Port scans with Avast email scanner

Hi, I recently was checking a firewall log and noted that a program in Avast is on occasion logged as an external blocked port scan. This is the email scanner in Avast called Ashmaisv.exe. I traced this to Taiwan. Here is a log entry:

Description Packet sent from 118.161.52.96 (TCP Port 4111) to 192.168.1.64 (SMTP) was blocked
Rating Medium
Date / Time 2008/06/21 11:17:54-4:00 GMT
Type Firewall
Protocol TCP (flags:S)
Program ASHMAISV.EXE
Source IP 118.161.52.96:4111
Destination IP 192.168.1.64:25
Direction Incoming
Action Taken Blocked
Count 1
Source DNS 118-161-52-96.dynamic.hinet.net
Destination DNS PAVILION

Is this a port scan from AVAST or a cracker?

Here is some more on DNS:

WHOIS - 118.161.52.96
Generated by www.DNSstuff.com

Location: Taiwan [City: ]

ARIN says that this IP belongs to APNIC; I’m looking it up there.


% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 118.160.0.0 - 118.167.255.255
netname: HINET-NET
country: TW
descr: CHTD, Chunghwa Telecom Co.,Ltd.
descr: Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr: Taipei Taiwan 100
admin-c: HN27-AP
tech-c: HN28-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-TW-TWNIC
mnt-lower: MAINT-TW-TWNIC
mnt-routes: MAINT-TW-TWNIC
changed: **********@apnic.net 20071004
source: APNIC

person: HINET Network-Adm
address: CHTD, Chunghwa Telecom Co., Ltd.
address: Data-Bldg. 6F, No. 21, Sec. 21, Hsin-Yi Rd.,
address: Taipei Taiwan 100
country: TW
phone: +886 2 2322 3495
phone: +886 2 2322 3442
phone: +886 2 2344 3007
fax-no: +886 2 2344 2513
fax-no: +886 2 2395 5671
e-mail: ***********@hinet.net
nic-hdl: HN27-AP
remarks: same as TWNIC nic-handle HN184-TW
mnt-by: MAINT-TW-TWNIC
changed: **********@twnic.net 20000721
source: APNIC

person: HINET Network-Center
address: CHTD, Chunghwa Telecom Co., Ltd.
address: Data-Bldg. 6F, No. 21, Sec. 21, Hsin-Yi Rd.,
address: Taipei Taiwan 100
country: TW
phone: +886 2 2322 3495
phone: +886 2 2322 3442
phone: +886 2 2344 3007
fax-no: +886 2 2344 2513
fax-no: +886 2 2395 5671
e-mail: **************@hinet.net
nic-hdl: HN28-AP
remarks: same as TWNIC nic-handle HN185-TW
mnt-by: MAINT-TW-TWNIC
changed: **********@twnic.net 20000721
source: APNIC

inetnum: 118.161.0.0 - 118.161.255.255
netname: HINET-NET
descr: Chunghwa Telecom Data Communication Business Group
descr: Taipei Taiwan
country: TW
admin-c: HN184-TW
tech-c: HN184-TW
mnt-by: MAINT-TW-TWNIC
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at whois.twnic.net.
changed: *******@ms1.hinet.net 20071004
status: ASSIGNED NON-PORTABLE
source: TWNIC

person: HINET Network-Adm
address: CHTD, Chunghwa Telecom Co., Ltd.
address: Taipei Taiwan
e-mail: ***********@hinet.net
nic-hdl: HN184-TW
changed: **********@twnic.net.tw 20000721
source: TWNIC


It looks to me like you’re using a program that’s using port 25 which is reserved for pop3 mail.
This would cause the avast! email scanner to wake up.

I think bob3160 is right, but it looks just a bit more strange than that. This is an external address delivering to an address range reserved for internal LANs.

It appears that this is coming in through a NAT router that is not well configured or that this potentially represents a response deliberately solicited by the user.

Some P2P programs are set up to listen on the well-known SMTP port 25 because most systems do not use that port to receive data, only for sending emails. Since this connection is aimed at port 25 of the poster's system, there is a chance that the system is running a P2P program that is listening on port 25 and this represents another system trying to make the connection.

As bob3160 has reported, the avast Internet Mail scanner is set up to respond to outbound connections to port 25 (assuming this is SMTP mail traffic). The avast Internet Mail scanner does not listen at the system's external port 25 to receive inbound traffic from external sources.
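The reasoning in this reply, applied to entries in the layout of the log posted at the top of the thread, as an added example (not code from the thread or from Avast): an incoming SYN to port 25 from a public address to an RFC 1918 address only reaches a NAT'd host through a port forward or a local listener, while outbound port-25 traffic is what the mail scanner proxy handles. The sample records are constructed; the first is the posted entry, the other two (an outbound connection to 192.0.2.10, a documentation address, and an inbound one from a LAN neighbour) are made up for contrast.

```python
"""Classify firewall log entries in the key/value layout posted in this thread.

Added example, not code from the thread or from Avast; it assumes only the
field names shown in the posted entry and uses the standard library.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input: the posted entry, then two made-up records.
SAMPLE_LOG = """\
Description Packet sent from 118.161.52.96 (TCP Port 4111) to 192.168.1.64 (SMTP) was blocked
Rating Medium
Protocol TCP (flags:S)
Program ASHMAISV.EXE
Source IP 118.161.52.96:4111
Destination IP 192.168.1.64:25
Direction Incoming
Action Taken Blocked
Count 1
Source DNS 118-161-52-96.dynamic.hinet.net

Description Packet sent from 192.168.1.64 (TCP Port 1054) to 192.0.2.10 (SMTP) was allowed
Protocol TCP (flags:S)
Program ASHMAISV.EXE
Source IP 192.168.1.64:1054
Destination IP 192.0.2.10:25
Direction Outgoing
Action Taken Allowed
Source DNS PAVILION

Description Packet sent from 192.168.1.10 (TCP Port 3300) to 192.168.1.64 (SMTP) was blocked
Protocol TCP (flags:S)
Source IP 192.168.1.10:3300
Destination IP 192.168.1.64:25
Direction Incoming
Action Taken Blocked
"""

# Field names taken from the posted entry; anything else (Rating, Count, ...) is ignored.
KNOWN_KEYS = [
    "Description", "Protocol", "Program", "Source IP", "Destination IP",
    "Direction", "Action Taken", "Source DNS", "Destination DNS",
]


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a dump of blank-line-separated entries into one dict per entry."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in chunk.splitlines():
            for key in KNOWN_KEYS:
                if line.startswith(key + " "):
                    rec[key] = line[len(key) + 1:].strip()
                    break
        if rec:
            records.append(rec)
    return records


def split_endpoint(value: str):
    """'118.161.52.96:4111' -> (IPv4Address('118.161.52.96'), 4111)."""
    host, _, port = value.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(rec: Dict[str, str]) -> str:
    """Apply the thread's reasoning to one entry and return a verdict string."""
    src_ip, _ = split_endpoint(rec["Source IP"])
    dst_ip, dst_port = split_endpoint(rec["Destination IP"])
    is_syn = "flags:S" in rec.get("Protocol", "")
    incoming = rec.get("Direction", "").lower() == "incoming"
    rdns = rec.get("Source DNS", "").lower()

    if dst_port != 25 or not is_syn:
        return "not an SMTP connection attempt"
    if not incoming:
        # Outbound SMTP is the traffic a mail-scanner proxy sits in front of.
        return "outbound SMTP connection; expected for a mail-scanner proxy"
    if src_ip.is_global and dst_ip.is_private:
        # A public source reaching an RFC 1918 address on port 25 means the
        # router forwarded it; find out what on this host would answer on 25.
        verdict = ("unsolicited inbound SMTP SYN from the Internet to a private "
                   "address; check the router for a port-25 forward and the host "
                   "for a process listening on 25")
        if "dynamic" in rdns or "dsl" in rdns or "cable" in rdns:
            verdict += "; source reverse DNS looks like a consumer dynamic pool"
        return verdict
    return "inbound SMTP SYN from another LAN host; it is trying to deliver mail to this PC"


def summarize(text: str) -> List[Tuple[str, str]]:
    """Return (source endpoint, verdict) for every entry in the dump."""
    return [(rec["Source IP"], classify(rec)) for rec in parse_records(text)]


if __name__ == "__main__":
    for src, verdict in summarize(SAMPLE_LOG):
        print(f"{src:24} {verdict}")
```

The verdict for the posted entry is the one the reply arrives at: a blocked inbound SYN to port 25 from a hinet.net dynamic address, which the firewall attributed to the mail scanner, is worth a look at the router's forwarding rules and at whatever is bound to port 25 on the PC, rather than being treated as scanner activity.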

The only programs on at the time were IE and OE. Outlook Express is the only possibility, and I was on the news reader at the time. I guess I will continue to block this log entry and, unless Avast begins to complain about it, I will just forget it. It looks suspicious coming from the outside and these regions. Thought I would inquire here, thanks.

Just to be on the safe side you should set the sensitivity level of the Internet Mail provider to high. This will use no noticeable extra resources on your system, but just in case there is something else doing something with port 25 that should not be (like a spambot infection), avast should detect it and alert you.