avast email scanner...???

system · 2006-08-26T21:39:43.000Z

Thank you for your fast reply.
I forgot to mention that I use p2p program (uTorrent). Does that trigger such scanning?

alanrf · 2006-08-26T21:54:49.000Z

avast has utorrent in its list of programs to be excluded from such scanning.

If set the sensistivity of the mail scanner to high for a while it should alert you if some process in your system is sending out a lot of email spam.

If it does then in the mail scanner if you click on Customize > Advanced tab > Click on "Timeout for internet communication(s) > OK

You should get a popup telling you the name of the process sending the spam email.

system · 2006-08-27T00:43:59.000Z

So far;
My sys retore has been disabled from the start.
None of my av programs picked up anything unusual.
D/led & thoroughly scanned with a-squared; nothing
Set the sensitivity to high.

Don’t believe I have any malignant worm/virus/spyware in my pc.
My next one is two-pronged question;

Why can’t I just terminate the avast email-scanner pop-up?
- only way to stop is disconnect from the online
  2.Do you think it’s dangerous?
- is someone attacking my pc and avast is blocking the attempt?
- not even sure whether it’ scanning for outgoing or incoming mail
- where is this email avast is scanning?

Thanks for your input.

ps. Btw, I had AVS as my primary av program before and AVS had the same POP3 scanning warning popped up occasionally. AVS forum blamed p2p programs and there was no solution to fix this.

Lisandro · 2006-08-27T02:40:40.000Z

raemi00 post:5:

Why can’t I just terminate the avast email-scanner pop-up

Which is your avast version? 4.7.871?

raemi00 post:5:

2.Do you think it’s dangerous?

Well… it’s not good to disable… something is wrong and must be corrected…

raemi00 post:5:

where is this email avast is scanning?

Did you try to use TCPView from www.sysinternals.com ?

raemi00 post:5:

ps. Btw, I had AVS as my primary av program before and AVS had the same POP3 scanning warning popped up occasionally. AVS forum blamed p2p programs and there was no solution to fix this.

Did you correctly uninstall AVS?
Which P2P program do you have?

alanrf · 2006-08-27T02:52:42.000Z

I can tell you how to stop seeing “the problem”.

Before I do that I want you to think about this logically.

I have told you that the icon you are you are seeing is not caused by utorrent. The avast team have gone to the trouble to ensure that utorrent.exe is excluded from scanning by avast.

Are you using any other p2p program other than utorrent?

If you do have malware on your system do you want to find it or do you want to bury your head and pretend it is not there? The symptoms you describe are not someone sending email to your PC from outside (they cannot, you have to deliberately go ask for email), they suggest that you have an email spambot already inside your system sending out spam email without your approval.

The default of the Internet Mail scanner is to scan inbound and outbound mail. Nobody, but nobody, runs malware that receives email to your PC. There are many different examples of malware that turn your PC into a zombie churning out spam email (where do you think all that spam email comes from? PCs like yours).

So to return to your options - and it is entirely up to you.

If you only use email via the web browser (Yahoo & Hotmail etc.) and do not use any email client then you can turn off the Internet mail scanner. You will never be bothered by any warnings from it again - including the bluelight icon in the systray. If you are infected, if you become infected you will never know until your ISP comes to tell you are breaking their terms of service.

My recommendation (for whatever it is worth) is to keep the Internet Mail provider running with sensitivity set to high. If you are not using sending/receiving email it will be doing nothing (and using next to no resources). If you are infected it will alert you to multiple emails being sent. If you are using other p2p services that are triggering it we can show you how to avoid that.

There is another step I can suggest to get avast to absolutely confirm whether your system is sending spam emails or not.

If you need any more help please let us know.

system · 2006-08-27T03:18:33.000Z

Which is your avast version? 4.7.871? Yes

TCPView shows nothing unusual

Correctly uninstalled AVS as far as I know; no conflict issue occured

Only uTorrent and no other p2p program

Of cource I’d like to fix the problem not stop seeing “the problem”. That’s why I’m here.
So, IF I have an email spambot and spewing out junk email, how do I find it and kill it?

One last thing; I use tor/vidalia anon system to surf the web.

Thanks for your replies and help. I want to get to the bottom of this.

alanrf · 2006-08-27T03:59:49.000Z

TCPView shows nothing unusual

Hmmm … what is usual? It should at least look a little different with avast installed.

My friend Tech may not have mentioned that you should be looking for any processes that are linked to port 12025 (the ashMaiSv.exe listening port).

avast can log in more detail any connections made through the Internet Mail scanner to send or receive email.

You can get the mailscanner to log your connections by editing the avast4.ini file (in Program Files\Alwil Software\Avast4\DATA folder).

In the section headed:

[MailScanner]

add the line:

Log=20

and save the updated file.

The log will be in Program Files\Alwil Software\Avast4\DATA\log\ashmaisv.log

The log will show any connections being made on the email ports scanned by avast and the name of the process that is making the connection.

