISP/Domain with SMTP-AUTH), it's easy for a spammer/virus to send mail pretending to be you. That's called a 'joe-job' after one of the early occurrences of it.
A recently proposed solution (though not without it's problems) is SPF (Sender Policy Framework) http://spf.pobox.com/ [pobox.com] where a domain owner can publish the list of servers which are authorized to send mail as being from a user of their domain.
Until it's widely deployed, not just on the publishing side, but on the checking side, it won't be real useful. However it's nearly trivial for the DNS owner to publish the records and since big ISPs like AOL and Yahoo are starting to check them it does protect you from being Joe-Jobbed to a large number of mailboxes.
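How a receiving mail server evaluates a published SPF record against the connecting IP, as an added example that is not part of rthille's post and not code from the SPF project: the domain names, TXT records and addresses below are constructed from documentation ranges, the DNS lookup is an injected dictionary so the code runs offline, and only the ip4, ip6, include and all mechanisms are implemented (a, mx, ptr, exists and the redirect/exp modifiers are skipped).

```python
"""Minimal SPF (v=spf1) evaluator: a domain publishes which servers may send
mail for it, and a receiver checks the connecting IP against that list.
Example code, not the SPF project's implementation."""
import ipaddress

# Constructed sample DNS data (assumed values): domain -> SPF TXT record.
SAMPLE_TXT = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 include:mailhost.example ~all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt_lookup, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip`.

    `txt_lookup(domain)` returns the domain's SPF TXT record or None.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                      # RFC 7208 caps recursive include processing
        return "permerror"
    record = txt_lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                   # no SPF policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"                 # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True              # "all" always matches; its qualifier decides
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed address in the published record
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(ip, arg, txt_lookup, depth + 1)
            if inner == "pass":
                matched = True          # only a "pass" from the included domain matches
            elif inner in ("none", "permerror"):
                return "permerror"
        else:
            continue                    # unsupported mechanism or modifier: skip
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end of the record without a match


if __name__ == "__main__":
    for sender_ip, dom in [("192.0.2.55", "example.net"),
                           ("198.51.100.10", "example.net"),
                           ("203.0.113.9", "example.net"),
                           ("203.0.113.9", "mailhost.example")]:
        print(sender_ip, dom, "->", check_host(sender_ip, dom, SAMPLE_TXT.get))
```

The third case is the joe-job scenario: a zombie on 203.0.113.9 claims to be example.net, no published mechanism matches, and the "~all" tail yields "softfail", which a checking receiver can use to discard or tag the message instead of bouncing it to the forged sender. Swap the dictionary for a real TXT lookup to evaluate live records.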

"Friends" (1)

mwvdlee (775178) | more than 9 years ago | (#10137380)

Most likely it just means you have a lot of dumb friends.

To simplify; their systems get infected or hijacked and your e-mail address appears in their address books so the trojan/virus abuses your email address.

Amazing nobody has mentioned it (1)

WSSA (27914) | more than 9 years ago | (#10137383)

These authentic looking bounce messages have attachments that you're going to open, right? Don't do it! That's the payload that delivers the trojan/worm.

Question: Am I a spam zombie (1, Insightful)

PhysicsGenius (565228) | more than 9 years ago | (#10137388)

Answer: You are running Windows98 unprotected.

So...duh.

AVG (1)

kyhwana (18093) | more than 9 years ago | (#10137411)

AVG [grisoft.com] works pretty well, i've found. I used it on all the machines that came in when I used to work at a computer shop and it caught pretty much all of them.

I run it on my windows systems at home, too.
So consider this as another vote for AVG. :)

You should probably also consider a firewall, there are couple of free ones out there, including Zone Alarm and so on.

Housecall (2, Interesting)

jgaynor (205453) | more than 9 years ago | (#10137595)

Bah. I'm surprised no one has mentioned housecall yet:

http://housecall.antivirus.com [antivirus.com]

Housecall is a web-based virus scanner that, since it is loaded anew every time, always has the latest virus definitions. Since it installs nothing but temporary cache files, you don't have to worry about it slowing down your machine.

Because of the nature of the application it can't always clean the offending virii/malware, but it will at least alert you to their presence and give you their names so that you can manually remove them. When combined with stinger [nai.com] , spybot [safer-networking.org] and google [google.com] it's an excellent choice for on-site calls to machines without AV or for your old boxen that just can't afford the extra cycles for full-time AV bloat.

If you prefer to do the offline thing, try the Knoppix anti-virus distribution [oreillynet.com] (weak link I know). Once again it isn't a permanently installed application and since the OS isn't running it can slap down bugs before they're loaded into memory.

Cheers!

Re:Housecall (2, Interesting)

Anonymous Coward | more than 9 years ago | (#10137884)

(Posting AC so I don't undo my mods)

I've used housecall a few times to scan some machines. It works pretty well, and since it's web based you don't have to install anything. The downside is that it's for IE only so it may not be an option for some (hopefully many).

For offline scanning, I'll repeat the numerous recommendations for Grisoft's AVG free scanner
http://www.grisoft.com/us/us_index.php
After testing it on a few machines, we're planning to purchase the server edition to scan all incoming email before it even hits the inbox.

With apologies for /.-ing them (1)

dpilot (134227) | more than 9 years ago | (#10137955)

Most of the posts haven't really been answering the question. Most of the posts have been helpful advice about how to stop being a spam-zombie, but haven't been answering whether or not he currently is one.

With apologies, because the connection I just made to them was a bit slow, there are:
http://openrbl.org/
http://moensted.dk/spam/
http://www.dnsstuff.com/tools/ip4r.ch

Unfortunately my domain is in there, because it really refers to my ISP-assigned IP, and their whole block is listed.

A good firewall is as important as antivirus (1)

ahrenritter (187622) | more than 9 years ago | (#10138586)

Everyone else already said you most likely aren't infected, but if your machine is totally unsecured, the first thing I'd recommend is getting a good software firewall installed and running. There are many different products out there with prices varying from free to darn expensive. I'll let someone else link to them for Karma. :)
If you practice reasonably safe internet usage (e.g. not opening attachments you aren't expecting, not visiting websites from random links, not visiting shady websites) then your chances of catching a worm or virus drop to a comfortably low percentage if you have a solid firewall blocking all unnecessary incoming and outgoing traffic.

From there you can find a reasonable free antivirus that you can run once a week or use it to examine any attachments that you do feel you need to open.

Look at the Received-From headers (1)

kalidasa (577403) | more than 9 years ago | (#10139033)

If the originating ip address matches your ISP, there's a good chance, though as others here have said, most of the time, these bounces are from spam that uses one address from its mailing list for the "TO" header and another for the "FROM" header.

NEVER run Windows without solid anti-virus. If something on your machine is interfering with the anti-virus, fix your machine until anti-virus runs. If your anti-virus interferes with something else, don't run that something else. Seriously. It's that dangerous. Being used for spamming is the least of your potential problems.
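Triage of one of those bounce messages, as an added example that is not code from any of the posts above: it follows kalidasa's advice to read the Received: trail of the bounced original and compare the originating IP against your ISP's netblock, builds the reversed-octet query name that the DNS blacklists dpilot lists expect, and flags attachments with the double extensions Gary Destruction and WSSA warn about. The bounce text, the ISP netblock and the blacklist zone name dnsbl.example are constructed placeholders using documentation address ranges.

```python
"""Triage a 'Mail delivery failure' bounce: did the original leave *my* network?
Example code written for this thread, not from any of the posters."""
import email
import ipaddress
import re
from email import policy

# Constructed sample bounce (assumed): a non-delivery report wrapping the original
# as message/rfc822, the way most mail servers build them. Addresses are from
# documentation ranges; 203.0.113.77 plays the role of a DSL customer's box.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: victim@example.net
Subject: Mail delivery failure
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

The message could not be delivered.
--B
Content-Type: message/rfc822

Received: from mx.example.org (mx.example.org [198.51.100.5])
    by inbound.example.org with ESMTP; Tue, 31 Aug 2004 10:02:11 -0400
Received: from dsl-home (dsl-home.isp.example [203.0.113.77])
    by mx.example.org with SMTP; Tue, 31 Aug 2004 10:02:09 -0400
From: victim@example.net
To: someone@example.org
Subject: hi
Content-Type: multipart/mixed; boundary="C"

--C
Content-Type: text/plain

see attached
--C
Content-Type: application/octet-stream; name="document.doc.pif"
Content-Disposition: attachment; filename="document.doc.pif"

not really a file
--C--

--B--
"""

IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F.:]+)\]")
# Extensions Windows will execute; a double extension like .doc.pif hides them.
EXECUTABLE_EXT = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js"}


def received_ips(msg):
    """IPs from every Received: header, most recent hop first, including the
    headers of an embedded message/rfc822 original (walk() descends into it)."""
    ips = []
    for part in msg.walk():
        for hdr in part.get_all("Received", []):
            m = IP_IN_BRACKETS.search(hdr)
            if m:
                ips.append(m.group(1))
    return ips


def originating_ip(msg):
    """Each relay prepends its Received: line, so the last one is the first hop."""
    ips = received_ips(msg)
    return ips[-1] if ips else None


def in_netblocks(ip, netblocks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in netblocks)


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the octets under the list zone; an A record
    answer (conventionally 127.0.0.x) means the address is listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only the IPv4 naming convention is shown here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def suspicious_attachments(msg):
    """Attachment names with a double extension or an executable extension.
    Heuristic: legitimate names like archive.tar.gz are also flagged."""
    names = []
    for part in msg.walk():
        fn = part.get_filename()
        if not fn:
            continue
        pieces = fn.lower().rsplit(".", 2)          # 'document.doc.pif' -> 3 pieces
        if len(pieces) == 3 or "." + pieces[-1] in EXECUTABLE_EXT:
            names.append(fn)
    return names


def triage(raw_bounce, my_netblocks, dnsbl_zone="dnsbl.example"):
    """Summarise what the bounce says about the original message's origin."""
    msg = email.message_from_string(raw_bounce, policy=policy.default)
    ip = originating_ip(msg)
    return {
        "origin_ip": ip,
        "from_my_isp": bool(ip) and in_netblocks(ip, my_netblocks),
        "dnsbl_query": dnsbl_query_name(ip, dnsbl_zone) if ip else None,
        "suspicious_attachments": suspicious_attachments(msg),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BOUNCE, ["203.0.113.0/24"]))
```

A first hop inside your ISP's range is only a lead, not proof, since a neighbour on the same block may be the zombie, and a bounce whose original carries a .pif attachment is itself the infection attempt, regardless of where it claims to come from. Resolving the returned dnsbl_query name with an ordinary DNS lookup tells you whether that address is already on a blacklist, which is what the sites dpilot lists do for you.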

You are being irresponsible (2, Informative)

Bob Cat - NYMPHS (313647) | more than 9 years ago | (#10139297)

You are doing nothing to stop your PC from being abused because you can't find free as in beer software?

Adaware SE Personal www.lavasoft.de
Zone Alarm Firewall www.zonelabs.com
F-Prot Antivirus www.f-prot.com

All commercial products free for personal use.

Now, install those and stop the spammers, please.
Keep your definitions updated, okay?

Not necessarily (1)

BadluckShleprock (654660) | more than 9 years ago | (#10139381)

Some trojans use the zombie's address book as a source for spoofed names. For example, let's say you e-mail George W. Bush a lot and president@whitehouse.gov is in your address book. You pick up a trojan somehow and it will find that address and use it as the "From" address when sending out the spam/virus. Bounce messages will go to president@whitehouse.gov.

Are you feeling zombified?

McAfee VirusScan 8.0 free or nearly free (1)

lingorob (563531) | more than 9 years ago | (#10139617)

Right now Amazon, OfficeMax, CompUsa, Staples, Circuit City, and TigerDirect all have this commercial product for free or almost free. This is not uncommon. I actually just got a free upgrade to Norton from Outpost last week. I haven't tried the Grisoft free stuff.

Cheap anti-virus software (0)

Anonymous Coward | more than 9 years ago | (#10139769)

A good way to get cheap anti-virus software is to buy LAST YEAR'S version from eBay. I recently bought Norton Systemworks 2003 (which includes Norton Antivirus) from eBay for $10 (including shipping). It was the real deal, not some pirated or used version. The software comes with one year of free virus updates. Since virus updates cost more than $10 per year, I think I'll just buy the 2004 version next year to get another year of free updates. Make sure you buy from a reputable dealer since there are a lot of pirated copies floating around, and who knows if they haven't been pre-infected before you buy!

If you don't have or use a firewall already, you need one for sure. The one built into WinXP SP2 is decent. You should also be running anti-spyware software like Spybot and Ad-Aware. Also turn on automatic updates so you will always have the latest OS patches. And switching to Mozilla instead of using IE is a great idea for security.

The five pillars of Windows PC security (for home users) are firewall, antivirus, removing spyware, automatic updates, and Mozilla. Do those five things, and your computer is likely to be very secure. Or at least someone else's computer will be a more appealing target!

If you find your computer is infected with many pieces of spyware and viruses, you may be better off just formatting your drive and reinstalling everything. Sometimes it's the only way to get all that junk off there.

No anti-virus software? Then stay off the net! (2, Insightful)

fmaxwell (249001) | more than 9 years ago | (#10140211)

I run a Windows 98 laptop, sometimes wirelessly connected to broadband (a few hours a day, on average), but I had to remove my virus software years ago because it was locking my system up, so I'm wide open. I've tried to be a good citizen and have been shopping for new virus software, but prices are running $40-$70, and most of these are just for upgrades (not even counting the mandatory 'subscriptions')!

If you have a Windows 98 machine with no anti-virus software, then stay off of the Internet. Period. You have no right to endanger and inconvenience others just because you're too cheap/poor to buy anti-virus software and too computer-illiterate to type "free antivirus software" into Google (hint).

It reminds me of someone with 20/200 vision operating a car without glasses because glasses cost too much. "Oops! Sorry about your poodle! Didn't mean to run over your kid; sorry. Uh oh, hit another parked car."

Not necessarily (3, Informative)

renehollan (138013) | more than 9 years ago | (#10140307)

While running Win98 naked is about as wise as, well, running naked, this may not be the source of those bounce messages. IOW, by themselves they do not indicate that your box is a spam zombie.

I get boatloads of these things, as well as spam (filtering is your friend) -- my email address is fairly public and in a lot of address books. I'm not about to abandon it as it's within a domain I lease.

I run behind a fairly hardened firewall, and am moving toward a Linux iptables-based firewall/router/home server.

What ticks me off is when such a message bounce indicates that the original message contained a virus. How dare someone accuse me of sending a virus just because their mail daemon received a spoofed From: header? They could at least check the route the mail took against that header to get an idea if it's bogus. But, often automatic spam/virus filters are pretty stupid and trust the From: address. Still, I wonder if someone, somewhere, "out there" is blacklisting me because someone else forged my identity. Sounds like a defamation suit if I could find the bastards.

And that's the rub. Often when I've received such bounces, when the originator can be identified, they refuse to help in providing a copy of the original email, headers intact, that might permit tracking down the source: either a spammer, or a spam-zombie. I wonder if I could successfully file "theft of computer services" charges against such an organization: they're sending me unsolicited bounces, and furthermore, refusing to back up the allegation that they're bouncing messages from me. I wonder if the anti-spam legislation that's out there can be used as a club against those who send bounces to spoofed From: addresses and refuse to acknowledge or correct their mistake.

here's a list (1)

rakerman (409507) | more than 9 years ago | (#10140341)

Windows Security Software [akerman.ca]

I've used AVG. Some people prefer AntiVir.

Housecall (1)

EnglishTim (9662) | more than 9 years ago | (#10140392)

I've never found virus programs to be worth it - if a new worm comes out, they are rarely quick enough to update and in the meantime they always seem to really slow down your computer.

Instead, I run a web-based antivirus program (http://housecall.antivirus.com/ [antivirus.com] ) about once a month.

Obviously I also take other precautions - only connect to the internet via a NAT router, never open email attachments, etcetera but Housecall is good, and it's free.

Free anti-virus software (up to 1 year trial) (1)

waynegoode (758645) | more than 9 years ago | (#10140405)

As part of Windows XP SP2, Microsoft is offering free trials [microsoft.com] of various anti-virus products: Norton, McAfee, CA, etc. You don't have to upgrade to XP SP2 to qualify.

This was mentioned on /. a while back, but /. search is down and I couldn't find it quickly on Google.

AVG free (1)

chivo243 (808298) | more than 9 years ago | (#10140421)

Try AVG free virus software. Much more lightweight than McAfee or Norton.... Good luck.

Re:AVG free (1)

Synic (14430) | more than 9 years ago | (#10141439)

AVG is okay, but I prefer Avast! (and it integrates with several IM and P2P programs).

A great free solution for you. (1)

Mordant (138460) | more than 9 years ago | (#10140824)

Try this [linux.org] .

Heh (1, Informative)

itwerx (165526) | more than 9 years ago | (#10141649)

If you're running Windows 98 with no antivirus and you're posting a question like this on Ask Slashdot, then yes, you are a spam zombie...

(Okay, mod me flamebait now, it was worth it! :)

Spoof. (1)

Raven42rac (448205) | more than 9 years ago | (#10141888)

Spoofage, I get these all the time, just look at the headers. NEXT!

Just stoppit! (1)

rawg (23000) | more than 9 years ago | (#10142587)


Stop Using Microsoft Products!
