Ironing Out McAfee Software Woes

Thursday, January 19, 2012 @ 04:01 PM gHale

McAfee is narrowing down its problem with a service in its SaaS Endpoint Protection software that is allowing computers to serve as open proxies for sending spam, company officials said.

“We are aware of the issue and have both threat analytics and development teams diligently analyzing the problem and possible solutions,” the company said in a statement. “We will have more information on the issue shortly.”


McAfee customers first reported the problem on the Web complaining email providers were blocking their emails and their IP addresses ended up blacklisted for sending spam.

The problem appears to be in the RumorServer Service (myAgtSvc.exe, the McAfee Peer Distribution Service), which is part of the McAfee SaaS Endpoint Protection Suite, previously known as Total Protection Service, according to the Kaamar Blog. The technology, used to deliver updates to computers that lack a direct Internet connection, acts as an open proxy on port 6515. That effectively lets spammers relay mail through the computer to other sites, so the spam appears to originate from that computer's IP address, the blog post said.

The Kaamar blog first noticed a problem on January 4, when an email came back undelivered with the message “Our system has detected an unusual rate of unsolicited mail originating from your IP address.”

“Our Windows 2008 server was one of the computers affected. We first realized there was a problem on the 4th January 2012 when an email was returned undelivered with the message: ‘Our system has detected an unusual rate of unsolicited mail originating from your IP address. To protect our users from spam, mail sent from your IP address has been blocked,’” the blog post said. “On checking through our mail logs, we also noticed that an earlier email sent 2nd January had been delayed with a message saying our IP was on the spamhaus/cbl list as being infected with a Trojan spambot.”

The Kaamar blog site was able to stop the traffic on January 5 but received a warning from its ISP that the site was nearing its monthly traffic limit after only a few days. The problem, which appeared to start December 31, 2011, caused the site to receive the equivalent of 10 months of normal traffic in a single day, according to the post. Meanwhile, the site's IP addresses ended up on several public blacklists for spamming activity.

Mr.HinkyDink’s UT Blog reported finding nearly 1,900 IP addresses serving as open proxies running the McAfee software since December 1, 2011.

The Kaamar blog has instructions for checking to see if a computer has the problem and how to protect it until McAfee fixes the problem.
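The article above says the update service listens as an open proxy on port 6515 and that the Kaamar blog describes how to check a computer. The script below is an added example of such a check written for this page; it is not the Kaamar blog's procedure and not McAfee code. It parses `netstat -an` output (a constructed Windows-style sample is embedded, and it also runs against the local host's real `netstat` when available) and flags any TCP listener on port 6515 bound to a wildcard or non-loopback address, since only those are reachable by outside senders. A second helper performs a live TCP connect to confirm whether something is actually accepting connections on that port. The port number and service name come from the article; everything else (function names, the sample output, the `192.0.2.10` and `198.51.100.7` addresses) is an assumption constructed for the example.

```python
import re
import socket
import subprocess
from typing import Dict, List, Tuple

RUMOR_PORT = 6515  # port named in the article for the RumorServer/Peer Distribution service

# Constructed sample of `netstat -an` output on a Windows host (not real data).
# It mixes a wildcard IPv4 bind, a loopback-only bind, a wildcard IPv6 bind,
# an established connection and a UDP socket so every branch below is exercised.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:6515         0.0.0.0:0              LISTENING
  TCP    [::]:6515              [::]:0                 LISTENING
  TCP    192.0.2.10:6515        198.51.100.7:41022     ESTABLISHED
  UDP    0.0.0.0:6515           *:*
"""

# One netstat row: proto, local address, foreign address, optional state (UDP has none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_host_port(addr: str) -> Tuple[str, int]:
    """Split 'host:port' or '[v6]:port' on the last colon."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def _is_loopback(host: str) -> bool:
    """Loopback-only binds cannot be reached by other hosts."""
    h = host.strip("[]")
    return h.startswith("127.") or h == "::1"


def find_listeners(netstat_text: str, port: int = RUMOR_PORT) -> List[Dict]:
    """Return every TCP LISTENING socket on `port`, marking those reachable from outside."""
    found = []
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, blank line, or anything that is not a socket row
        proto, local, _remote, state = m.groups()
        if proto != "TCP" or state != "LISTENING":
            continue
        host, lport = _split_host_port(local)
        if lport != port:
            continue
        found.append({"local": local, "exposed": not _is_loopback(host)})
    return found


def exposed_listeners(netstat_text: str, port: int = RUMOR_PORT) -> List[str]:
    """Local addresses on `port` that a remote spammer could connect to."""
    return [f["local"] for f in find_listeners(netstat_text, port) if f["exposed"]]


def port_accepts_connections(host: str = "127.0.0.1", port: int = RUMOR_PORT,
                             timeout: float = 1.0) -> bool:
    """Live check: does anything accept a TCP connection on host:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def self_check() -> Tuple[bool, bool]:
    """Prove the live probe works using a throwaway listener on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = port_accepts_connections("127.0.0.1", port)
    srv.close()
    after_close = port_accepts_connections("127.0.0.1", port)
    return while_listening, after_close  # expected (True, False)


if __name__ == "__main__":
    print("Sample netstat, exposed 6515 listeners:", exposed_listeners(SAMPLE_NETSTAT))
    try:
        live = subprocess.run(["netstat", "-an"], capture_output=True,
                              text=True, check=True).stdout
        print("This host:", exposed_listeners(live) or "no exposed 6515 listener")
    except (OSError, subprocess.CalledProcessError):
        print("netstat not available on this host")
    print("Live probe of 127.0.0.1:6515:", port_accepts_connections())
```

A listener bound only to `127.0.0.1` or `::1` is not the exposure the article describes; the wildcard binds (`0.0.0.0`, `[::]`) are the ones an outside sender can reach. Until the patch the McAfee spokesperson mentions is installed, blocking inbound TCP 6515 at the host or perimeter firewall is one interim measure (my suggestion, not a claim about what the Kaamar blog recommends), and re-running the netstat check afterwards confirms the listener is no longer reachable.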

A McAfee public spokesperson said “this only affects SaaS, and a patch is forthcoming as soon as it clears testing,” which is expected this week.