There is no harm in leaving the logging option set on in the avast4.ini. The log is cleared at each system restart so it will not build into a huge file and will have the information if the connection problem should happen again.

system · 2006-08-31T03:52:12.000Z

Today I just saw another warning first time since I started this post few days ago.

program name avast! e-Mail Scanner Service
file name ashMaiSv.exe
remote port 143
remote ip address 124.120.234.103

Somebody from Australia was trying to contact me. Hmmmm…
My guess is that some thing is triggering ashMaiSv.exe to send out a message but what?
How can I find out exactly what’s going on?

TIA.

alanrf · 2006-08-31T04:32:37.000Z

Where did you see this message? It does not look exactly like an avast message.

It has nothing to do with someone trying to contact you. It does indicate that something in your system was trying to establish contact from your system to a server using port 143, which is the port typically used for IMAP mail connections.

If you have the logging set up that I recommended - what does the log show?

system · 2006-08-31T05:08:37.000Z

"Cannot connect to IMAP server 124.120.234.103 "

Only relevantt message seemed to be that line from the log.

Other info came from ZoneAlarm blocking the attempt.
Maybe I didn’t put log=20 line correctly

[MailScanner]
PopRedirectPort=110
SmtpRedirectPort=25
ImapRedirectPort=143
NntpRedirectPort=119
IgnoreAddress=
IgnoreLocalhost=1
AutoRedirect=1
log=20 <----------------------- correct?
[Splash]

alanrf · 2006-08-31T05:11:39.000Z

That log, if you would allow us to see it should show the name of the process that is being intercepted by avast (ashMaiSv.exe) and then avast attempts to make the connection instead so that it can scan the traffic.

alanrf · 2006-08-31T05:14:46.000Z

I find it odd that a spambot would only attempt to use your system so sporadically.

Again, is utorrent the only P2P client you are using? I ask since 143 seems to be a frequently (mis)used port by P2P enthusiasts.

system · 2006-08-31T05:47:03.000Z

Yup. uTorrent is the only p2p proggie that I use.
I wonder about the infrequency too. Very strange.
Again, log=20 location is correct, right?

alanrf · 2006-08-31T06:25:44.000Z

Yes the location is correct.

Is there a concern that prevents you allowing us to see the log?

system · 2006-08-31T07:35:00.000Z

08/30/06 19:26:38 00000F94: Started as service, Log = 1
08/30/06 19:26:38 00000F94: Build 4.7.871
08/30/06 19:26:38 00000F94: Windows XP Workstation (Service Pack 2)
08/30/06 19:26:38 00000F94: Using WinSock 2.0
08/30/06 23:25:23 00000CB4: Cannot connect to IMAP server 124.120.234.103
(124.120.234.103:143), connect error 10061

This is the log; like I said, not whole lot to go on.

alanrf · 2006-08-31T07:47:04.000Z

Ah, as it says at the top of the log … Log=1

I asked you to enter Log=20 not log=20

Sorry I did not notice it earlier.

system · 2006-08-31T08:40:36.000Z

Log=20, it is then.
I’ll change and see if this will help solve the problem.
Thanks for your assistance.

system · 2006-09-01T15:34:35.000Z

Well, i’ve got another one and this time Log=20 is set correctly.

08/31/06 13:12:40 00000EC4: Started as service, Log = 20
08/31/06 13:12:40 00000EC4: Build 4.7.871
08/31/06 13:12:40 00000EC4: Windows XP Workstation (Service Pack 2)
08/31/06 13:12:40 00000EC4: Using WinSock 2.0
09/01/06 11:14:57 00000ABC: PATH: \Device\HarddiskVolume2\Program Files\Tor\tor.exe
09/01/06 11:15:14 00000ABC: Cannot connect to POP server 210.197.251.212 (210.197.251.212:110), connect error 10061
09/01/06 11:15:14 00000ABC: sent 94 (440)
09/01/06 11:15:14 00000ABC: --POP Finishing connection handler

So, what do you think?

alanrf · 2006-09-01T18:32:32.000Z

As you have probably guessed - you have found it.

You did mention earlier that you user Tor/Vidalia as a web anonymizer. I guess I should not have made assumptions about how Tor works.

Tor operates a bit like P2P clients, the folks who run Tor servers decide what port they will listen on and (as often happens with P2P) they choose a well-known email port since they know the server will not be running as an email server and the port will work for them. They then tell Tor users to connect to their server on that well-known port. This is, of course, all under the covers to you and so once in a while you connect to a Tor server on a port that is monitored by the avast Internet Mail Scanner and it shows up in the systray. It most likely also disrupts the Tor connection that is being attempted.

The solution is to edit the avast4.ini file and in the section headed:

[MailScanner]

add a line:

IgnoreProcess=tor.exe

avast will then ignore use of the ports it intercepts when made by Tor.

I will also drop a note to the avast team suggesting that they add Tor to their list of automatic exclusions so that the next Tor user along doesn’t have to work out the issue again.

system · 2006-09-01T18:57:17.000Z

Yup. I was pretty sure I didn’t have any malware imbedded in my pc. But like I also said, you can never be sure.
Thanks for answering my question. I really appreciated it. Also glad I helped avast little bit about tor. Thanx again!

Announcements