Security Basics mailing list archives

RE: ghostly mail ports


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 10 Jan 2003 08:30:32 -0800

  Are you running an antivirus package that checks incoming
and outgoing email messages?  If so, it may be reconfiguring
things in the background so that your email client connects 
locally to the antivirus package, which then makes the actual
SMTP and POP connections to the remote server(s) you use.
  The first generation of such packages weren't good at hiding
what they were doing, or at explaining it to users -- and as a result,
a lot of mid-range users were stumbling across weird-looking
email configurations and "fixing" them, not realizing they were
actually breaking the antivirus protection they had installed.
  The newer generation of products seems to have simply gotten
much better at hiding themselves.  But if they hid themselves
perfectly, they couldn't work at all...

Dave Gillett


-----Original Message-----
From: joe [mailto:joseph.beard () btopenworld com]
Sent: January 7, 2003 16:45
To: security-basics () securityfocus com
Subject: ghostly mail ports


Hi, I'm new to security and this is my first post, so be gentle :)

I have a fairly good understanding of the TCP/IP model and I think I
understand what ports are for! But I can't understand that on my box I have
the 2 default mail ports (25 and 110) open. It's a Windows 2000 box, Service
Pack three. I'm pretty sure I'm not running a mail server of any description.

The ports appear in both ScanLine and SuperScan, e.g.

C:\>sl -bht 1-1000 192.168.0.1
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com

Scan of 1 IP started at Wed Jan 08 00:36:51 2003

-----------------------------------------------------------------------------
192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 25 110 135 139 445


-----------------------------------------------------------------------------

Scan finished at Wed Jan 08 00:37:09 2003

1 IP and 1000 ports scanned in 0 hours 0 mins 18.16 secs

But in netstat, ActivePorts and fport they don't! Does anybody know where they
have come from? I googled for ages but don't seem to be getting anywhere.



thanks

joe
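A small diagnostic for the situation described in this thread, added here as an example and not code from either poster: it parses a ScanLine "TCP ports:" line and a `netstat -an` listing, reports the ports the scanner saw that no LISTENING socket accounts for, and reads the greeting those ports send on connect (SMTP and POP3 servers, including local antivirus proxies, normally announce themselves). The ScanLine and netstat samples are constructed for this example, and the hypothetical `grab_banner` helper assumes the scan was run against the machine it runs on.

```python
import re
import socket

# Constructed sample modelled on the ScanLine output quoted in the post.
SCANLINE_OUTPUT = """\
192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 25 110 135 139 445
"""

# Constructed `netstat -an` sample: note that 25 and 110 are not listed,
# which is exactly the discrepancy the original poster asked about.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1026       192.168.0.5:80         ESTABLISHED
"""


def parse_scanline_ports(text):
    """Return the set of TCP ports from a ScanLine 'TCP ports:' line."""
    m = re.search(r"^TCP ports:\s*(.*)$", text, re.MULTILINE)
    return {int(p) for p in m.group(1).split()} if m else set()


def parse_netstat_listening(text):
    """Map each LISTENING TCP port to the local address it is bound on."""
    listening = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            addr, port = f[1].rsplit(":", 1)
            listening[int(port)] = addr
    return listening


def unexplained_ports(scanned, listening):
    """Ports open to the scanner that netstat shows no listener for."""
    return scanned - set(listening)


def grab_banner(host, port, timeout=3.0):
    """Read the greeting a service sends on connect; None if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(256).decode("ascii", "replace").strip() or None
    except OSError:
        return None


if __name__ == "__main__":
    scanned = parse_scanline_ports(SCANLINE_OUTPUT)
    listening = parse_netstat_listening(NETSTAT_OUTPUT)
    for port in sorted(unexplained_ports(scanned, listening)):
        print(port, "open but absent from netstat; banner:",
              grab_banner("127.0.0.1", port))
```

A port that is open to the scanner, absent from netstat, and greets with a mail banner is the pattern of an interposed mail-scanning proxy rather than a server you installed; the greeting text usually names the product.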
