Has your PC been enslaved by a SPAMMER? The proof is in your ports!
Ask anyone today who manages a corporate network to name his or her two biggest concerns, and chances are they'll answer "spam" and "security."
You probably know that spam accounts for over 70 percent of all email -- and that it's annoying -- but you might not realize that spam is also a security problem.
Today, malicious code on thousands of innocent PCs is used to take control and send spam.
Programs that do this are called "spambots." They roam the Internet, gathering email addresses and forwarding them to spammers, who promptly use them to send infected email attachments.
Why do so many people open infected email attachments? Because the sender is usually someone listed in your address book. The message may appear to be from your boss, a relative in another part of the country, or from a friend who routinely sends you email.
An email from a friend or co-worker might say something like "I can't open the attached file. Can you?" Once you click on the attachment, the bot starts running on your computer, updating itself or downloading new malware, right under your nose.
Real attacks aren't much more ingenious than that. They don't have to be. All they need to do is get you to open a file or click on a link. Once you do, your PC becomes a drone, just waiting to do the spammer's bidding.
According to one source, less than 15 percent of the hundreds of millions of email messages that traverse the Internet daily actually originate from email servers. The rest are relayed by compromised PCs.
So how do you prevent your PC from becoming a zombie?
First, there's no question that having up-to-date anti-virus and anti-spyware software, combined with an effective personal firewall, is a good start.
Keep in mind, however, that spam involves traffic going out to the Internet from your PC, and some personal firewalls, such as the firewall that comes with Windows XP Service Pack 2, only monitor and block suspicious incoming traffic. All outgoing traffic is allowed to flow.
There's more to it than that, however. To know whether your PC has become a spammer's victim, you have to understand what ports are.
Every computer on the Internet has a unique identifier that's somewhat like a social security number. To understand ports, think of this identifier like the street address of an office building.
Each suite of offices in the office building has the same street address, but one suite may be an insurance business while another is a law office.
Clients of the law firm and customers of the insurance agency may go to the same street address, but once they're in the building, their destinations are very different.
Your computer works the same way. It may have one Internet address, but different ports listen for different services.
Port 80, for example, listens for requests from web browsers, while Port 21 listens for file transfer requests. Incoming traffic is first directed to the computer's Internet address, then it goes to the appropriate port.
To keep rogue processes from operating on your PC, you -- or your firewall -- need to monitor incoming and outgoing traffic. Only traffic originating from a legitimate program should be allowed to access the Internet.
It sounds simple, but developers of malicious code are very resourceful. That's why it's a good idea to learn how to use tools, called "port enumerators," to check what's going on behind the scenes.
For example, Windows XP provides the Netstat.exe command line utility to identify active TCP/IP ports. Executing the command "Netstat -ano" at a command prompt and comparing the results with Windows Task Manager can provide a wealth of information. Neither utility, however, is particularly user friendly.
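As an added illustration (not part of the original article), here is a short Python script that does the netstat-to-Task-Manager comparison described above on a constructed sample: it parses "netstat -ano" output, joins each connection to a PID-to-image-name map of the kind tasklist or Task Manager gives you, and flags any process with outbound connections to port 25 (SMTP) that is not a known mail client. The sample netstat output, the process names and the list of expected mail clients are constructed assumptions, not real captures.

```python
import re
from collections import Counter

# Constructed sample of "netstat -ano" output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.8:80         ESTABLISHED     2208
  TCP    192.168.1.10:1052      198.51.100.21:25       ESTABLISHED     3316
  TCP    192.168.1.10:1053      198.51.100.22:25       SYN_SENT        3316
  TCP    192.168.1.10:1054      198.51.100.23:25       SYN_SENT        3316
  UDP    0.0.0.0:137            *:*                                    4"""

# Constructed PID -> image-name map, as "tasklist" or Task Manager would show it.
TASKLIST_SAMPLE = {4: "System", 912: "svchost.exe", 2208: "iexplore.exe", 3316: "winupdt.exe"}
SMTP_PORT = 25
# Assumption: the only programs on this workstation that should talk SMTP directly.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Turn netstat -ano text into a list of dicts; header and non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows

def remote_port(addr):
    # '198.51.100.21:25' -> 25; '*:*' (UDP, no peer) -> None
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def find_smtp_senders(rows, pid_to_name, known_clients=KNOWN_MAIL_CLIENTS):
    """Map PID -> (image name, connection count) for processes with outbound TCP
    connections to port 25 whose image is not a known mail client."""
    counts = Counter(r["pid"] for r in rows
                     if r["proto"] == "TCP" and r["state"] != "LISTENING"
                     and remote_port(r["foreign"]) == SMTP_PORT)
    return {pid: (pid_to_name.get(pid, "<unknown>"), n) for pid, n in counts.items()
            if pid_to_name.get(pid, "").lower() not in known_clients}

if __name__ == "__main__":
    for pid, (name, n) in find_smtp_senders(parse_netstat(NETSTAT_SAMPLE), TASKLIST_SAMPLE).items():
        print(f"PID {pid} ({name}) has {n} outbound SMTP connection(s): investigate")
```

On a live system you would feed the script the real output of "netstat -ano" and "tasklist" instead of the constructed strings; a single unfamiliar process fanning out SMTP connections is exactly the pattern a spambot leaves.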
Foundstone.com offers a more robust version of NETSTAT, called FPORT, but it must also be executed at a command prompt.
For most users, a better alternative is to visit Sysinternals.com and download TCPVIEW and AUTORUNS, two free utilities developed by Mark Russinovich and Bryce Cogswell.
TCPView is a Windows program that shows you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000 and XP, TCPView also reports the name of the process that owns the endpoint, which is a considerable improvement over the Netstat program that ships with Windows.
AUTORUNS shows you what programs are configured to run during system bootup (or login), and in which order Windows processes them. These include programs in the Startup folder and those listed under the Registry keys Run and RunOnce. Autoruns is an enhanced version of MSConfig, the utility users of Windows 98/Me often use to get disk defragmentation to complete successfully.
Another free program from Sysinternals worth downloading is RootKitRevealer. "Rootkits" are techniques that malware, such as viruses, spyware, and trojans, use to hide their presence from spyware blockers, antivirus, and system management utilities. RootKitRevealer attempts to detect all persistent rootkits.
A great port enumeration tool can also be downloaded from PortDetective.com. Port Detective performs a remote port scan on your IP address and gives you the details about which ports are open, in use, or blocked.
In essence, Port Detective will tell you if your PC can host a web server, an FTP server, or a mail server. If your firewall is properly configured to prevent rogue servers being installed on your computer, the answer should be "no," across the board.
If Port Detective says your PC can host those services, it doesn't mean your computer is infected. It simply means vulnerabilities exist that you may want to address.
The last thing any of us wants to do is be the facilitator for putting more unsolicited junk email in other people's in-boxes.
If you start sleuthing with these utilities, but find you are unfamiliar with the names of some or all of the running processes, two helpful web sites are the Process Library, which covers all recent versions of Windows, and the Elder Geek on Windows XP.
RELATED LINKS
PortDetective.com
Sysinternals.com
Foundstone.com
The Process Library
The Elder Geek's Guide to Windows XP Services
Last updated: June 2, 2005