Weird email problem...

/usr · April 2005

This morning I jumped online, only to find that my AVG E-Mail Scanner box keeps popping up, with the following text...

AutoPOP3: Connecting to 88-83-136-85.user.auna.net

My email isn't even open.
Any ideas?

Webmaster · April 2005

If the address 88-83-136-85.user.auna.net is not configured in any of your mail clients, something else is trying to connect to a mailserver. Since it isn't you trying to connect, it's likely a piece of malware 'trying' to mail itself to others using OE.

In addition to the ones commonly mentioned here, try the Ewido Security suite, I've had some good (better) results with that one. Hijack This may show you the perpetrator too.

TURTLEGIRL · April 2005

It maybe that its automatically scanning incoming/outgoing messages. I personally would use Adaware and make sure your anti virus is up to date. Spybot search and destroy is good to use too. Also if you have an influx of spam...you'll know where its coming from.

Webmaster · April 2005

EDIT: keep reading the following replies to avoid confusion

GBAGIRL2 wrote:

It maybe that its automatically scanning incoming/outgoing messages.

POP3 is for sending email, hence outgoing only. But as /usr mentioned, his email is not open, so it's likey something that is not supposed to send email in the first place and AVG is triggered by it.

/usr · April 2005

POP3 is for receiving mail.

http://whatis.techtarget.com/definition/0,289893,sid9_gci212805,00.html

I'll try a couple Spyware scans...

I did a full scan with AVG, but it turned up nothing.

Webmaster · April 2005

omg!

Good morning Johan... having deployed dozens of email servers and thousands of clients... "POP3 is for sending". It will take some time before I get over this one...

In that case you might have a Trojan trying to download additional malicious data thru POP3. If you are certain you don't have any clients running that try to 'receive' email, you can be rather sure it is something that 'shouldn't', and likely it's trying to use Outlook Express (I assume you don't even have that one installed though...).

Webmaster · April 2005

Here's the link for Ewido's Security Suite btw:
www.ewido.net/en/download/
I found that it is frequently able to 'really' remove malware where ad-aware and spybot S&D fail (though I run those first).

/usr · April 2005

Good morning Johan... having deployed dozens of email servers and thousands of clients... "POP3 is for sending". It will take some time before I get over this one...

It happens to the best of us.

Getting ready to install MS Anti Spyware and Ad-Aware...I'll post results.

/usr · April 2005

Ad-Aware just found some cookies, as usual.

MS Anti-Spyware has found nothing so far.

Another scan with AVG showed nothing.

I'm going to try that Ewido suite next...

The only other solution I can think of is to download Zone Alarm and see if I can just block it.

Webmaster · April 2005

If Ewido doesn't work, try Hijack to see if anything out of the ordinary is found.

Btw: the target address is 88-83-136-85.user.auna.net, hence IP 85.136.83.88 (reverse order), which is from SPAIN ANDALUCIA SEVILLA CABLEMODEM-AUNA-ZONA-SUR

Non-Profit Techie · April 2005

Webmaster wrote:

omg!
Good morning Johan... having deployed dozens of email servers and thousands of clients... "POP3 is for sending". It will take some time before I get over this one...
.

i was reading this and was like crap. i better go take A+ again. i was thinking i learned nothing. good thing i kept reading, lol.

Ricka182 · April 2005

I just ran that Ewido suite.....scanned over 70000 files, and found 17 infected, some of which I thought Ad-Aware had already removed, but apparently left behind. Good program.

/usr · April 2005

Ewido found two things, just some cookies.

I keep my my machine very clean...I'll try HijackThis...

/usr · April 2005

Checked AVG's log...this kind of concerns me. It's the same thing, over and over and over.

24.4.2005 10:00:19 [4f8] AutoPOP3(10110): Connection from 127.0.0.1:2945
24.4.2005 10:00:19 [e00] AutoPOP3(10110): Client connected
24.4.2005 10:01:05 [e00] AutoPOP3(10110): Cannot connect to 88-83-136-85.user.auna.net:10111
24.4.2005 10:01:05 [e00] AutoPOP3(10110): Connect: The operation completed successfully. (0)

RussS · April 2005

ROFLMAO @ Johan

Ahhh, is ok my friend, I sometimes fire off a reply without thinking and find out that I am about face with my thoughts.

/usr - I would try running the Trend online scan.

/usr · April 2005

Got a link?

RussS · April 2005

Sorry dood

http://housecall.trendmicro.com/

Use the red button - then select the Complete Scan - AV and Security

drewm320 · April 2005

You may also want to take a peek at your hosts file (C:\WINDOWS\system32\drivers\etc\hosts) and make sure someone hasn't mapped the name 88-83-136-85.user.auna.net to 127.0.0.1.

RussS · April 2005

drewm320 - nothing wrong with that (if it is spywware).
Mapping rubbish to 127.0.0.1 is the best way to avoid popups etc.

Weird email problem...

Comments