avast email scanner...???

[raemi00]

Installed avast few days ago and so far I'm satisfied with its' performance. However, I've noticed an avast icon appears in tray bar time to time.

"avast email scanner [POP...]..."

I don't use any e-mail client at all (outlook express, thunderbird...) but only use web-based email services (yahoo and hotmail). So why is my av scanning for email when I'm not sending nor recieving anything at all? Are some malicious 3rd party programs trying to contact my pc?

I've already browsed the forum but couldn't find any related topic that answer my question fully so any help will be much appreciated. Thank you.

My spec:
pc winxp sp2
avast 4.7 uptodate
win defender
spybot s&d
adaware se personal

[Lisandro]

I don't use any e-mail client at all (outlook express, thunderbird...) but only use web-based email services (yahoo and hotmail). So why is my av scanning for email when I'm not sending nor recieving anything at all? Are some malicious 3rd party programs trying to contact my pc?

Indeed, there is such option...
Maybe you can use TCPView from www.sysinternals.com to see

Suggestions?

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4) Use a-squared, ewido or Spyware Terminator (trojan removers).

[raemi00]

Thank you for your fast reply.
I forgot to mention that I use p2p program (uTorrent). Does that trigger such scanning?

[alanrf]

avast has utorrent in its list of programs to be excluded from such scanning.

If set the sensistivity of the mail scanner to high for a while it should alert you if some process in your system is sending out a lot of email spam.

If it does then in the mail scanner if you click on Customize > Advanced tab > Click on "Timeout for internet communication(s) > OK

You should get a popup telling you the name of the process sending the spam email. 

[raemi00]

So far;
My sys retore has been disabled from the start.
None of my av programs picked up anything unusual.
D/led & thoroughly scanned with a-squared; nothing
Set the sensitivity to high.

Don't believe I have any malignant worm/virus/spyware in my pc.
My next one is two-pronged question;
1. Why can't I just terminate the avast email-scanner pop-up?
   - only way to stop is disconnect from the online
2.Do you think it's dangerous?
   - is someone attacking my pc and avast is blocking the attempt?
   - not even sure whether it' scanning for outgoing or incoming mail
   - where is this email avast is scanning?

Thanks for your input.

ps. Btw, I had AVS as my primary av program before and AVS had the same POP3 scanning warning popped up occasionally. AVS forum blamed p2p programs and there was no solution to fix this.

[Lisandro]

1. Why can't I just terminate the avast email-scanner pop-up

Which is your avast version? 4.7.871?

2.Do you think it's dangerous?

Well... it's not good to disable... something is wrong and must be corrected...

where is this email avast is scanning?

Did you try to use TCPView from www.sysinternals.com ?

ps. Btw, I had AVS as my primary av program before and AVS had the same POP3 scanning warning popped up occasionally. AVS forum blamed p2p programs and there was no solution to fix this.

Did you correctly uninstall AVS?
Which P2P program do you have?

[alanrf]

I can tell you how to stop seeing "the problem".

Before I do that I want you to think about this logically. 

I have told you that the icon you are you are seeing is not caused by utorrent.  The avast team have gone to the trouble to ensure that utorrent.exe is excluded from scanning by avast. 

Are you using any other p2p program other than utorrent? 

If you do have malware on your system do you want to find it or do you want to bury your head and pretend it is not there?  The symptoms you describe are not someone sending email to your PC from outside (they cannot, you have to deliberately go ask for email), they suggest that you have an email spambot already inside your system sending out spam email without your approval.

The default of the Internet Mail scanner is to scan inbound and outbound mail.  Nobody, but nobody, runs malware that receives email to your PC.  There are many different examples of malware that turn your PC into a zombie churning out spam email (where do you think all that spam email comes from?   PCs like yours).

So to return to your options - and it is entirely up to you. 

If you only use email via the web browser (Yahoo & Hotmail etc.) and do not use any email client then you can turn off the Internet mail scanner.  You will never be bothered by any warnings from it again - including the bluelight icon in the systray.  If you are infected, if you become infected you will never know until your ISP comes to tell you are breaking their terms of service.

My recommendation (for whatever it is worth) is to keep the Internet Mail provider running with sensitivity set to high.  If you are not using sending/receiving email it will be doing nothing (and using next to no resources).  If you are infected it will alert you to multiple emails being sent.  If you are using other p2p services that are triggering it we can show you how to avoid that. 

There is another step I can suggest to get avast to absolutely confirm whether your system is sending spam emails or not.     

If you need any more help please let us know.     

[raemi00]

Which is your avast version? 4.7.871?  Yes

TCPView shows nothing unusual

Correctly uninstalled AVS as far as I know; no conflict issue occured

Only uTorrent and no other p2p program

Of cource I'd like to fix the problem not stop seeing "the problem". That's why I'm here.
So, IF I have an email spambot and spewing out junk email, how do I find it and kill it?

One last thing; I use tor/vidalia anon system to surf the web.

Thanks for your replies and help. I want to get to the bottom of this.

[alanrf]

TCPView shows nothing unusual

Hmmm ... what is usual? It should at least look a little different with avast installed.

My friend Tech may not have mentioned that you should be looking for any processes that are linked to port 12025 (the ashMaiSv.exe listening port).

avast can log in more detail any connections made through the Internet Mail scanner to send or receive email.

You can get the mailscanner to log your connections by editing the avast4.ini file (in  Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

The log will show any connections being made on the email ports scanned by avast and the name of the process that is making the connection.

There is no harm in leaving the logging option set on in the avast4.ini.  The log is cleared at each system restart so it will not build into a huge file and will have the information if the connection problem should happen again.

[raemi00]

Today I just saw another warning first time since I started this post few days ago.

program name          avast! e-Mail Scanner Service
file name                   ashMaiSv.exe
remote port               143
remote ip address     124.120.234.103

Somebody from Australia was trying to contact me. Hmmmm...
My guess is that some thing is triggering  ashMaiSv.exe to send out a message but what?
How can I find out exactly what's going on?

TIA.

[alanrf]

Where did you see this message? It does not look exactly like an avast message.

It has nothing to do with someone trying to contact you.  It does indicate that something in your system was trying to establish contact from your system to a server using port 143, which is the port typically used for IMAP mail connections. 

If you have the logging set up that I recommended - what does the log show?

[raemi00]

"Cannot connect to IMAP server 124.120.234.103 "

Only relevantt message seemed to be that line from the log.

Other info came from ZoneAlarm blocking the attempt.
Maybe I didn't put log=20 line correctly

[MailScanner]
PopRedirectPort=110
SmtpRedirectPort=25
ImapRedirectPort=143
NntpRedirectPort=119
IgnoreAddress=
IgnoreLocalhost=1
AutoRedirect=1
log=20  <----------------------- correct?
[Splash]

[alanrf]

That log, if you would allow us to see it should show the name of the process that is being intercepted by avast (ashMaiSv.exe) and then avast attempts to make the connection instead so that it can scan the traffic.

 

[alanrf]

I find it odd that a spambot would only attempt to use your system so sporadically. 

Again, is utorrent the only P2P client you are using?  I ask since 143 seems to be a frequently (mis)used port by P2P enthusiasts.

[raemi00]

Yup. uTorrent is the only p2p proggie that I use.
I wonder about the infrequency too. Very strange.
Again, log=20 location is correct, right?