
Security : Windows : spamMonitor

spamMonitor is a small program that detects whether your computer is sending spam, for example after a virus/rootkit infection. It displays an alert each time an outgoing SMTP connection is established from your PC and gives you the details of that connection (program, PID, remote IP...).
Written entirely in assembly language, it is fast, small (only 20 Kb) and requires very little system resources. It is free, distributed under the GNU GPL, and its source code is available for download.


Latest version : v0.20 (10-09-2008)



Setup :

spamMonitor needs only one file to run : spammon.exe
You can install it wherever you want. Unlike most Windows applications, it does not mess with your system: it doesn't modify the registry, it will not add yet-one-more-icon on your desktop and you don't even need to reboot after setup! When running, it only creates a log file, c:\spammon.log, where all outgoing SMTP connections are logged.

Uninstall :

To uninstall it, just delete spammon.exe and its logfile.

Running it :

When you run it, spamMonitor will display a small dialogbox in the lower right corner of the screen :




Click [OK] to minimise it to the systray (notification area). Its icon shows that it is active and running in the background, monitoring all outgoing connections :

If you want to restore the dialogbox, click on its icon and select [Open] :




Important : after running it for the first time, it is a good idea to test it : simply use your favorite email software to send an email.


Detections and alerts :

When spamMonitor detects an outgoing SMTP* connection, its dialogbox pops up and it plays an alert sound :

It displays in the top listbox all active outgoing SMTP* connections and in the lower one all closed connections.
In the active connections listbox, it displays the name of the application, the remote IP address and the connection state. In the closed connections listbox, it also displays the time the connection was established (or detected).

*SMTP (Simple Mail Transfer Protocol) is the protocol used to send an email by connecting to the port 25 of a remote server.
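
The same check can be reproduced by hand from the output of `netstat -ano`. The following is an added example, not spamMonitor's own code and not a description of how spammon.asm detects connections: it assumes English-locale `netstat` output, and the sample rows and addresses are constructed.

```python
import re

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1800
  TCP    192.168.1.10:49712     203.0.113.25:25        ESTABLISHED     4321
  TCP    192.168.1.10:49713     198.51.100.7:443       ESTABLISHED     2044
  TCP    192.168.1.10:49720     203.0.113.80:25        SYN_SENT        4321
  TCP    192.168.1.10:25        192.168.1.77:50122     ESTABLISHED     1800
  TCP    192.168.1.10:49731     198.51.100.9:2525      TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    712
"""

# Greedy \S+ backtracks to the last colon, so bracketed IPv6 addresses also parse.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
SMTP_PORT = 25

def outgoing_smtp(netstat_text):
    """Return one dict per TCP row whose *remote* port is 25."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, UDP rows (no State column)
        _local_ip, local_port, remote_ip, remote_port, state, pid = m.groups()
        # A local listener on port 25 or an inbound client is not outgoing mail.
        if state == "LISTENING" or int(remote_port) != SMTP_PORT:
            continue
        hits.append({"pid": int(pid), "remote_ip": remote_ip,
                     "state": state, "local_port": int(local_port)})
    return hits

def group_by_pid(hits):
    """Map PID -> sorted distinct remote IPs, to spot one process fanning out."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["pid"], set()).add(h["remote_ip"])
    return {pid: sorted(ips) for pid, ips in grouped.items()}

if __name__ == "__main__":
    for pid, ips in group_by_pid(outgoing_smtp(SAMPLE)).items():
        print(f"PID {pid} -> port {SMTP_PORT} on {', '.join(ips)}")
```

On a live machine, pass the text printed by `netstat -ano` to `outgoing_smtp()` and look up the reported PID in Task Manager.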


Log file :

For each alert/detection, all the information is also logged to a file : c:\spammon.log. You can read it at any time by clicking on [View] :

The log file includes all the information described above, as well as the program's PID. This is the Process ID, which you can also find using Windows Task Manager (taskmgr.exe) and which can be useful for locating nasty apps/viruses/rootkits that try to hide themselves behind randomly generated names, etc.
Note that each time you start spamMonitor, it will erase the previous log file if there is one.




Killing a suspicious program :

[Kill !] allows you to immediately stop a program that is listed in the "Active STMP connections" window.
If you suspect a malicious program of sending spam, select it in the list and click the button :

Warning : as the name says, the [Kill !] option doesn't leave any chance to the selected program, so think twice before using it !

spamMonitor will inform you if it has successfully killed the program :




Various options :

The checkbox in the lower left corner lets you deactivate the built-in alert and replace it with a simple system beep :




Download :

 

  • spamMonitor v0.20 (10-09-2008) : spammon.zip - 23 Ko
    - Compatibility : Windows XP, XP + SP1, XP + SP2, Vista, Windows 7, Windows Server 2003 & 2008
    - License : GPL

  • Source code : spammon_020_src.zip - 27 Ko ( view spammon.asm )
    - Language : Assembler (Tasm32 needed for compilation)