|
FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
7 Aug 2003, 02:46 PM | #1 |
Master of the @
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
|
Port scan attack by FastMail.fm
My McAfee firewall intercepted a port scan attack while I was logged into my FastMail account via the web interface. McAfee's Visual Trace tool traced the port scan attack location as fastmail.fm. Now I can't access the site obviously because McAfee has blocked all traffic from FastMail sites for the next hour. Any idea how or why this happened? I was using the Notepad in my FastMail account.
|
7 Aug 2003, 04:46 PM | #2 |
The "e" in e-mail
Join Date: Apr 2003
Location: USA
Posts: 2,978
|
Hmm, do you have a Guest acct by any chance? JH promises never to hack paid members, but if you're a Guest, well, all bets are off (he calls it his personal upgrade incentive).
It's already explained in one of the taglines -- "FastMail: Pay us, or we'll hack you." (Sorry, I know that wasn't of any help whatsoever...) |
7 Aug 2003, 05:01 PM | #3 |
The "e" in e-mail
Join Date: Sep 2002
Location: FM does NOT refer to Fastmail (anymore).
Posts: 4,034
|
Now to be practical, does McAfee have anything it can mistake for a "port scan attack?" My guess is that to give you access to your email, the connection has to come through a certain port. But so does every other Internet connection. Can you look up some McAfee help files and see if they provide any information on limitations of their software or false positives of any kind?
If no solution surfaces, I assume that McAfee has a log of the port scan. You may wish to forward that to both McAfee and Fastmail to see what went on and if the error was on FM's part or McAfee's. |
7 Aug 2003, 05:06 PM | #4 | |
Master of the @
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
|
Quote:
I'm sure this was as a result of some bug from either FastMail or McAfee software. I doubt that FastMail will really do such things. Are you sure that there is such a tag-line or are you just joking? Such a tag-line would definitely put me off. I remember how someone I know purchased a firewall software from the bonzi company famous for its adware and spyware because its software was generating a pop up claiming that his PC was unprotected whenever he went online. I would personally never purchase anything from people who resort to that type of thing. Pay us, or we'll hack you is the same thing. |
|
7 Aug 2003, 05:37 PM | #5 |
Essential Contributor
Join Date: Jun 2002
Location: AU
Posts: 471
|
From what I can see the guys at fastmail are honest and have great integrity.
I can't imagine they would be doing a port-scan or would attempt to hack you!!! bitequator, I think you were joking but that is almost slanderous.... |
7 Aug 2003, 06:12 PM | #6 |
Master of the @
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
|
McAfee does have a log file alright. The IP address related to this port scan attack was 66.111.4.62.
I'm using the Firewall that comes with McAfee VirusScan Professional 7. I saved the log file and opened it with Word even though it was a text file for better search capabilities and was amazed to see that it had more than 3650 pages. Most of them are logs of blocking incoming or outgoing traffic. Port scan attacks are rare. I will search through that log file and get back with more info. |
7 Aug 2003, 06:48 PM | #7 |
Cornerstone of the Community
Join Date: Nov 2002
Location: Amsterdam
Posts: 753
|
bitequator was most certainly joking.
We have no reason to portscan anyone so I wouldn't think we did. It's more likely that your firewall misinterpreted some traffic to be a portscan of some sort. If you can find out what it thought was going on it would be good so we can have a look and see whether we can do anything on our side to make it less confused. |
7 Aug 2003, 06:51 PM | #8 | |
Master of the @
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
|
The log file of 3650 pages was only for four days because I cleared the logs four days ago. I can just imagine how big it would have been if I hadn't done that.
Here is an extract from the log file related to the fastmail.fm port scan attack. I can't post everything here but most of the logs are similar: Quote:
|
|
7 Aug 2003, 07:03 PM | #9 | |
Intergalactic Postmaster
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102
Representative of:
Fastmail.FM |
It's a McAfee problem is my analysis.
Quick summary of how ports/sockets work. Basically, you connect to a machine (identified by ip number eg 66.111.4.62) and you connect to a particular port number. However this process is symmetrical, before you can connect to an external port on an external machine, you have to connect to a local port on the local machine. Now port numbers are usually broken into 2 main ranges. Low numbered ports listen for incoming connections. However, when you want to make an outgoing connection, you bind to a high numbered port. Certain low numbered ports are reserved for certain services. Eg. 80 is for http, 22 for ssh, 443 for https.
So what happens when you make a web connection to https://fastmail.fm? It does something like:
1. Your computer binds to a free high port number (eg 1779)
2. It then binds the other end to 443 on fastmail.fm
3. It sends the web request across
4. fastmail sends the response back
But if you look at the firewall output, it incorrectly blocked the response data!
Quote:
Given Onno is a network engineer, he might have more thoughts
Rob
PS. The bitequator comments were just a joke. There's no such tagline and definitely no such policy! |
|
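Added example (not part of any post in this thread, and not McAfee's actual detection logic, which the thread does not show): the Python below assumes a simple heuristic that flags a remote address once its inbound packets reach several distinct local ports, and shows why that heuristic misreads HTTPS replies to a browser's high-numbered ports as a scan unless outbound connections are tracked. The client and prober addresses and the whole packet log are constructed; only 66.111.4.62 comes from the thread.

```python
from collections import defaultdict

CLIENT = "192.0.2.10"    # constructed local address (documentation range)
SERVER = "66.111.4.62"   # the address quoted in the thread
PROBER = "198.51.100.7"  # constructed host that really does probe ports

def build_sample():
    """Constructed packet log: (direction, src_ip, src_port, dst_ip, dst_port)."""
    packets = []
    # Browser opens six HTTPS connections, each from a fresh high local port,
    # and the server answers each one from port 443 back to that port.
    for local_port in range(1779, 1785):
        packets.append(("out", CLIENT, local_port, SERVER, 443))
        packets.append(("in", SERVER, 443, CLIENT, local_port))
    # Unsolicited inbound packets to low service ports, never preceded by
    # any outbound traffic from the client.
    for service_port in (21, 22, 23, 25, 80, 110):
        packets.append(("in", PROBER, 40000, CLIENT, service_port))
    return packets

def naive_scan_sources(packets, threshold=5):
    """Flag any remote IP whose inbound packets hit >= threshold local ports."""
    ports = defaultdict(set)
    for direction, src_ip, _sport, _dst_ip, dport in packets:
        if direction == "in":
            ports[src_ip].add(dport)
    return {ip for ip, seen in ports.items() if len(seen) >= threshold}

def stateful_scan_sources(packets, threshold=5):
    """Same count, but skip inbound packets that answer a flow we opened."""
    opened = set()  # (local_port, remote_ip, remote_port) of outbound flows
    ports = defaultdict(set)
    for direction, src_ip, sport, dst_ip, dport in packets:
        if direction == "out":
            opened.add((sport, dst_ip, dport))
        elif (dport, src_ip, sport) not in opened:
            ports[src_ip].add(dport)
    return {ip for ip, seen in ports.items() if len(seen) >= threshold}

if __name__ == "__main__":
    log = build_sample()
    print("naive:   ", sorted(naive_scan_sources(log)))
    print("stateful:", sorted(stateful_scan_sources(log)))
```

When triaging a firewall alert like the one in this thread, the check to make in the log is whether each "scanned" local port appears first as the source port of an outbound connection to the same remote address and port.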
7 Aug 2003, 07:05 PM | #10 |
Master of the @
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
|
There were a lot of updates for the McAfee Firewall program recently. It must be a bug in one of their recent updates because I have had McAfee running on my PC for quite some time and this hadn't happened to me before. So the chances are that they will correct it at their end as soon as they become aware of it because it may be happening to some other sites as well.
I knew it had to be some sort of a mistake when I saw McAfee's Visual Trace tool identifying the port scan attacker as fastmail.fm but it might scare off some new potential customers that are not familiar with the fastmail.fm company. |
7 Aug 2003, 07:20 PM | #11 |
Master of the @
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
|
I can't recreate the same problem again. I went to the fastmail site by selecting http://www.rushpost.com from my IE favorites and was selecting an entry in my Notepad when it happened earlier. The same steps don't trigger the firewall now.
|
7 Aug 2003, 11:02 PM | #12 | |
Cornerstone of the Community
Join Date: Nov 2002
Location: Amsterdam
Posts: 753
|
Quote:
|
|
8 Aug 2003, 01:53 AM | #13 |
The "e" in e-mail
Join Date: Apr 2003
Location: USA
Posts: 2,978
|
D'oh, I'm really sorry to have caused confusion. Yes, I was definitely just kidding around (I love FM)... My funny bone strikes me at the most inappropriate times and places...
|
8 Aug 2003, 05:56 PM | #14 |
Essential Contributor
Join Date: Jun 2002
Location: AU
Posts: 471
|
bitequator, I thought you were!!!
|
9 Aug 2003, 10:26 AM | #15 |
Master of the @
Join Date: Apr 2002
Location: California, USA
Posts: 1,597
|
bitequator, I thought so too but for a moment I wasn't sure because I don't know what type of tag-lines FM has since I don't have any guest accounts. Sometime ago there was a banner ad on this forum claiming that FM hates banner ads. It was kind of hypocrisy. If FM hates banner ads then FM should also refrain from banner ads. So I just wasn't sure whether FM really had such a tag-line. Actually there is nothing wrong with banner ads. The real annoyance is only with popup ads. Claiming to hate popup ads would have been more appropriate. Banner ads and text ads do support the availability of free services to a lot of people who would otherwise be unable to enjoy such services.
|