Cable Forum > Computers & IT > Security & Virus Discussion

Rogue IP address
Old 13-10-2006, 18:32   #1
applebyd
Rogue IP address

Hi all.

First, if I've got this in the wrong forum, would a moderator please move it.

I've got an odd problem.

I'm using Eudora and AVG with an NTL set-top 1Mb connection (Ethernet).

About every 5 min the AVG E-Mail scanner is showing an attempted mail download from address 172.16.30.35.

The IP address resolves to:-

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 172.16.0.0 - 172.31.255.255
CIDR: 172.16.0.0/12
NetName: IANA-BBLK-RESERVED
NetHandle: NET-172-16-0-0-1
Parent: NET-172-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-12

Which has no reverse DNS lookup available.

I have no idea what, where or why it's there.

I've run various A/V scans (online and offline), my firewall (ZoneAlarm) is up to date and Ad-Aware says I'm clean.

Anyone got any ideas?

Thanks

DaveA
Old 13-10-2006, 18:42   #2
Graham M
Re: Rogue IP address

AFAIK 172.*.*.* addresses are typically used on largish private networks such as college/university campuses, i.e. places with large-capacity LANs. Are you based at a uni etc.?
Old 13-10-2006, 19:38   #3
applebyd
Re: Rogue IP address

Thanks for the response.


Sorry but I'm just on a standard home set-top box 1Mb connection.

I did think I'd been hit by a spambot, but there's nothing showing anywhere on the system and I can't find out what's calling the routine.

Thanks again.

DaveA
Old 13-10-2006, 19:53   #4
Graham M
Re: Rogue IP address

AVG pops up when ANYTHING on your system sends/receives mail.


Just a thought, what happens if you ping the IP in question?
Old 13-10-2006, 20:16   #5
applebyd
Re: Rogue IP address (MAIL)

Hmm...

It's odd that something is trying to pull down mail, as Eudora is the only thing that is supposed to try.

I'm not sure how to try and find out what's calling the process.

Any ideas?

THANKS

DaveA
Old 13-10-2006, 21:35   #6
Graham M
Re: Rogue IP address

You could try

netstat -ab > c:\netstat.txt

then when it's completed go into c:\ and open netstat.txt to see what program is using what ports at the time.
Old 14-10-2006, 09:11   #7
Gareth
Re: Rogue IP address

Zeph is correct - the IP range 172.16.0.0 -> 172.31.255.255 is reserved as Class B private blocks, i.e. they're for use internally within an organisation and are not publicly addressable.

The reason it's showing as IANA when you did a reverse lookup is because nobody can "own" that address range, as it's used internally by thousands of organisations globally. In case you were wondering, IANA is responsible for administering IP ranges to so-called Regional Internet Registries, such as ARIN, RIPE, etc., who in turn dish those IP addresses out to ISPs, who then finally assign them to their customers.

Where did you obtain Eudora from? When I was at university many moons ago, they used to give out copies for people to use (to be run from a floppy disk, that's how long ago it was)... did you obtain your copy in a similar fashion, as it sounds as though it could still be mis-configured.

ps - welcome to Cable Forum
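As an added worked example (not code from this thread, nor from AVG, Eudora or any of the posters), the Python below does what posts #6 and #7 describe by hand: it parses the text produced by netstat -ab (assumed run with -n as well, so addresses are numeric rather than resolved names, and in the XP layout where the owning executable follows each connection line in brackets) and flags any connection to a mail port on an RFC 1918 address, naming the process that owns it. The netstat text, addresses and process names are constructed samples, not output from the poster's machine.

```python
import ipaddress

# RFC 1918 private blocks (post #7); the whois in post #1 returned 172.16.0.0/12.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}

# Constructed sample of 'netstat -abn' output (numeric addresses; on XP the owning
# executable follows each connection line in brackets). Process names are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.2:1054       172.16.30.35:110       SYN_SENT
  [unknown_app.exe]
  TCP    192.168.0.2:1060       203.0.113.10:80        ESTABLISHED
  [iexplore.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  [svchost.exe]
  UDP    0.0.0.0:500            *:*
  [lsass.exe]
"""

def is_private(addr):
    """True for an RFC 1918 address; False for public, wildcard or unparsable values."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def parse_netstat(text):
    """Turn netstat -abn text into dicts: proto, local, remote host/port, state, process."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("TCP", "UDP") and len(parts) >= 3:
            rhost, _, rport = parts[2].rpartition(":")
            conns.append({"proto": parts[0], "local": parts[1], "remote": rhost,
                          "rport": int(rport) if rport.isdigit() else None,
                          "state": parts[3] if len(parts) > 3 else "", "process": None})
        elif parts[0].startswith("[") and conns and conns[-1]["process"] is None:
            conns[-1]["process"] = parts[0].strip("[]")  # first bracketed line is the exe
    return conns

def mail_to_private(conns):
    """Connections to a mail port on an RFC 1918 address. Mail normally goes to the ISP's
    public server, so each hit names a process worth checking, which is what post #6 is after."""
    return [c for c in conns if c["rport"] in MAIL_PORTS and is_private(c["remote"])]
```

Run netstat -abn from an elevated prompt, redirect it to a file as in post #6, and pass the file's contents to parse_netstat; a connection in SYN_SENT to a private address that never completes matches the repeating AVG pop-up described in post #1.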