I've seen AVG logging POP3 requests to weird servers, never have found trojan/etc.
Lastest attempt was to:
ip141-58-173-82.dyndsl.ver
I shut down my net connection, which broke the attempt, and haven't seen it again.
There was no email in the cache folders for AVG, just a logged note. I've since cranked up to maximum logging for the time being. This is using Outlook Express as mail client. I have all latest SP, patches, etc.
I had seen wacky stuff like this early on (10-12mos back) when I first built out this machine. Never have been able to find any spyware, virus, trojan, anything... Using a few different tools (MS Antispyware, AVG, a-squared, to name my starters...). About to try some more. Didn't know if it was something wacky with AVG itself, but it freaks me out when I see the AVG popup contacting a strange POP3 server, usually raw IP address or dynamic dns...
Anyone seen stuff like this? It's not trying to open an SMTP address (sending mail), it seems to be opening a 'random-seeming' POP3 box (which, of course, once the connection is opened, a trojan could use that 'transport' for potentially other things...). Concerned given this is my primary EVERYTHING box, and tons of sensitive information on it, used through it (https sites), etc.
Setting high points, hoping someone can either point me to figuring out where the POP3 conns are coming from, how to stop them (if malicious) or at least better track them (if non-malicious, maybe some silly util is trying to use pop3 for updates??), or resources/discussions regarding this exact topic (pop3 connections being made on windows box to pop3 mailboxes NOT specified in my account...).
Thanks folks,
-d
ip141-58-173-82.dyndsl.ver
I shut down my net connection, which broke the attempt, and haven't seen it again.
There was no email in the cache folders for AVG, just a logged note. I've since cranked up to maximum logging for the time being. This is using Outlook Express as mail client. I have all latest SP, patches, etc.
I had seen wacky stuff like this early on (10-12mos back) when I first built out this machine. Never have been able to find any spyware, virus, trojan, anything... Using a few different tools (MS Antispyware, AVG, a-squared, to name my starters...). About to try some more. Didn't know if it was something wacky with AVG itself, but it freaks me out when I see the AVG popup contacting a strange POP3 server, usually raw IP address or dynamic dns...
Anyone seen stuff like this? It's not trying to open an SMTP address (sending mail), it seems to be opening a 'random-seeming' POP3 box (which, of course, once the connection is opened, a trojan could use that 'transport' for potentially other things...). Concerned given this is my primary EVERYTHING box, and tons of sensitive information on it, used through it (https sites), etc.
Setting high points, hoping someone can either point me to figuring out where the POP3 conns are coming from, how to stop them (if malicious) or at least better track them (if non-malicious, maybe some silly util is trying to use pop3 for updates??), or resources/discussions regarding this exact topic (pop3 connections being made on windows box to pop3 mailboxes NOT specified in my account...).
Thanks folks,
-d
Do you use POP3 yourself? If you do, nslookup your POP3 server and check if the IP matches.
ASKER
Hmmm. Maybe I wasn't clear enough in the last parenthesized part... I am (have) seeing POP3 requests going out to domains that aren't in my setup (which should be comcast.net and my own private domain). The one I showed was clearly some dynamic address dsl link in the netherlands (I'm in the US).
Anyone else care to take a shot? ;)
-d
Anyone else care to take a shot? ;)
-d
No, I understood you. Yet sometimes if you lookup a DNS name and then reverse lookup the IP you get, you won't get the same DNS name. For instance I have a domain name and I can easily get it to point to my IP address, but if you then reverse lookup it it will still point to a DNS name associated with my ISP.
I'd get a firewall to lock it in. Why risk issue of having ISP take to not like you?
If not HW, try SW like ZoneAlarm. Lock all outgoing unless you approve. Approve your two.
No one 'has to' use the ports to be as defined according to standard port assignments. For example, SMTP uses port 25, but no, it does not have to, you can use 24 or 26 if you want. Since malwares are rogues, you cannot 'assume' that they will abide by any agreed upon rules such as for port assignments. ZoneAlarm also maintains a log of the rquests, so you can compare notes and perhaps better identify the origin, destination, and whatever it is on your PC (spyware? spam forwarding? mail list generation?) that is trying to either spread or go home. Before killing it (format?) isolate it (block port).
If not HW, try SW like ZoneAlarm. Lock all outgoing unless you approve. Approve your two.
No one 'has to' use the ports to be as defined according to standard port assignments. For example, SMTP uses port 25, but no, it does not have to, you can use 24 or 26 if you want. Since malwares are rogues, you cannot 'assume' that they will abide by any agreed upon rules such as for port assignments. ZoneAlarm also maintains a log of the rquests, so you can compare notes and perhaps better identify the origin, destination, and whatever it is on your PC (spyware? spam forwarding? mail list generation?) that is trying to either spread or go home. Before killing it (format?) isolate it (block port).
ASKER
Yeah, I understand how port numbers. I should have added I'm a capable programmer. ;)
In this case, my current firewalls aren't helping, as it's opening up a port, intercepted by AVG, and AVG acts as the proxy for the mail -- again, it's a POP connection being made, not SMTP. I do have Windows Firewall in place, and have firewall ports on my router as well, but blocking outgoing connections on a STANDARD port, yeah, I'd need something deeper/trickier. Again, unfortunately, because it seems to be connecting on a standard port, AND because AVG proxies already, it's hard to catch. Heck, Antispyware potentially should have alerted me if it's actually some extra application trying to run and open a connection... potentially... ;)
Of course, if the thing is somehow queueing up an email within OE, then only blocking the initial email would make a difference, or blocking after AVG.... Yeah, I really need an outgoing proxy that sits AFTER AVG, and disallows connections on port 110...
-d
In this case, my current firewalls aren't helping, as it's opening up a port, intercepted by AVG, and AVG acts as the proxy for the mail -- again, it's a POP connection being made, not SMTP. I do have Windows Firewall in place, and have firewall ports on my router as well, but blocking outgoing connections on a STANDARD port, yeah, I'd need something deeper/trickier. Again, unfortunately, because it seems to be connecting on a standard port, AND because AVG proxies already, it's hard to catch. Heck, Antispyware potentially should have alerted me if it's actually some extra application trying to run and open a connection... potentially... ;)
Of course, if the thing is somehow queueing up an email within OE, then only blocking the initial email would make a difference, or blocking after AVG.... Yeah, I really need an outgoing proxy that sits AFTER AVG, and disallows connections on port 110...
-d
ASKER
Okay, I've seen enough references that I'll answer this myself and ask this to be PAQ'd.
Some of the P2P apps use commonly-known port numbers to call out to servers, to either avoid firewalls or traffic shaping or other blocks. My best guess is that's what I've been seeing, as it was too coincidental in my testing/reviewing of various bittorrent offshoots.
That's not to say folks shouldn't be aware and alarmed when their email logging shows an outgoing POP3 connection to a weird server -- but should see if it coincides with running of P2P apps of any sort (in concert, if needed, with antivirus/trojan/spyware scans...).
-d
Some of the P2P apps use commonly-known port numbers to call out to servers, to either avoid firewalls or traffic shaping or other blocks. My best guess is that's what I've been seeing, as it was too coincidental in my testing/reviewing of various bittorrent offshoots.
That's not to say folks shouldn't be aware and alarmed when their email logging shows an outgoing POP3 connection to a weird server -- but should see if it coincides with running of P2P apps of any sort (in concert, if needed, with antivirus/trojan/spyware scans...).
-d
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
too bad none of the rest of us know anything