Update: the patch for the spam issue is now rolling out to customers, and everyone should have the update shortly.
McAfee is promising to patch a vulnerability in its SaaS Total Protection anti-malware service, pitched as a "peace of mind" solution offering "complete email and web protection", after it was found that a flaw within the software was being exploited by spammers to relay their unsolicited messages from users' machines.
The problem was exposed earlier this week in a blog post by British art firm Kaamar Limited, which complained that its e-mails were being blocked by e-mail providers and that its IP addresses had appeared on blacklists for sending spam.
Apparently McAfee's "Rumor" service, a peer-to-peer file-sharing technology that is part of the anti-malware suite and is used to distribute security updates within an internal network, allows inbound Internet connections and serves as an open proxy on port 6515, which spammers used to bounce e-mails as if they were coming from that machine. The Rumor service appears to install itself even when not required, and although it can be disabled using Windows' administrative tools, it is restarted by McAfee's automatic updates.
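A defender's check for the condition described above, as an added example that is not from McAfee or the original article: it parses Windows `netstat -ano` output and flags a port 6515 listener bound to all interfaces, clients of that port from outside private address space, and outbound SMTP from the same process. Only port 6515 comes from the article; the sample output, the finding labels and the assumption that relayed mail leaves on TCP port 25 are constructed for illustration.

```python
import ipaddress

RUMOR_PORT = "6515"  # port named in the article
SMTP_PORT = "25"     # assumption: relayed mail leaves on standard SMTP

# Address space treated as internal (private, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample of `netstat -ano` output (not real traffic).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:6515           0.0.0.0:0              LISTENING       2140
  TCP    192.168.1.20:6515      192.168.1.31:50211     ESTABLISHED     2140
  TCP    192.168.1.20:6515      203.0.113.77:41822     ESTABLISHED     2140
  TCP    192.168.1.20:49712     198.51.100.9:25        ESTABLISHED     2140
  TCP    192.168.1.20:49800     198.51.100.50:443      ESTABLISHED     3004
"""

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6%zone]:port' into (host, port)."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]").split("%")[0], port

def is_internal(host):
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in INTERNAL)

def audit(netstat_text):
    """Return (finding, endpoint, pid) tuples for proxy-abuse indicators."""
    rows = [r for r in (l.split() for l in netstat_text.splitlines())
            if len(r) == 5 and r[0] == "TCP"]
    findings, proxy_pids = [], set()
    for _, local, remote, state, pid in rows:
        lhost, lport = split_endpoint(local)
        if lport != RUMOR_PORT:
            continue
        proxy_pids.add(pid)  # process that owns the port 6515 socket
        if state == "LISTENING" and ipaddress.ip_address(lhost).is_unspecified:
            findings.append(("listener_all_interfaces", local, pid))
        elif state == "ESTABLISHED" and not is_internal(split_endpoint(remote)[0]):
            findings.append(("external_client", remote, pid))
    for _, local, remote, state, pid in rows:
        # Same process opening outbound SMTP suggests mail is being relayed.
        if pid in proxy_pids and state == "ESTABLISHED" and split_endpoint(remote)[1] == SMTP_PORT:
            findings.append(("outbound_smtp", remote, pid))
    return findings
```

A listener bound to all interfaces is only reachable from the Internet if the perimeter forwards the port, so the `external_client` and `outbound_smtp` findings are the stronger signals.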
Besides having its business e-mails blacklisted by a number of e-mail providers and spam-blocking services, Kaamar Limited says the issue caused its site to get the equivalent of 10 months of normal traffic in just one day, and that it had to pull its product listings from Google Shopping to avoid getting its account suspended.
McAfee said it expects to issue a patch later today once testing is finished, and clarified that the flaw didn't put customer data at any risk of exposure. The patch will also address another vulnerability that could allow an attacker to misuse an ActiveX control to execute code on a user's computer.