-
Wed, 06-09-2004, 04:40 PM
#1
Student
Bit torrent program tried to send out e-mail.
When I went to sleep last night I left my computer on d/l the latest Full Metal Alchemist episode. When I woke up this morning Zone Alarm was warning me that btdownloadgui.exe was trying to send out an e-mail. I denied its access but I'm now more than a little worried. Any ideas on what's going on?
Tim
-
Wed, 06-09-2004, 08:03 PM
#2
Bit torrent program tried to send out e-mail.
Well, that depends on what kind of Bittorrent client you are using. If you are using a lesser known one, it could be that it is trying to send adware/spyware onto your computer. What I suggest is that you uninstall the current one you have and either download the Official Bittorrent Client or another popular one like Bit Tornado. Hope I could help.
-
Wed, 06-09-2004, 10:52 PM
#3
Student
Bit torrent program tried to send out e-mail.
-
Thu, 06-10-2004, 02:21 AM
#4
RE: Bit torrent program tried to send out e-mail.
are you sure someone wasn't just woefully misconfigured?
I am pretty sure the official won't send out email. The author has ethics and wouldn't be a jackass like that.
You might have gotten something unofficial tacked onto the official release (or falsely named the official). There are distributions emerging that bundle stuff with the official release and sneak it onto your system. Don't trust it unless you downloaded it from the official page that stos mentioned, or unless it's a well-known modification to it.
I'd also recommend a system check with spybot-sd and ad-aware, and probably a full system virus scan, just to be somewhat more confident in your system's integrity. Be sure to update definitions for all 3 of those things before you start scanning.
There's only one scenario I can think of that might lead zonealarm to believe that a legitimate correctly-configured bittorrent is sending an email, and that's that a client it's trying to send to is configured to listen on port 25 (the smtp port). I don't think zonealarm is smart enough to figure out how to determine that, since it'd have to see and analyze successful communication instead of just watching attempts at initiating communication (by which time it's already too late -- the communication has already happened). If a client on the network sets the listening ports to include 25, your client could be attempting to send on that port, which would look enough like an initiating smtp connection to make it think that it's mailing, even if it's just sending packets. So it might be no cause for alarm, but it's still something to tell you something somewhere is probably not right.
-
Thu, 06-10-2004, 09:10 AM
#5
Student
Bit torrent program tried to send out e-mail.
1. I downloaded the program from the official site.
2. I use Spybot and Ad-Aware religiously, thrown in with a dash of HijackThis.
3. I've used my virus scan and used online scanning tools.
4. If it is trying to use port 25 why would this happen 5-6 months after I've been using the bit-torrent product?
5. How would I determine if port 25 is the culprit and how would I reconfigure the network or client?
Thanks for taking the time to respond to my confusion.
-
Thu, 06-10-2004, 02:27 PM
#6
Bit torrent program tried to send out e-mail.
Well, Bittorrent shouldn't really use port 25. The ports that Bittorrent uses are ports 6881-6999. The only use for port 25 is for an SMTP (Simple Mail Transfer Protocol) server. What this server does is that it sends mail between different servers on the internet using an e-mail client. I have two theories on your problem. My first one is that Bittorrent is using the SMTP server to exchange information between different servers on the internet (which is not always a bad thing because it could be sending information on your download). My second is that a third-party company is using this access to send adware or spyware to your computer through Bittorrent. The Bittorrent client does not need port 25 to be forwarded. So if port 25 is forwarded, then you really might want to close it unless you have another application that is using it. If you would like to know how to close port 25 or any other ports, just tell me what kind of router you have and I can show you how to close it. Hope I could help.
-
Fri, 06-11-2004, 06:27 AM
#7
RE: Bit torrent program tried to send out e-mail.
stos: you're half-right. Bittorrent doesn't use port 25 by default. It uses 6881-6889 (you got the range a little wide there too).
BUT (and this is the catch) you can specify whatever port range you want to use. The tracker handles telling people where to send what data, so if you changed your port range (originally 6881-6889) to something odd (like 21-35) then it would start at port 21 and listen on ascending numbered non-bound ports until it was listening on all of them. Typically in my experience it does this one port per torrent being downloaded, so if you were torrenting 5 files it'd be listening on ports 21, 22, 23, 24, and 25. Or if you set the range to be 25-28 it'd listen on 25, 26, 27, 28 and then when you tried to open a fifth torrent it'd complain about failing to bind to a socket and would probably just not download anything.
I'm thinking some jackwad did that, either because they didn't know any better or because they wanted to get around a firewall or something like that.
One way you can try to verify this is by telnetting to the address on port 25. You'd do this by going to start->run->cmd -- in the command window you'd type "telnet <host.address.here> <portnumber>" (so if it is smtp -- port 25 -- on 1.2.3.4 you'd type "telnet 1.2.3.4 25"). If it lets you connect, type HELO and hit enter (you probably won't see anything when you're typing, just trust you're typing something). If you get something back other than an error message then you're actually talking to an smtp server, and something was actually trying to send mail (or it's just a strange coincidence). Here's a log of what happened in my case connecting to a legitimate smtp server:
telnet smtp.purdue.edu
220 usstp07.itcs.purdue.edu ESMTP Fri, 11 Jun 2004 06:13:46 -0500
HELO
501 5.0.0 HELO requires domain address
HELO archlich.dyndns.org
250 usstp07.itcs.purdue.edu Hello 12-223-216-205.client.insightbb.com [12.223.216.205], pleased to meet you
QUIT
221 2.0.0 usstp07.itcs.purdue.edu closing connection
Connection to host lost.
If you get something other than a disconnect from sending HELO, or get headers like I got when I first connected, then I'd be suspicious. If you get nothing, or you get connection refused or connection timed out or something like that, then it's probably just some
Do ya still have the firewall log? If so, see if it's got an ip address, try that out, and let us know what turns up. I'd be really interested to see if it's actually a mailserver running there....
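The check described in the post above (connect to the remote host on port 25 and see whether an SMTP server answers) can be scripted so the result is unambiguous. This is an added example, not code from the thread or from any BitTorrent client: it relies on the fact that an SMTP server speaks first with a "220" greeting, while a BitTorrent peer listening on an unusual port sends nothing until it receives a handshake beginning with the byte 0x13 and the string "BitTorrent protocol". The sample banner and handshake below are constructed, and the hostname mail.example.invalid is a placeholder.

```python
import socket
import sys

# Constructed sample data (not from a real capture). The SMTP line mirrors the
# greeting shape quoted in the thread; the second is a BitTorrent handshake
# prefix (0x13, "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash,
# 20-byte peer_id) with placeholder hash and id.
SAMPLE_SMTP_BANNER = b"220 mail.example.invalid ESMTP Fri, 11 Jun 2004 06:13:46 -0500\r\n"
SAMPLE_BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20 + b"B" * 20


def parse_smtp_reply(line: bytes):
    """Return (code, text) if `line` is shaped like an SMTP reply, else None.

    An SMTP reply is a three-digit code followed by a space (final line) or a
    hyphen (continuation line) and free text.
    """
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if len(text) < 3 or not text[:3].isdigit():
        return None
    if len(text) > 3 and text[3] not in (" ", "-"):
        return None
    return int(text[:3]), text[4:]


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a peer sent after we connected.

    'smtp'       -> a mail server greeted us (it speaks first)
    'bittorrent' -> a peer sent a BitTorrent handshake
    'silent'     -> nothing arrived before the timeout (typical of a BitTorrent
                    listener, which waits for our handshake)
    'unknown'    -> some other protocol
    """
    if data.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    reply = parse_smtp_reply(data.split(b"\n", 1)[0])
    if reply is not None and reply[0] // 100 in (2, 4, 5):
        return "smtp"
    if not data:
        return "silent"
    return "unknown"


def probe(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect to host:port, wait for the peer's opening bytes, classify them.

    Returns one of the classify_banner() labels, or 'unreachable (...)' when the
    connection itself fails (refused, timed out, no route).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                data = b""
            return classify_banner(data)
    except OSError as exc:
        return f"unreachable ({exc.__class__.__name__})"


if __name__ == "__main__":
    # Usage: python probe25.py <ip-from-firewall-log> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(f"{target}:{target_port} -> {probe(target, target_port)}")
```

A "silent" result on port 25 is consistent with the misconfigured-peer theory in the thread: the remote client is bound to 25 and waiting for a BitTorrent handshake, so the firewall saw an outbound connection to the SMTP port but no mail was involved. A "smtp" result means a real mail server is listening there, which is the case where the original alert deserves follow-up on the local machine.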
-
Fri, 06-11-2004, 02:53 PM
#8
Student
RE: Bit torrent program tried to send out e-mail.
Okay here we go. It was Port 25. It turns out that the IP it was trying to contact comes from out of Denmark.
Details about 80.62.25.210, the IP address of the computer that caused the alert you received from ZoneAlarm Pro, are provided in the Whois report below. The information in the Whois report comes from the Regional Internet Registry (RIR) for the region where 80.62.25.210 is located: ARIN, RIPE, LACNIC or APNIC. The name of the RIR appears in the Whois report.
The Whois report includes the name, address and contact information for the Internet Service Provider (ISP) that administers the block of IP addresses that contains 80.62.25.210. The report probably does not list the administrator of the specific computer at IP address 80.62.25.210.
You should not assume that individuals listed in this report are responsible for the alert you received on your computer.
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html
inetnum: 80.62.25.0 - 80.62.25.255
netname: TELEDANMARK-ADSL-USERS
descr: IP addresses for ADSL users in
descr: Tele Danmark's IP backbone.
descr: Location: Albertslund
descr: Box: albnxx3
country: DK
admin-c: AS5071-RIPE
tech-c: AS5071-RIPE
rev-srv: ns.tele.dk
rev-srv: tix.ns.tele.dk
status: ASSIGNED PA
remarks: If you have any complaints regarding a user from this
remarks: ip range, please contact abuse@post.tele.dk regarding
remarks: this issue.
notify: access@ip.tele.dk
mnt-by: AS3292-MNT
mnt-lower: AS3292-MNT
changed: heves@tdk.dk 20010713
source: RIPE
route: 80.62.0.0/15
descr: TDC Tele Danmark
origin: AS3292
remarks: +---------------------------------------+
remarks: | For abuse and security issues contact |
remarks: | csirt@csirt.dk, http://www.csirt.dk |
remarks: +---------------------------------------+
notify: notify@ip.tele.dk
mnt-by: AS3292-MNT
changed: auto-ripe@ip.tele.dk 20010701
changed: auto-ripe@ip.tele.dk 20010813
changed: auto-ripe@ip.tele.dk 20020711
changed: auto-ripe@ip.tele.dk 20020730
source: RIPE
role: AS3292 Staff
address: TDC Net
address: Sletvej 30, A039
address: DK-8310 Tranbjerg
address: Denmark
phone: +45 50 12 29 47
e-mail: staff@ip.tele.dk
trouble: staff@ip.tele.dk
admin-c: MILY1-RIPE
admin-c: NINA1-RIPE
tech-c: NCB1-RIPE
tech-c: MILY1-RIPE
tech-c: HV72-RIPE
nic-hdl: AS5071-RIPE
mnt-by: AS3292-MNT
changed: staff@ip.tele.dk 19990223
changed: staff@ip.tele.dk 20030326
changed: staff@ip.tele.dk 20040601
source: RIPE
-
Sat, 06-12-2004, 05:13 PM
#9
RE: Bit torrent program tried to send out e-mail.
yeah, probably just some dumb user who set their config to something odd. I don't see a mailserver running at that ip address at the moment, at least.
I would chalk this one up to "someone sucks at the internet, and it isn't you" and don't worry about it too much. If you see it again, then it might be cause for concern.