«

On Sun, 5 Jul 2009 19:44:30 +0100, "tg"
<> wrote:

>is it possible to be hacked through one's mail server?

Sure.
If there's a connection, there is a security risc involved

>I use a network monitor on my pc called Net Medic and for the third time in
>the last month I've noticed suspicious network activity on my PC. Each time
>I saw this I've run wireshark for a few seconds and then disabled my NIC,
>and wireshark shows the traffic is coming from tim.netweaver.net which is
>netweaver's latest mail server.

Since you are using OE, there is no reason at all for any
communication between your ISP's mailserver and your PC other
than that, initiated by OE on your PC.
(But you may have scheduled automatic mail pickup !)

The more relevant question reads: Why do you suspect their
mailserver to be the culprit ?
Is it because the traffic uses ports like 25 or 110 ?
Or because an IP lookup shows netweaver's mailserver ?
Are you sure, all their other servers run on IP addresses
different from the mailserver's ?

>I have hosting accounts with netweaver and I've complained to them about
>this but they insist it's just normal email traffic and that they have not
>been compromised. Problem is I'm not running any email program when I get
>this traffic and the nature of this network traffic is completely different
>to when I check my email. I've been watching my email traffic for about 5
>years now and this is different.

Read what is inside the packets, that's what Wireshark is for

--
Kind regards,
Gerard Bok

"tg" <> writes:

> "Gerard Bok" <> wrote in message
> news:...
>> On Sun, 5 Jul 2009 19:44:30 +0100, "tg"
>> <> wrote:
>
>> The more relevant question reads: Why do you suspect their
>> mailserver to be the culprit ?
>> Is it because the traffic uses ports like 25 or 110 ?
>> Or because an IP lookup shows netweaver's mailserver ?
>
> both. The traffic uses port 110, and the ip lookup points at netweavers
> mail server.
>>
>> Read what is inside the packets, that's what Wireshark is for
>
> the packets just contain gobbledegook, like this:
>
> (¸ T"^3 E 4ÚÌ@ ?*!¬
Nú6Ð no¸;£.s)À?ÿÿe


> .s)Ò.s)Ó

By "uses port 110" is that the destination port of the initial
connection? i.e. are you saying that you know for sure your computer
is initiating a session from itself (usually on a high port number) to
the pop3 port of the mail server?

If so, what are your mail client's settings for the mail servers with
respect to transport layer security?

Finally, for the win, what process is associated with this network
connection? Find out with Microsoft's free tcpview utility (they
purchased sysinternals years ago, and this is good stuff):
http://technet.microsoft.com/en-us/s.../bb897437.aspx

It's possible that you have a trojan that might use your configured
mail server to do its phoning home. It wouldn't be my communication
method of choice but who knows, maybe some botnet creator decided that
it might go unnoticed and you're onto something big. It's also
possible your (undisclosed?) mail client or OS is doing this as part
of normal operation.

--
Todd H.
http://www.toddh.net/