Author Topic: Strange pop3 connections from Avast!  (Read 3586 times)


louie

  • Guest
Strange pop3 connections from Avast!
« on: November 20, 2006, 06:27:56 PM »
Dear all,

avast! Mail Scanner has been showing an icon on my taskbar lately, with a tooltip showing a Chinese IP address..


netstat -aon outputs the following:

Proto  Local Address          Foreign Address        State           PID
TCP    192.168.1.30:2097      61.184.100.8:110       ESTABLISHED     2276

So I checked PID 2276 in Task Manager to see what's creating the connection to this strange POP3 server..
Turns out it's ashMaiSv.exe!


What's going on here?
I checked the avast! logs, but nothing shows.
I'm about to install a packet sniffer to see what the hell this is doing.

Any help would really be appreciated.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Strange pop3 connections from Avast!
« Reply #1 on: November 20, 2006, 06:39:16 PM »
> avast! Mail Scanner has been showing an icon on my taskbar lately, with a tooltip showing a Chinese IP address..
It's the Internet Mail provider icon. No trouble. You've set avast to show this icon in its settings.

> So I checked PID 2276 in Task Manager to see what's creating the connection to this strange POP3 server..
> Turns out it's ashMaiSv.exe!
ashMaiSv.exe is the Internet Mail provider...

Did you run a full avast scan?

It would be good if you download, install, update and run other trojan remover tools:
a-squared
Free AVG Antispyware
SUPERantispyware
Spyware Terminator
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Strange pop3 connections from Avast!
« Reply #2 on: November 20, 2006, 06:50:11 PM »
The ashMaiSv.exe doesn't establish any connection; something is either downloading email (strange) or sending email (possibly a spambot mass mailer, especially if you weren't using your email program?). The avast email scanner just intercepts email traffic to scan it.

Do you have a firewall? If so, which one?
Is there anything in the logs that might show the initiating program, as ashMaiSv.exe is the scanning element for the localhost proxy? It may be that something is connecting to the internet using an email port but not the POP3 protocol, which is triggering ashMaiSv.exe to try and scan it.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. Ewido, a.k.a. AVG Anti-Spyware, if using WinXP, or a-squared Free if using Win98/ME.

Do you use a P2P application? If so, which one?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

louie

  • Guest
Re: Strange pop3 connections from Avast!
« Reply #3 on: November 20, 2006, 07:07:29 PM »
I'm primarily a Linux guy; all my mail is sent through Evolution on Linux.
I mainly use Windows for entertainment (games, movies, etc.), and although Outlook is set up on this PC, I don't have mail accounts created (I sync my phone on it.. that's all).

I'm not using any software firewall (apart from Windows Firewall, if that counts); my network is behind a hardware router, so there's no risk of incoming external connections.. it's the outgoing stuff I need to control now.

I tried connecting to the IP on port 110.. didn't get a proper POP3 header back.

As for P2P applications, I only have BitTorrent.

I just downloaded AVG Anti-Spyware, installed and updated it, and it's doing a full system scan.. so far only cookies found.
Will keep you posted.

Thanks guys
« Last Edit: November 20, 2006, 07:19:22 PM by Louie »

louie

  • Guest
Re: Strange pop3 connections from Avast!
« Reply #4 on: November 20, 2006, 07:31:38 PM »
Well, I feel stupid.
DavidR's question about P2P got me thinking.
I checked BitTorrent, and noticed one of the trackers it's using is 'tracker.ydy.com:110'

[lm@srv1:~]$ host tracker.ydy.com
tracker.ydy.com has address 61.184.100.8

Problem solved :)

What I don't understand is why the connection appears under avast's PID rather than BitTorrent's?
Does Avast trap all outgoing mail connections and transparently proxy them?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89336
  • No support PMs thanks
Re: Strange pop3 connections from Avast!
« Reply #5 on: November 20, 2006, 08:28:26 PM »
No need to feel stupid; stupid would have been not to have checked. Welcome to the forums.

Anything using the email ports 25, 110, 119 and 143 will be redirected to its proxy and then on to its destination. Using email ports for non-standard purposes will cause issues, as the avast Internet Mail provider is expecting that traffic to be using email protocols.

I don't use P2P applications, so I apologise for the terminology, but some people use the email ports for communication. So if you can (and I assume you have), change the tracker/communication port to a non-email port.

The reason why the connection appears under the mail provider's PID, I would say, is that the netstat process isn't smart or detailed enough to identify the originator of the request. My firewall is smart enough to show the originating program using the localhost proxy, as are many others.
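The two points in the reply above (mail ports 25/110/119/143 are diverted through a localhost proxy, and plain `netstat -aon` then attributes the outbound connection to the proxy rather than to the real originator) can be checked from netstat output alone, because the originator still shows up as a loopback client of the proxy process. The script below is an added example, not code from the thread or from avast: it parses constructed `netstat -aon` output, finds outbound connections to mail ports, and lists the other processes holding loopback connections into a port the owning process listens on. The 61.184.100.8:110 row and PID 2276 are taken from the thread; the loopback proxy port 12110, the PIDs 1840/1500, the image names and all other rows are made-up sample data, not avast's real port numbers.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Mail ports that, per the reply above, the Internet Mail provider redirects
# through its localhost proxy.
MAIL_PORTS = {25, 110, 119, 143}

# One TCP row of `netstat -aon`: proto, local ip:port, foreign ip:port, state, PID.
# UDP rows carry no state column, so this expression deliberately skips them.
TCP_ROW = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample output. Only the 61.184.100.8:110 row and PID 2276 come from
# the thread; port 12110, PIDs 1840/1500 and the remaining rows are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING       2276
  TCP    127.0.0.1:12110        127.0.0.1:3045         ESTABLISHED     2276
  TCP    127.0.0.1:3045         127.0.0.1:12110        ESTABLISHED     1840
  TCP    192.168.1.30:2097      61.184.100.8:110       ESTABLISHED     2276
  TCP    192.168.1.30:2101      203.0.113.5:443        ESTABLISHED     1500
  UDP    0.0.0.0:6881           *:*                                    1840
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {900: "svchost.exe", 2276: "ashMaiSv.exe",
                    1840: "bittorrent.exe", 1500: "firefox.exe"}


def parse_netstat(text):
    """Return the TCP rows of `netstat -aon` output as Conn tuples."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            rows.append(Conn(proto, lip, int(lport), rip, int(rport), state, int(pid)))
    return rows


def is_loopback(ip):
    return ip.startswith("127.")


def attribute_mail_connections(conns, proc_names):
    """For each outbound connection to a mail port, report the owning process and
    every other process with a loopback connection into a port the owner listens on.
    When the owner is a transparent proxy, those clients are the likely originators."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED" or is_loopback(c.remote_ip) or c.remote_port not in MAIL_PORTS:
            continue
        # Ports on which the owning process accepts clients.
        listen_ports = {l.local_port for l in conns if l.pid == c.pid and l.state == "LISTENING"}
        # Other processes currently connected over loopback into one of those ports.
        clients = sorted({k.pid for k in conns
                          if k.pid != c.pid and k.state == "ESTABLISHED"
                          and is_loopback(k.remote_ip) and k.remote_port in listen_ports})
        findings.append({
            "remote": f"{c.remote_ip}:{c.remote_port}",
            "owner": proc_names.get(c.pid, str(c.pid)),
            # An empty list means the owner itself is the best guess for the originator
            # (or the client side had already closed when the snapshot was taken).
            "candidates": [proc_names.get(p, str(p)) for p in clients],
        })
    return findings


def demo():
    return attribute_mail_connections(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES)


if __name__ == "__main__":
    for f in demo():
        who = ", ".join(f["candidates"]) or "none seen (owner itself?)"
        print(f"{f['remote']:<22} owned by {f['owner']:<14} loopback clients: {who}")
```

With several loopback clients connected at once, a single netstat snapshot cannot say which client maps to which outbound socket, so the script lists all of them as candidates rather than picking one; a host firewall that hooks the original connect call (the behaviour the reply describes) does not have that ambiguity.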

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Strange pop3 connections from Avast!
« Reply #6 on: November 21, 2006, 02:50:16 AM »
> Does Avast trap all outgoing mail connections and transparently proxy them?
In short, yes.
Check here how to exclude an application (like BitTorrent) from the 'mail' scanner, not from all avast protection:
http://forum.avast.com/index.php?topic=1647.msg10267#msg10267
IgnoreProcess=BitTorrent.exe