Suspicious IMAP connection from transmission-qt win

Ask for help and report issues with the Windows version of Transmission
alkalinerain
Posts: 3
Joined: Wed Aug 22, 2012 5:50 pm

Suspicious IMAP connection from transmission-qt win

Post by alkalinerain »

Hello, I'm a new user to transmission after I recently downloaded transmission-qt for Windows from the link provided on this site and am just beginning to use it. Today while it was running in the background downloading a file, avast! Antivirus gave me this message:
(screenshot of the avast! alert, not reproduced here)
I immediately got very suspicious, closed transmission and decided to do a lookup on the ip (86.50.122.84) and came up with the following info:
  • Country: Finland
    City: Turku
    Hostname: dyn84-84.yok.fi
    ISP: Student Village Foundation
    Approximate Coords: 60.2052, 24.6522 (60°12'19"N 24°39'8"E)
    Address: University of Turku
There was a lot more info when I looked it up on a few websites, but I posted the main things here. Anyone who wants more info can perform a lookup themselves. Anyway, getting back on topic: What does this mean? Am I using a modified/malicious version of transmission? Is this behavior intentional? Is transmission tracking my computer activity? Is it just sending anonymous usage statistics? If this was anonymous usage statistics wouldn't it ask first? In the meantime I am refraining from using transmission, nor will I be getting the other Windows ports of transmission until I know what's going on. If I am posting this in the wrong section of the forum or if this has been answered before (I did a quick search and found nothing related, though I might have missed something) please redirect me to where I should be. If I should be posting on the SourceForge page of transmission-qt win and not here then please say so. Any help will be greatly appreciated!
blacke4dawn
Posts: 552
Joined: Sun Dec 13, 2009 10:44 pm

Re: Suspicious IMAP connection from transmission-qt win

Post by blacke4dawn »

Transmission-qt for Windows is an UNofficial port and thus it's very unlikely that you will get any answers from the official devs. I would say you would probably get a better/faster answer by submitting this to the person handling said port.
alkalinerain
Posts: 3
Joined: Wed Aug 22, 2012 5:50 pm

Re: Suspicious IMAP connection from transmission-qt win

Post by alkalinerain »

blacke4dawn wrote: Transmission-qt for Windows is an UNofficial port and thus it's very unlikely that you will get any answers from the official devs. I would say you would probably get a better/faster answer by submitting this to the person handling said port.
Thanks, will try its SourceForge.
rb07
Posts: 1400
Joined: Sun Aug 24, 2008 3:14 am

Re: Suspicious IMAP connection from transmission-qt win

Post by rb07 »

I'm the one that builds and publishes that port.

I haven't received any message at the SourceForge forums... so:
  • Transmission-Qt shouldn't be connecting by itself through the IMAP port, which is normally used to read, not to send anything;
  • It may be connecting through any port if some tracker listed its announce port as that;
  • It may be connecting through any port if some peer configured that as his peer port (many people try to bypass their ISP blocks by using port 443 (https), 80 (http), and probably others);
  • In any case make sure you are using a non-modified program. My releases have digital signatures (in the installer, the Qt executable, and the dbus-daemon executable); you can see the signature with Windows Explorer -> Properties -> Digital Signatures, my name is in that signature, rb is only my initials.
And just to make it clear: my distributed binaries don't have any spyware / virus / or anything else malicious.
alkalinerain
Posts: 3
Joined: Wed Aug 22, 2012 5:50 pm

Re: Suspicious IMAP connection from transmission-qt win

Post by alkalinerain »

rb07 wrote: I'm the one that builds and publishes that port.

I haven't received any message at the SourceForge forums... so:
  • Transmission-Qt shouldn't be connecting by itself through the IMAP port, which is normally used to read, not to send anything;
  • It may be connecting through any port if some tracker listed its announce port as that;
  • It may be connecting through any port if some peer configured that as his peer port (many people try to bypass their ISP blocks by using port 443 (https), 80 (http), and probably others);
  • In any case make sure you are using a non-modified program. My releases have digital signatures (in the installer, the Qt executable, and the dbus-daemon executable); you can see the signature with Windows Explorer -> Properties -> Digital Signatures, my name is in that signature, rb is only my initials.
And just to make it clear: my distributed binaries don't have any spyware / virus / or anything else malicious.
I wasn't able to post on the SourceForge because after my last post here I went on a trip and just got back. From what I understood there shouldn't be anything to worry about, and even though transmission is connecting through port 993 (IMAPS) or 585 (Secure IMAP) they can't be used for anything other than the regular bittorrent protocol. Anyway thanks for the useful insight, will continue using transmission.
rb07
Posts: 1400
Joined: Sun Aug 24, 2008 3:14 am

Re: Suspicious IMAP connection from transmission-qt win

Post by rb07 »

alkalinerain:
From a security point of view, if transmission-qt was malware the connection to IMAP servers could be malicious. It could be trying to break into an IMAP account, at the other end, and in this instance your computer would be used as a bot managed by someone else which is the one trying to break into mail accounts and read mail messages, or exploit vulnerabilities on IMAP servers.

My previous description is also correct, any user could be setting the IMAP/IMAPS port as the peer port (to be precise, almost any user: under Unix/Linux only root can use ports below 1024; in Windows... I don't know).

The only way to be certain is to find out if it is a peer or tracker. The list of peers, for each torrent, doesn't include the port, so the IP address would be the thing to look for. If the connection is to a tracker, then the IP has to be converted to a fully qualified name; if it is DHT... I don't know (I mean when DHT is bootstrapping its database, otherwise it connects with regular peers already connected to torrents). If the connection is still up and the peer or whatever is not found, then it could be a real case of malware.

In the specific case reported, since it looks like a dynamic IP address it's very unlikely that it hosts an IMAP server, so I wouldn't waste time, it's probably just a guy who decided to use that port.
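The triage rb07 describes (match the flagged IP against the client's own peer list, resolve tracker announce hosts to IPs, and treat anything still unmatched as worth a closer look) can be scripted. The following is an added example, not code from the port or from this thread; it assumes torrent data shaped like a Transmission RPC `torrent-get` reply with the `peers` (`address`, `port`) and `trackers` (`announce`) fields, and all sample values are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample in the shape of a Transmission RPC "torrent-get" reply
# (field names follow the RPC spec; the addresses and names are made up).
SAMPLE_TORRENTS = [
    {
        "name": "example-a",
        "peers": [{"address": "86.50.122.84", "port": 993},
                  {"address": "203.0.113.7", "port": 51413}],
        "trackers": [{"announce": "http://tracker.example.net:6969/announce"}],
    },
    {
        "name": "example-b",
        "peers": [],
        "trackers": [{"announce": "udp://open.example.org:80/announce"}],
    },
]


def resolve_tracker(announce, resolver=socket.gethostbyname_ex):
    """Return the set of IPs the announce URL's hostname resolves to.

    `resolver` has the gethostbyname_ex signature so an offline stub can be
    injected; resolution failures simply yield no addresses.
    """
    host = urlsplit(announce).hostname
    if host is None:
        return set()
    try:
        return set(resolver(host)[2])
    except OSError:
        return set()


def classify_connection(remote_ip, torrents, resolver=socket.gethostbyname_ex):
    """Explain an observed remote IP from the client's own peer/tracker data.

    Returns a list of (kind, torrent name, detail) tuples: kind is "peer" (the
    detail is the peer port, so an odd port like 993 is visible), "tracker"
    (detail is the announce URL), or a single "unknown" entry when nothing in
    the client accounts for the address (DHT bootstrap, or a live connection
    that deserves a closer look).
    """
    ip = str(ipaddress.ip_address(remote_ip))  # normalises and validates
    hits = []
    for t in torrents:
        for p in t.get("peers", []):
            if p.get("address") == ip:
                hits.append(("peer", t["name"], p.get("port")))
        for tr in t.get("trackers", []):
            if ip in resolve_tracker(tr["announce"], resolver):
                hits.append(("tracker", t["name"], tr["announce"]))
    return hits or [("unknown", None, None)]
```

Against live data, fetch the torrents from the client's RPC endpoint (or export the peer list from the GUI) and pass the remote address from the antivirus alert; the default resolver then does real DNS lookups for the tracker hosts.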