tor trying to pop mail from random IPs on win32

Joseph B Kowalski jbk at hush.ai
Tue Aug 22 04:31:54 UTC 2006



On Mon, 21 Aug 2006 19:47:32 -0700 Roger Dingledine <arma at mit.edu> wrote:
>On Sat, Aug 19, 2006 at 05:04:05PM -0700, Tor question wrote:
>> Is there a reason why tor would try and POP mail from random IPs while
>> running in Windows?  I have a log from AVG Antivirus that shows tor is
>> trying to POP mail.  The process number is tor's process id number at
>> the time that it happens.  Also, I do not have any mail client installed
>> on that machine that might be trying to POP mail
>
>What version of Tor? What version of Windows? Have you changed your
>Tor configuration at all, e.g. are you a Tor server?
>
>If you are just a Tor client, perhaps there was a Tor server running
>on 218.46.74.116:110? There's no rule that traffic on port 110 will
>necessarily be pop traffic. But I don't think there was a Tor server at
>that address.
>
>If you were a Tor server, perhaps somebody tried to connect to port 110
>via you?
>
>It's unlikely that this is a rogue or zombie Tor. More likely, it is a
>hyperactive anti-virus program. But, hard to say without more details.
>
>--Roger

Hi guys,


Just wanted to add that I had seen this behavior before several months back. At the time, I was running AVG anti-virus, which includes a real-time email scanning component. Basically, what it came down to was that there was a Tor server running its ORPort on either port 25 or 110 (can't remember which right now). So, whenever my Tor client would establish a connection to that server, I would get a message popping up indicating that Tor was trying to establish an SMTP or POP3 connection, whichever it was. I was suspicious at first, of course, but ended up looking at the IP it was indicating that Tor was connecting to, taking that IP over to the Tor network status site (http://serifos.eecs.harvard.edu/cgi-bin/exit.pl), and looking for the IP in question. Sure enough, it was a Tor server, and sure enough, it was running its ORPort on 25 or 110, whichever it was.


There is a good chance that you are experiencing something similar, and if so you should be able to verify it the same way that I did.


Best regards,


Joe Kowalski
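The verification step Joe describes (take the destination IP:port from the anti-virus alert and look it up in the Tor network status) can be automated. The script below is an added example, not code from this thread or from the Tor project; it assumes a relay list in the "r" line format of a Tor network status document and a constructed, hypothetical anti-virus log format, both embedded as sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "r" line format of a Tor network status document:
# r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
SAMPLE_STATUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2006-08-21 10:00:00 198.51.100.7 110 9030
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2006-08-21 10:05:00 203.0.113.9 9001 0
"""

# Constructed anti-virus style alert lines (the format is hypothetical).
SAMPLE_AV_LOG = """\
2006-08-19 17:04:05 tor.exe pid=1234 outbound POP3 198.51.100.7:110 blocked
2006-08-19 17:06:11 tor.exe pid=1234 outbound POP3 192.0.2.44:110 blocked
"""

@dataclass(frozen=True)
class Relay:
    nickname: str
    ip: str
    orport: int
    dirport: int

def parse_status(text):
    """Index relays by (IP, ORPort) so an alert's destination can be looked up directly."""
    relays = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0] == "r":
            relays[(f[6], int(f[7]))] = Relay(f[1], f[6], int(f[7]), int(f[8]))
    return relays

# Pull the protocol the AV product guessed plus the destination IP:port out of an alert.
AV_RE = re.compile(r"(?P<proto>POP3|SMTP)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

def classify_alerts(av_log, relays):
    """Return [((ip, port), verdict)] for each alert that names a destination."""
    results = []
    for line in av_log.splitlines():
        m = AV_RE.search(line)
        if not m:
            continue
        key = (m.group("ip"), int(m.group("port")))
        relay = relays.get(key)
        verdict = (f"known Tor relay '{relay.nickname}' ORPort" if relay
                   else "not a listed relay: investigate")
        results.append((key, verdict))
    return results

if __name__ == "__main__":
    for key, verdict in classify_alerts(SAMPLE_AV_LOG, parse_status(SAMPLE_STATUS)):
        print(f"{key[0]}:{key[1]} -> {verdict}")
```

A destination that matches a relay's ORPort is the benign case from this thread; one that does not is the case that still warrants a closer look at the process and its configuration.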