Security Basics mailing list archives
RE: ghostly mail ports
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 10 Jan 2003 08:30:32 -0800
Are you running an antivirus package that checks incoming and outgoing email messages? If so, it may be reconfiguring things in the background so that your email client connects locally to the antivirus package, which then makes the actual SMTP and POP connections to the remote server(s) you use.

The first generation of such packages weren't good at hiding what they were doing, or at explaining it to users -- and as a result, a lot of mid-range users were stumbling across weird-looking email configurations and "fixing" them, not realizing they were actually breaking the antivirus protection they had installed.

The newer generation of products seem to have simply gotten much better at hiding themselves. But if they hid themselves perfectly, they couldn't work at all....

Dave Gillett
-----Original Message-----
From: joe [mailto:joseph.beard () btopenworld com]
Sent: January 7, 2003 16:45
To: security-basics () securityfocus com
Subject: ghostly mail ports

Hi,

I'm new to security and this is my first post, so be gentle :)

I have a fairly good understanding of the TCP/IP model and I think I understand what ports are for! But I can't understand that on my box, I have the 2 default mail ports (25 and 110) open. It's a Windows 2000 box, service pack three. I'm pretty sure I'm not running a mail server of any description. The ports appear in both scanline and superscan, e.g.

C:\>sl -bht 1-1000 192.168.0.1
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com

Scan of 1 IP started at Wed Jan 08 00:36:51 2003

-----------------------------------------------------------------------------
192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 25 110 135 139 445
-----------------------------------------------------------------------------

Scan finished at Wed Jan 08 00:37:09 2003

1 IP and 1000 ports scanned in 0 hours 0 mins 18.16 secs

but in netstat, activeports, fport they don't! Does anybody know where they have come from? I googled for ages but don't seem to be getting anywhere.

thanks
joe