Sophos promises to sniff out zombie systems

Service aims to tell subscribers if their network is home to compromised PCs being used to send spam.

Munir Kotadia Special to CNET News
Antivirus specialist Sophos has launched a service that uses spam traps to find unsolicited e-mail messages originating from supposedly "protected" computers.

The ZombieAlert service uses a large number of "spam traps": mailboxes configured so they are unlikely to receive legitimate messages, Paul Ducklin, head of technology at Sophos Asia-Pacific, said. When the traps receive spam, the originating IP address of the message is looked up, and if it belongs to a ZombieAlert subscriber, Sophos informs them that one or more of their computers is being used as a spam relay. The service was introduced Wednesday.

"We endeavor to ensure that of the e-mails that enter the spam trap, there is a statistically insignificant amount of real e-mail. Everything coming in is not supposed to be there," Ducklin said.

Ducklin said that the illegitimate e-mails are traced back using their Internet Protocol address: "We have the source IP where it came from, and if that falls into a range owned by a customer on the service, then we can let them know there are illicit e-mails flowing out that they may not have noticed."
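The lookup Ducklin describes, from trap hit to source IP to subscriber range, can be shown in a few lines. The following is an added illustration, not Sophos' ZombieAlert code: the subscriber ranges, trap log and alert threshold are all constructed for the example, and the threshold (ignore a source seen only once) is an assumption added to keep the rare legitimate message out of the report.

```python
"""Match spam-trap hits against subscriber IP ranges.

Added illustration of the lookup described in the article; it is not
Sophos' ZombieAlert code. Subscriber ranges, trap hits and the alert
threshold are constructed for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical subscriber address space (constructed; documentation ranges).
SUBSCRIBERS = {
    "example-university": [ip_network("203.0.113.0/24"), ip_network("2001:db8::/32")],
    "example-isp": [ip_network("198.51.100.0/25")],
}

# Constructed spam-trap log: (trap mailbox, source IP of the SMTP connection).
TRAP_HITS = [
    ("trap1@example.net", "203.0.113.45"),
    ("trap2@example.net", "203.0.113.45"),
    ("trap3@example.net", "203.0.113.45"),
    ("trap1@example.net", "198.51.100.200"),   # outside the /25, so not a subscriber
    ("trap2@example.net", "198.51.100.7"),
    ("trap1@example.net", "192.0.2.9"),         # no subscriber owns this
    ("trap2@example.net", "not-an-ip"),         # malformed log line, skipped
]

# Minimum trap hits from one source before we alert; an assumption, chosen so
# a single stray message does not generate a report.
MIN_HITS = 2


def owner_of(ip):
    """Return the subscriber whose address range contains ip, or None."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return None  # malformed source address in the trap log
    for name, nets in SUBSCRIBERS.items():
        if any(addr in net for net in nets):
            return name
    return None


def zombie_alerts(hits, min_hits=MIN_HITS):
    """Aggregate trap hits per subscriber and source IP.

    Returns {subscriber: {source_ip: hit_count}} containing only sources
    that reached min_hits; subscribers with no such source are omitted.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for _trap, src in hits:
        owner = owner_of(src)
        if owner is None:
            continue  # not a subscriber's address; nobody to notify
        counts[owner][src] += 1
    return {
        owner: {ip: n for ip, n in ips.items() if n >= min_hits}
        for owner, ips in counts.items()
        if any(n >= min_hits for n in ips.values())
    }


if __name__ == "__main__":
    for owner, sources in zombie_alerts(TRAP_HITS).items():
        for ip, n in sources.items():
            print(f"notify {owner}: {ip} hit {n} spam traps")
```

With the constructed log, only the university is notified (203.0.113.45 hit three traps); the ISP's single hit stays below the threshold, and the two sources outside any subscriber range are dropped.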

James Turner, a security analyst at Frost & Sullivan Australia, welcomed the move, saying Sophos was taking a proactive approach.

"Now when they get a spam, it is not someone else reporting it to them, it is them--they are picking it up themselves," Turner said.

However, Turner pointed out that when a ZombieAlert subscriber is contacted by Sophos about a possible zombie, or compromised PC open to control by a hacker, that subscriber would have little option but to turn the computer off, because the existing security software had not picked up the problem.

People can't do anything about the problem until one of the vendors comes up with a clean-up tool or a definition update, he said. "Subscribers will have to weigh up the machine and the responsibility of the person using it, and then work out what to do--do they make a decision to unplug it (from the network) or not?" Turner said.

Sophos' Ducklin said the initial market for the service will be universities and Internet service providers that have lots of unregulated users.

"The obvious early adopters will be environments like universities and ISPs, who have huge amounts of Internet traffic--diverse populations that are not necessarily centrally regulated," Ducklin said.

Munir Kotadia of ZDNet Australia reported from Sydney.