Lastest attempt was to:
ip141-58-173-82.dyndsl.ver
I shut down my net connection, which broke the attempt, and haven't seen it again.
There was no email in the cache folders for AVG, just a logged note. I've since cranked up to maximum logging for the time being. This is using Outlook Express as mail client. I have all latest SP, patches, etc.
I had seen wacky stuff like this early on (10-12mos back) when I first built out this machine. Never have been able to find any spyware, virus, trojan, anything... Using a few different tools (MS Antispyware, AVG, a-squared, to name my starters...). About to try some more. Didn't know if it was something wacky with AVG itself, but it freaks me out when I see the AVG popup contacting a strange POP3 server, usually raw IP address or dynamic dns...
Anyone seen stuff like this? It's not trying to open an SMTP address (sending mail), it seems to be opening a 'random-seeming' POP3 box (which, of course, once the connection is opened, a trojan could use that 'transport' for potentially other things...). Concerned given this is my primary EVERYTHING box, and tons of sensitive information on it, used through it (https sites), etc.
Setting high points, hoping someone can either point me to figuring out where the POP3 conns are coming from, how to stop them (if malicious) or at least better track them (if non-malicious, maybe some silly util is trying to use pop3 for updates??), or resources/discussions regarding this exact topic (pop3 connections being made on windows box to pop3 mailboxes NOT specified in my account...).
Thanks folks,
-d
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Hmmm. Maybe I wasn't clear enough in the last parenthesized part... I am (have) seeing POP3 requests going out to domains that aren't in my setup (which should be comcast.net and my own private domain). The one I showed was clearly some dynamic address dsl link in the netherlands (I'm in the US).
Anyone else care to take a shot? ;)
-d
No, I understood you. Yet sometimes if you lookup a DNS name and then reverse lookup the IP you get, you won't get the same DNS name. For instance I have a domain name and I can easily get it to point to my IP address, but if you then reverse lookup it it will still point to a DNS name associated with my ISP.
I'd get a firewall to lock it in. Why risk issue of having ISP take to not like you?
If not HW, try SW like ZoneAlarm. Lock all outgoing unless you approve. Approve your two.
No one 'has to' use the ports to be as defined according to standard port assignments. For example, SMTP uses port 25, but no, it does not have to, you can use 24 or 26 if you want. Since malwares are rogues, you cannot 'assume' that they will abide by any agreed upon rules such as for port assignments. ZoneAlarm also maintains a log of the rquests, so you can compare notes and perhaps better identify the origin, destination, and whatever it is on your PC (spyware? spam forwarding? mail list generation?) that is trying to either spread or go home. Before killing it (format?) isolate it (block port).
Yeah, I understand how port numbers. I should have added I'm a capable programmer. ;)
In this case, my current firewalls aren't helping, as it's opening up a port, intercepted by AVG, and AVG acts as the proxy for the mail -- again, it's a POP connection being made, not SMTP. I do have Windows Firewall in place, and have firewall ports on my router as well, but blocking outgoing connections on a STANDARD port, yeah, I'd need something deeper/trickier. Again, unfortunately, because it seems to be connecting on a standard port, AND because AVG proxies already, it's hard to catch. Heck, Antispyware potentially should have alerted me if it's actually some extra application trying to run and open a connection... potentially... ;)
Of course, if the thing is somehow queueing up an email within OE, then only blocking the initial email would make a difference, or blocking after AVG.... Yeah, I really need an outgoing proxy that sits AFTER AVG, and disallows connections on port 110...
-d
Okay, I've seen enough references that I'll answer this myself and ask this to be PAQ'd.
Some of the P2P apps use commonly-known port numbers to call out to servers, to either avoid firewalls or traffic shaping or other blocks. My best guess is that's what I've been seeing, as it was too coincidental in my testing/reviewing of various bittorrent offshoots.
That's not to say folks shouldn't be aware and alarmed when their email logging shows an outgoing POP3 connection to a weird server -- but should see if it coincides with running of P2P apps of any sort (in concert, if needed, with antivirus/trojan/spyware scans...).
-d
Business Accounts
Answer for Membership
by: ChatablePosted on 2006-02-10 at 09:19:11ID: 15924483
Do you use POP3 yourself? If you do, nslookup your POP3 server and check if the IP matches.