From: "mal hamilton"
Date: Tue, 24 Jan 2012 22:43:13 -0000
Subject: Re: LF: A bit off topic

Roger

I take it you are not keen on Opera?
I do not have these problems with CW or QRSS, they are sure fire every time. From what I read on here it has no advantage over QRSS but seems to consume a lot of time discussing its merits, needs a severe dose of anti virus medicine and devours your CPU

GL de Mal/G3KEV

----- Original Message -----
From: Roger Lapthorn
To: rsgb_lf_group@blacksheep.org
Sent: Tuesday, January 24, 2012 8:55 PM
Subject: Re: LF: A bit off topic

Are we sure this isn't a way for the program to check for upgrade notifications from its Spanish creator?

Here I have not re-installed OPERA since I had PC load problems a few weeks ago when running an earlier version. It still sounds not yet fully proven or spyware free. A pity as it looks a useful program. I wish Joe K1JT had written it and then we would have total openness and confidence.

73s
Roger G3XBM

On 24 January 2012 20:09, Steinar Aanesland wrote:

Mike

By the way, this "calling home" mechanism seems to be incorporated in the latest ROS version too.
Same remote Address 88.14.57.81, same remote Port 8001 and same remote host antiarrl.dyndns.org

My advice is to install a firewall that checks outgoing traffic, such as zonealarm http://www.zonealarm.com/ when playing with this kind of software.

LA5VNA S

-----Original Message-----
From: owner-rsgb_lf_group@blacksheep.org [mailto:owner-rsgb_lf_group@blacksheep.org] On Behalf Of Steinar Aanesland
Sent: 24 January 2012 01:11
To: rsgb_lf_group@blacksheep.org
Subject: RE: LF: A bit off topic

Hi Mike

Thanks for your reply. I know the mechanism that allows Symantec to stop an unknown application, but I don't think this is the reason this time.
As you probably know, Symantec 12.1 has a mechanism called sonar. Sonar analyzes applications as they are running and takes action once enough evidence has been gathered to convict the application of being malware, based upon its behavior.

I think sonar was triggered by some strange network behavior. To test my theory, I turned off the sonar function, and did a packet sniff on the network when Opera started.

Opera made a connection to the following IP addresses:

Cluster reporter:
-----------
TCP
Remote Address 176.31.252.203
Local Port 3739
Remote Port 8000
Local Host
Remote Host
Service Name
Nameservers ns.dxfuncluster.com

The Opera chat channel:
----------
TCP
Remote Address 66.220.151.99
Local Port 1060
Remote Port 5222
Local Host
Remote Host
Service Name
Reverse DNS jabber-03-01-tfbnw.net snc6.
http://www.plotip.com/ip/66.220.151.99

The first two addresses may be explained by the cluster and chat function in Opera, but I can't find any connection in the software to the last address:
----------
TCP
Remote Address 88.14.57.81
Local Port 3740
Remote Port 8001
Local Host
Remote Host antiarrl.dyndns.org
IP address country: Spain
IP address state: Murcia
IP address city: San Javier

And why Opera is trying to transfer the following string "1 #### #### ####" to "ANTIARRL.DYNDNS.ORG" located some place in Spain is a mystery.

My conclusion is to leave this software alone.

73 de la5vna Steinar

-----Original Message-----
From: Mike Dennison [mailto:mike.dennison@ntlworld.com]
Sent: 22 January 2012 16:44
To: Steinar Aanesland
Subject: Re: LF: A bit off topic

Steinar,

I have only now read your message. Are you still having problems?

My version of Norton/Symantec deleted Opera when I ran it. It decided that, because it did not know about the software, it was therefore suspicious. It is possible to configure Norton to ignore some files or folders, and that was my fix. If you need details I will try to remember how I did it.

73 de Mike, G3XDV
-----------------------------

> I know this is a bit off topic, but is there anyone here using Symantec
> Endpoint Protection ver 12.1 ?
>
> I am trying to use a new ham software but my antivirus sees this
> software as a risk.
>
> la5vna Steinar

--
http://qss2.blogspot.com/
http://g3xbm-qrp.blogspot.com/
http://www.g3xbm.co.uk
https://sites.google.com/site/sub9khz/
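
The check described in the thread (capture the program's outbound connections, tie each one to a visible feature, and review whatever is left) can be scripted. The following is an added example, not part of the original thread: the report layout handling, the `EXPLAINED` allowlist and the dynamic-DNS suffix list are assumptions, and the addresses and ports are the ones quoted in the post.

```python
import re

# Constructed sample in the report layout quoted in the thread (values from the post).
REPORT = """\
TCP
Remote Address 176.31.252.203
Remote Port 8000

TCP
Remote Address 66.220.151.99
Remote Port 5222
Remote Host

TCP
Remote Address 88.14.57.81
Remote Port 8001
Remote Host antiarrl.dyndns.org
"""

# Hypothetical allowlist: endpoints the operator can tie to a visible feature.
EXPLAINED = {("176.31.252.203", 8000): "cluster reporter",
             ("66.220.151.99", 5222): "chat channel"}
DYNAMIC_DNS_SUFFIXES = (".dyndns.org",)  # assumed list; extend as needed
FIELD = re.compile(r"^(Remote Address|Remote Port|Remote Host)\s+(\S+)$")

def parse_report(text):
    """Return one dict per blank-line-separated connection record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        matches = (FIELD.match(line.strip()) for line in block.splitlines())
        rec = {m.group(1): m.group(2) for m in matches if m}
        if "Remote Address" in rec and "Remote Port" in rec:
            records.append(rec)  # records missing address or port are skipped
    return records

def unexplained(records):
    """Return (address, port, host, reasons) for connections needing review."""
    findings = []
    for rec in records:
        addr, port = rec["Remote Address"], int(rec["Remote Port"])
        host = rec.get("Remote Host", "")
        reasons = []
        if (addr, port) not in EXPLAINED:
            reasons.append("no matching program feature")
        if host.lower().endswith(DYNAMIC_DNS_SUFFIXES):
            reasons.append("dynamic-DNS host")
        if reasons:
            findings.append((addr, port, host, reasons))
    return findings
```

Calling `unexplained(parse_report(REPORT))` returns only the third connection, with both reasons attached; field labels that carry no value, such as the bare `Remote Host` line, are ignored by the parser.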