Internet mail shield prevent (alerts too) Bot-Net activity?

Hello.
I do not use any P2P applications or download email, I just read my email off the Gmail site.
Nor do I use any form of instant messaging.
Normally I run only the Web shield, the network shield and the Standard shield.
It seems that I read somewhere on the forum in the past that it is a good idea to run the
Internet mail shield even if you do not download email, as a way of preventing (or alerting?)
you of a bot-net thing where your computer is used to send huge amounts of spam.
Is this correct?

thanks
n

Having the Internet Mail set to High also increases the Heuristic checks within the email scanner, and it would detect multiple identical emails in a period of time. That could be your indication that an undetected spambot is sending spam. These trojans come with their own very small SMTP program so they don’t use your email client (if you had one), but since it would be using port 25 for SMTP it should be intercepted by the Internet Mail provider.

So even though it is enabled it won’t be using much in the way of resources as it would effectively be idle, unless there was some email activity.

OK, sounds good to me.
But no reason to start the P2P, instant message, or Outlook shields if I don’t use any of that stuff, right?
And standard shield set to “high?”

I do not use P2P, Outlook, or Instant Message Shields at all. My Standard is set at the
default Normal. According to Help in Start Menu - Avast :

Standard Shield checks the programs you start and the files you access. It will not allow an infected program to be started - so, the virus code cannot be activated.

Normal. Default setting.
High. In addition to the default setting, created and modified files will be scanned as well.

However :

Standard Shield. It checks the applications being run and documents being opened. It will not allow an infected application to start or an infected document to be opened, thus possibly protecting you from activating or spreading a virus.

So to me High does not add much self protection.

I would say you can Terminate those three that you don’t use, you could go a step further and remove them, so they don’t show up at all. Windows add remove programs, avast! Antivirus, Change/Remove button, select Change, next and uncheck the three you aren’t using, click next and OK your way out.

I have Internet Mail and the Web Shield set to High, there is no appreciable impact from this, leave the Standard Shield on Normal (the default) it provides a good balance between performance and protection.

With the trend today of using SSL for email, use of unencrypted port 25 for smtp is rapidly becoming a thing of the past. My ISP, for example, already had SSL email and just switched to the Gmail service, and other large ISPs are also forcing their customers to use SSL to cut down on zombies. Unless the trojan email program has its own SSL certificate, or can hijack your email client in a way that avast! or a firewall/HIPS can’t detect, things look pretty safe for normal setups. Since you are using gmail, avast! can’t scan it anyway because it is encrypted, unless you go the stunnel route. And gmail already virus scans (and spam scans) all incoming and outgoing email. So the threat is a trojan that sends its own email on port 25, and you should set up your firewall not to allow TCP out on port 25. And use a HIPS to make sure they are not using some other port.
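As an added illustration (not part of any post in this thread), the check below shows what "a trojan that sends its own email on port 25" looks like in a connection log: outbound SMTP from a process that is not an approved mail client, arriving in a burst. The log format, process names, addresses, the 60-second window and the threshold of 5 are all constructed assumptions; ports 465 and 587 are included alongside 25 because a webmail-only machine should show none of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}        # SMTP, SMTP over SSL, mail submission
WINDOW = timedelta(seconds=60)     # assumed burst window
BURST = 5                          # assumed connections per window that count as a burst

# Constructed sample log (hypothetical format): date, time, process, direction, remote host:port
SAMPLE_LOG = """\
2009-03-01 10:00:01 firefox.exe OUT 192.0.2.10:443
2009-03-01 10:00:05 svch0st.exe OUT 198.51.100.7:25
2009-03-01 10:00:09 svch0st.exe OUT 198.51.100.8:25
2009-03-01 10:00:14 svch0st.exe OUT 203.0.113.4:25
2009-03-01 10:00:20 svch0st.exe OUT 203.0.113.9:25
2009-03-01 10:00:31 svch0st.exe OUT 198.51.100.22:25
2009-03-01 10:02:00 thunderbird.exe OUT 192.0.2.25:465
2009-03-01 10:03:00 firefox.exe IN 192.0.2.10:443
"""

def parse(line):
    date, time, proc, direction, remote = line.split()
    host, _, port = remote.rpartition(":")
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, proc.lower(), direction, host, int(port)

def smtp_suspects(log_text, allowed=frozenset()):
    """Report outbound SMTP per process, skipping processes in `allowed`
    (leave it empty on a webmail-only machine, where no local sender is expected)."""
    times, hosts = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, direction, host, port = parse(line)
        if direction == "OUT" and port in SMTP_PORTS and proc not in allowed:
            times[proc].append(ts)
            hosts[proc].add(host)
    report = {}
    for proc, stamps in times.items():
        stamps.sort()
        # Sliding window: BURST consecutive connections that all fall inside WINDOW.
        burst = any(stamps[i + BURST - 1] - stamps[i] <= WINDOW
                    for i in range(len(stamps) - BURST + 1))
        report[proc] = {"connections": len(stamps), "hosts": len(hosts[proc]), "burst": burst}
    return report

if __name__ == "__main__":
    for proc, info in smtp_suspects(SAMPLE_LOG, allowed={"thunderbird.exe"}).items():
        print(proc, info)
```

Many distinct remote hosts in a short window is the stronger signal: a mail client talks to one or two servers, while a spambot delivers directly to many.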

My ISP (Comcast) is one of the behemoths of cable here in the US. It still provides (maybe allows) for me to send my emails on port 25 without a secure connection from my wired desktop. So:

use of unencrypted port 25 for smtp is rapidly becoming a thing of the past

may be true or may not … I would agree there is a clear trend - even if it was introduced to help the email services cut down on spamming use of their service and hence reducing their costs rather than any altruistic concern for their customers. Can you tell me why I would want to make the effort to change (unless forced)?

Please understand … I support a group of users (pro bono) and I am just posing here the kind of questions and comments I get from my users, and I suspect that they are not totally distinct from the mainstream of the user community.

Many drawn to this forum are technophiles - we have some that live, eat and breathe anti-malware. I think they are great contributors to the forum but the vast majority of avast users just want, I believe, a “set it and forget it” solution where they do not need to know what TCP means or worry about port 25 or what a port means, let alone what HIPS means at all.

sded

Sorry for choosing your post as the one for posing these concerns that I do not expect you to answer alone. Despite the efforts of system developers, systems are becoming less and less understandable to the average owner of a PC - even younger ones. Most people want to enjoy their PCs - not spend their every waking moment in fear of whether they should be using SSL or whether their next website visit will drain their bank account and living a life in security forums.

My ISP doesn’t support smtp on port 25 without a waiver and authentication process, as do many of the ones who have gone to requiring SSL email. For the reasons you mentioned. The switches I hear about are indeed forced. Don’t know whether the OP is still using one that does. Maybe should ask him about it, since otherwise doesn’t help him. But agree, unless he uses a firewall that blocks outgoing connections there is not much else he can do. The other trend that supports this is the increasing penetration of gmail into ISP supplied email services, with the same port restrictions as standard gmail. Don’t know about comcast, but have heard that verizon and several other major DSL ISPs have also gone to requiring encryption even if you use port 25. So I don’t think the answer is nearly as simple as it used to be a few years ago. Security is certainly making the world more complicated, isn’t it? :)
BTW, I find watching for the globe to spin constantly when nothing is happening is also quite useful. Doesn’t standard shield also see the botnet?

Much appreciate your assessment - and I agree with it.

Well we even have reports here of GMail users with port 25 and SSL (which I cannot replicate), so your point is well taken (even if it does cause problems in the default use of avast).

Let me just add that it is reported that avast will provide the management of secure email connections (i.e. the function that now requires STunnel) natively in avast release 5. I hope they find a way to do it that is easier for users than that used in AVG.

I still think that many users want their own scans on top of those in the email providers. Indeed one major email provider is still the only email service that will (with a little rule bending on my part) allow me to get viruses delivered to me via email to check out avast’s email scans.

Fortunately, gmail is quite good as both a virus scanner and a spam scanner, but many of the others are of unknown quality. I will still go back to Avast! and stunnel as a backup, though, as soon as Online Armor can figure out an annoying but minor bug that happens when both are running email scanners. The only viruses we see these days are on my wife’s old compuserve account that she refuses to give up, but that over the years has become almost all spam with occasional viruses, and she uses avast! for that also. And I never did figure out how to get avg to do ssl mail, although I have no problem setting up avast! and stunnel.

I want to thank each of you for sharing your knowledge.
The support on this forum is really second to none.

I use Kerio 2.1.5 with the default rule set.
I do not know how to block port 25.
My ports all come up stealth-ed on the online firewall tests…
With my firewall off!
I guess it is my ISP at work.
Stealth is not the same as block, is it?

Sorry for grabbing the end of your thread and throwing in a little confusion. :) It struck me that we didn’t know whether you were on one of the ISPs that has gone to SSL and no longer uses the standard SMTP setup for mail anyway, and noted that even so you could go ahead and block the standard port with your firewall because you use web mail. But as alanrf pointed out, this requires a bit of technogeeking about and modifying your firewall rules.
Turning on the avast! email provider has the advantage of requiring nothing but the default avast!, can’t hurt and might help no matter what your configuration. If a bot net is sending out virus infected mail or large mail volumes over the standard SMTP port, avast! should catch it automatically. Even lesser activities will show up as unusual avast! spinning icon activity and scan counts showing up in the internet email provider. So users get most of the benefits of port blocking with very little effort. Stealth just means that you don’t answer unauthorized requests from outside your system, so it sounds like you are in good shape.

Thanks sded, no real confusion.
Seems that I am OK.
I am with the former Sprint, now Embarq.
When I lived 20 miles away, and was a Verizon user,
the stealth thing was the same.
I wonder if they do it for the user’s protection,
or just to prevent some sort of theft of service.

But as the old saying goes:
“It is an ill wind,
that blows no good.”

normishmael

Could be your router is set up to be stealthy (many are) or that your Kerio 2.1.5 rules reject incoming without comment. I don’t remember what the Kerio 2.1.5 default rules are, but the Blitzen Zeus (Google them) rules I used were pretty stealthy as I recall. Some ISPs also provide a stealthy firewall for you if desired, but don’t know about Embarq. Glad everything is all set. Regards; Ed.