Sophos on Wednesday launched the alert service, dubbed ZombieAlert, that warns business, educational, and government administrators when some of the machines on their networks turn into the walking dead. So-called "zombies" account for more than half the world's spam, said Sophos.
Tracking down zombies, however, isn't easy.
Rather than monitoring systems internally for evidence of spam zombies, Sophos analyzes the millions of messages passing through its spam traps -- sometimes called "honeypots" -- traces such spam to its originating domain and IP address, then notifies customers when one of their machines is found sending spam.
"Once we get spam, we identify who it's from -- down to the machine within a company -- contact the administrator directly and point him to where the spam's coming from," said Gregg Mastoras, a senior security analyst at Sophos.
ZombieAlert, said Mastoras, is a more flexible and less intrusive way to spot anomalous behavior than traditional traffic monitoring. "Zombie traffic isn't always consistent. It will come on for a day or two, then go away, only to come back later. And many zombie controllers purposefully run a small number of messages through each zombie, hoping to escape detection."
ZombieAlert, however, will notify an administrator at the first instance of a detected spam message coming from a network.
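The detection flow the article describes (spam landing in a trap, the connecting IP traced to a customer network, the administrator notified on the first hit) sketched as an added example; this is not Sophos's code. The customer table, the honeypot log lines and the Received-header format are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed customer table: network block -> abuse contact (hypothetical values).
CUSTOMER_NETWORKS = {
    "192.0.2.0/24": "abuse@example-university.test",
    "198.51.100.0/25": "noc@example-corp.test",
}

# Constructed honeypot receipts: "<ISO timestamp> <connecting IP>", one spam message per line.
HONEYPOT_LOG = """\
2005-03-02T08:12:01 192.0.2.45
2005-03-02T08:12:07 203.0.113.9
2005-03-02T09:40:13 192.0.2.45
2005-03-04T22:05:55 192.0.2.118
2005-03-05T01:14:30 198.51.100.7
"""

RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received_ip(header: str):
    """Return the connecting IP bracketed in a trap's Received: header, or None."""
    m = RECEIVED_RE.search(header)
    return ipaddress.ip_address(m.group(1)) if m else None

def owner_of(ip):
    """Map a source IP to the (network, contact) that owns it, or None if unknown."""
    for cidr, contact in CUSTOMER_NETWORKS.items():
        if ip in ipaddress.ip_network(cidr):
            return cidr, contact
    return None

def zombie_alerts(log: str):
    """One alert per (network, host) at first sighting; later hits only add to the count."""
    # Alerting on the first message matches the service's behaviour; the per-host
    # count shows the low, intermittent volume that a traffic threshold would miss.
    first_seen, hits = {}, defaultdict(int)
    for line in log.splitlines():
        ts, ip_s = line.split()
        owner = owner_of(ipaddress.ip_address(ip_s))
        if owner is None:  # not a customer network: no one to notify
            continue
        key = (owner[0], ip_s)
        hits[key] += 1
        first_seen.setdefault(key, (ts, owner[1]))
    return [{"network": n, "host": h, "first_seen": t, "contact": c,
             "messages": hits[(n, h)]} for (n, h), (t, c) in first_seen.items()]
```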
One beta test site, the University of Houston, called the service "a very nice add-on" to existing security defenses.
"Our traffic monitoring would catch the really bad cases," said Alan Pfeiffer-Traum, the university's enterprise system administrator. "But not the typical zombie. So we depended mostly on complaints. But this way I can say we detected the abuse through our own efforts."
Within the first two weeks of using the service, Pfeiffer-Traum was alerted to a half-dozen zombie cases, most of them involving one or two PCs each, almost all of them student systems in the university's residence halls.
"One way to tackle the problem [of spam zombies] might be to restrict outbound SMTP traffic, but that's really impossible in our situation. For the students on campus, the dorm is like their home, and they look to us as their ISP. This really fits into our process."
After he receives an alert, said Pfeiffer-Traum, he notifies support staff, who immediately disable the offending machine's (or machines') ability to send mail. Later, a tech support representative makes a house call and cleans the PC of the malicious code that made it a zombie in the first place.
ZombieAlert, which is rolling out first in North America and Australia -- later in Europe and Asia -- can be added to existing Sophos services, or purchased separately. A ball-park price, said Mastoras, is approximately $15,000 annually.