Mysterious Spyware Infection
September 14, 2005 5:34 AM   Subscribe

Have you tried using hijakthis.

http://www.spywareinfo.com/~merijn/downloads.html

It sometimes picks up some stuff the others don't find.
posted by meta87 at 5:38 AM on September 14, 2005

Do you have any P2P applications installed? I have noticed that some people set their bittorrent port to 110 or 80. This is probably to avoid a firewall on their side.

AVG would pick that up as sending email to that port.
posted by sebas at 5:49 AM on September 14, 2005

The first thing I'd do is see if that host is actually running a POP server, but interestingly, dyn-83-157-113-1999.ppp.tiscali.fr doesn't seem to actually be a host.

$ dig dyn-83-157-113-1999.ppp.tiscali.fr

; <>> DiG 9.2.2 <>> dyn-83-157-113-1999.ppp.tiscali.fr
;; global options:  printcmd
;; Got answer:
;; ->>HEADER< - opcode: query, status: nxdomain, id: 24551br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

I'm with sebas on the P2P thing -- AVG just sees traffic to port 110 and assumes it's POP, but probably doesn't actually spy on the traffic to know it's POP.
posted by delfuego at 5:55 AM on September 14, 2005

That is surely a typo.

$ host dyn-83-157-113-199.ppp.tiscali.fr
dyn-83-157-113-199.ppp.tiscali.fr has address 83.157.113.199

$ telnet dyn-83-157-113-199.ppp.tiscali.fr pop3
Trying 83.157.113.199...

[times out]
posted by grouse at 6:06 AM on September 14, 2005

That is surely a typo

Not necessarily. It looks like the IP is associated with a dial-up ISP, so it's possible that that IP was not in use when digging.

srboisvert: Next time you see this (or similar), note what programs you have running (to determine if sebas and delfuego are correct w/r/t P2P apps).
posted by MikeKD at 9:26 AM on September 14, 2005

Also, keep in mind that pop3 is a protocol for receiving mail. If you're connected to a remote pop3 server, mail will move from them to you, not vice versa.
posted by mendel at 9:43 AM on September 14, 2005

Do a netstat -b at the command prompt and it'll show you what applications have established network connections. If AVG is showing you sending mail then look to see if there's anything on port 25 (under the Local Address column you'll see :Port#). Otherwise have a look through there and see if there's anything that you know doesn't belong.
posted by Dipsomaniac at 9:48 AM on September 14, 2005

Also, keep in mind that pop3 is a protocol for receiving mail. If you're connected to a remote pop3 server, mail will move from them to you, not vice versa.

I'd think that this was the key, here: You send via SMTP, you receive via POP.

Incidentally, Tiscali (a European ISP) is abhorrent at tracking down and squashing spammers. I can only imagine that you're receiving spam from a throw-away dialup account in France.
posted by thanotopsis at 10:03 AM on September 14, 2005

That is surely a typo

Not necessarily.

To the contrary, almost certainly.

It looks like the IP is associated with a dial-up ISP, so it's possible that that IP was not in use when digging.

No, it's not, since 1999 is not a valid value for an IPv4 octet. Hence my guess that it is 199.
posted by grouse at 10:27 AM on September 14, 2005

Also, keep in mind that pop3 is a protocol for receiving mail.

That's not technically true -- you can send mail through POP3 using the XTND XMIT extension supported by many servers. But it doesn't seem likely that that's what's happening here.
posted by kindall at 10:29 AM on September 14, 2005

« Older Why won't MP3's I downloaded n...   |   WinXP question: tracert only w... Newer »

This thread is closed to new comments.