Author Topic: Strange port 143 activity  (Read 2756 times)


DonZ63

  • Guest
Strange port 143 activity
« on: October 20, 2011, 10:00:06 PM »
Win 7 x64 SP1, Avast 6.0.1289

Now that I have my Win 7 firewall outbound rules set up, I am getting this strange outbound firewall alert from port 143 at boot time. Is this OK to allow? I don't use any e-mail except ISP-based e-mail.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/20/2011 3:31:57 PM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Don-PC
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
   Process ID:      4
   Application Name:   System

Network Information:
   Direction:      Outbound
   Source Address:      fe80::2401:1c51:9da4:dbc4
   Source Port:      143
   Destination Address:   ff02::16
   Destination Port:      0
   Protocol:      58

Filter Information:
   Filter Run-Time ID:   129197
   Layer Name:      Connect
   Layer Run-Time ID:   50
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5157</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12810</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-20T19:31:57.106526900Z" />
    <EventRecordID>28175</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="60" />
    <Channel>Security</Channel>
    <Computer>Don-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessID">4</Data>
    <Data Name="Application">System</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">fe80::2401:1c51:9da4:dbc4</Data>
    <Data Name="SourcePort">143</Data>
    <Data Name="DestAddress">ff02::16</Data>
    <Data Name="DestPort">0</Data>
    <Data Name="Protocol">58</Data>
    <Data Name="FilterRTID">129197</Data>
    <Data Name="LayerName">%%14611</Data>
    <Data Name="LayerRTID">50</Data>
    <Data Name="RemoteUserID">S-1-0-0</Data>
    <Data Name="RemoteMachineID">S-1-0-0</Data>
  </EventData>
</Event>




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Strange port 143 activity
« Reply #1 on: October 21, 2011, 12:16:04 AM »
I would start by reading this, as it shows what that port is normally used for, Internet Message Access Protocol (IMAP), and from that you should be able to confirm if you have email being checked, etc.

http://www.grc.com/port_143.htm also http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DonZ63

  • Guest
Re: Strange port 143 activity
« Reply #2 on: October 21, 2011, 12:49:34 AM »
Thanks, David.

I did research this. It is indeed an ICMPv6 Multicast Listener Report Message v2. In itself it is a valid ICMPv6 outbound transaction, but it should be blocked since it could invalidate the default rules the Win 7 firewall has for Teredo tunneling security. Hence the lack of this rule in the Win 7 firewall's default outbound core rules.

Another example of the danger of running the Win 7 firewall with the default of allowing all outbound traffic.
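
An added example, not written by any poster in this thread: the posted event has Protocol 58 (ICMPv6), so its "Source Port: 143" is an ICMPv6 message type, not IMAP's TCP port, and this parser decodes the fields accordingly. The function name `interpret_wfp_event` is hypothetical, the sample XML is a trimmed copy of the posted event, and the code assumes the Windows Filtering Platform reports ICMP type and code in the source and destination port fields.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ICMP_PROTOCOLS = {1: "ICMP", 58: "ICMPv6"}  # IANA IP protocol numbers
ICMPV6_TYPES = {  # subset of the IANA ICMPv6 type registry
    128: "Echo Request", 129: "Echo Reply",
    130: "Multicast Listener Query", 131: "Multicast Listener Report",
    133: "Router Solicitation", 134: "Router Advertisement",
    135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
    143: "Version 2 Multicast Listener Report (MLDv2)",
}

# Constructed sample: the fields of the event posted in this thread, trimmed.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5157</EventID></System>
  <EventData>
    <Data Name="SourceAddress">fe80::2401:1c51:9da4:dbc4</Data>
    <Data Name="SourcePort">143</Data>
    <Data Name="DestAddress">ff02::16</Data>
    <Data Name="DestPort">0</Data>
    <Data Name="Protocol">58</Data>
  </EventData>
</Event>"""


def interpret_wfp_event(xml_text):
    """Hypothetical helper: decode the port fields of a 5156/5157 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    proto = int(data["Protocol"])
    out = {"src": data["SourceAddress"], "dst": data["DestAddress"]}
    if proto in ICMP_PROTOCOLS:
        # Assumption: for ICMP, WFP reports type/code in the source/dest port fields.
        out["protocol"] = ICMP_PROTOCOLS[proto]
        out["icmp_type"] = int(data["SourcePort"])
        out["icmp_code"] = int(data["DestPort"])
        if proto == 58:
            out["meaning"] = ICMPV6_TYPES.get(out["icmp_type"], "unlisted type")
    else:
        # TCP (6), UDP (17) and others: the fields are real port numbers.
        out["protocol"] = str(proto)
        out["source_port"] = int(data["SourcePort"])
        out["dest_port"] = int(data["DestPort"])
    return out


if __name__ == "__main__":
    print(interpret_wfp_event(SAMPLE_EVENT))
```

The same fields with Protocol 6 (TCP) would be a genuine port 143 connection, which is the case worth checking against installed mail clients.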

Offline DavidR

Re: Strange port 143 activity
« Reply #3 on: October 21, 2011, 01:12:27 AM »
The real danger of running the win7 firewall with outbound protection enabled is what you are going through right now; it is a pig; it isn't user friendly; it is rules based and you have to create the rules; that is always going to be prone to error.
