McAfee is investigating a problem in its SaaS Endpoint Protection software that allows computers to serve as open proxies for spam, according to a recent statement from a company representative: “We are aware of the issues and have both threat analytics and development teams diligently analyzing the problem and possible solutions. We will have more information on the issue shortly.”
A PR representative from the company said that she was trying to acquire more details on the situation but was unable to disclose any further information. The problem was first discovered by McAfee customers, who complained online that their emails were being blocked by various email providers and that their IP addresses were being blacklisted for sending spam.
The problem appears to stem from the RumorServer Service (myAgtSvc.exe), the McAfee Peer Distribution Service, which is part of the company’s SaaS Endpoint Protection Suite. The technology, which is used to deliver updates to users without a direct internet connection, operates as an open proxy on port 6515, which essentially lets outside parties relay spam through the computer.
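A host can be checked for the exposure described above from its TCP connection table. The following is an added example, not code from McAfee or from the original article: it parses constructed Windows `netstat -ano` output and reports listeners on port 6515 bound to non-loopback addresses, clients connecting from outside the assumed internal ranges, and outbound SMTP sessions owned by the listening process. `INTERNAL_NETS`, the sample addresses and the PID are assumptions.

```python
import ipaddress

PROXY_PORT = 6515  # port the article names for the peer distribution service
# Assumption: ranges treated as "inside"; adjust to the site's own addressing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of Windows `netstat -ano` output (documentation addresses).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING       1432
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1020
  TCP    [::]:6515              [::]:0                 LISTENING       1432
  TCP    192.0.2.10:6515        203.0.113.7:51234      ESTABLISHED     1432
  TCP    192.0.2.10:6515        10.0.0.8:49822         ESTABLISHED     1432
  TCP    192.0.2.10:49901       198.51.100.25:25       ESTABLISHED     1432
"""

def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[::]:80' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def is_internal(ip):
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def audit(netstat_text, port=PROXY_PORT):
    """Report exposure of `port`: listeners, outside clients, outbound SMTP."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":  # skips the header and UDP rows
            rows.append((*split_endpoint(f[1]), *split_endpoint(f[2]), f[3], int(f[4])))
    # Listeners bound to anything other than loopback are reachable from the network.
    listeners = [(str(lip), pid) for lip, lport, _, _, state, pid in rows
                 if state == "LISTENING" and lport == port and not lip.is_loopback]
    pids = {pid for _, pid in listeners}
    # Peers connected to the proxy port from outside the internal ranges.
    clients = sorted({str(rip) for _, lport, rip, _, state, _ in rows
                      if state == "ESTABLISHED" and lport == port and not is_internal(rip)})
    # Mail sessions opened by the same process that owns the listener.
    smtp = sorted({str(rip) for _, _, rip, rport, state, pid in rows
                   if state == "ESTABLISHED" and rport == 25 and pid in pids})
    return {"exposed_listeners": listeners, "outside_clients": clients,
            "outbound_smtp": smtp}

if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT))
```

A non-empty `outside_clients` list together with `outbound_smtp` entries from the same PID matches the symptom customers reported; an exposed listener alone indicates the port should be blocked at the perimeter until the patch is installed.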
One victim of the attack was the Kramer Blog, which first detected the problem in early January when email was returned undelivered with a message stating, “Our system has detected an unusual rate of unsolicited mail originating from your IP address.”
According to the Kramer Blog, “Our Windows 2008 server was one of the computers affected. We first realized there was a problem on the 4th January 2012 when an email was returned undelivered with the message: ‘Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked.’ On checking through our mail logs, we also noticed that an earlier email sent 2nd January 2012 had been delayed with a message saying our IP was on the Spamhaus/CBL list as being infected with a trojan spambot.”
McAfee is currently developing and refining a patch that will stop these spam messages from being responded to on port 6515. The patch will be distributed through updates over the course of the week and will show up as 5.2.3 patch 4.
Source: ZDNet – McAfee software allows spam for hijacked PCs