From: Rik Strobbe <rik.strobbe@fys.kuleuven.be>
To: rsgb_lf_group@blacksheep.org
Date: Tue, 24 Jan 2012 22:42:06 +0100
Subject: RE: LF: A bit off topic

It seems too late in the evening for me to type decent English. Sorry for all the typos.

From: owner-rsgb_lf_group@blacksheep.org [owner-rsgb_lf_group@blacksheep.org] on behalf of Rik Strobbe [Rik.Strobbe@fys.kuleuven.be]
Sent: Tuesday 24 January 2012 22:35
To: rsgb_lf_group@blacksheep.org
Subject: RE: LF: A bit off topic

Hello Roger,
 
one of the things that happens via 88.14.57.81 (= antiarrl.dyndns.org, seems that someone is not happy with a certain radio amateur society) is the upgrade notification.
But I have the strong impression that there is much more info transferred to this URL, looks like big brother is watching. Also the fact that the user cannot decide whether he wants an internet connection to Opera or not makes it suspicious to me.
Anyway, I blocked it via the Windows (Vista) firewall. For those who are not familiar with the firewall here is a "howto": http://www.ehow.com/how_5422923_block-ip-address-computer.html.
Via the firewall you can also block any internet communication to Opera (incoming and/or outgoing): no reports to (and/or from) pskreporter.
And yes, all this hiding the code stuff is very un-radioamateur.
 
73, Rik  ON7YD - OR7T

From: owner-rsgb_lf_group@blacksheep.org [owner-rsgb_lf_group@blacksheep.org] on behalf of Roger Lapthorn [rogerlapthorn@gmail.com]
Sent: Tuesday 24 January 2012 21:55
To: rsgb_lf_group@blacksheep.org
Subject: Re: LF: A bit off topic

Are we sure this isn't a way for the program to check for upgrade notifications from its Spanish creator?

Here I have not re-installed OPERA since I had PC load problems a few weeks ago when running an earlier version. It still sounds not yet fully proven or spyware free. A pity as it looks a useful program. I wish Joe K1JT had written it and then we would have total openness and confidence.

73s
Roger G3XBM



On 24 January 2012 20:09, Steinar Aanesland <saanes@broadpark.no> wrote:
Mike

By the way, this "calling home" mechanism seems to be incorporated in the latest ROS version too.
Same remote address 88.14.57.81, same remote port 8001 and same remote host antiarrl.dyndns.org

My advice is to install a firewall that checks outgoing traffic, such as ZoneAlarm http://www.zonealarm.com/ when playing with this kind of software.

LA5VNA S

-----Original Message-----
From: owner-rsgb_lf_group@blacksheep.org [mailto:owner-rsgb_lf_group@blacksheep.org] On Behalf Of Steinar Aanesland
Sent: 24 January 2012 01:11
To: rsgb_lf_group@blacksheep.org
Subject: RE: LF: A bit off topic

Hi Mike

Thanks for your reply. I know the mechanism that allows Symantec to stop an unknown application, but I don't think this is the reason this time.
As you probably know, Symantec 12.1 has a mechanism called SONAR. SONAR analyzes applications as they are running and takes action once enough evidence has been gathered to convict the application of being malware, based upon its behavior.

I think SONAR was triggered by some strange network behavior. To test my theory, I turned off the SONAR function, and did some packet sniffing on the network when Opera started.

Opera made a connection to the following IP addresses:

Cluster reporter:
-----------
TCP
Remote Address 176.31.252.203
Local Port 3739
Remote Port 8000
Local Host
Remote Host
Service Name
Nameservers ns.dxfuncluster.com


The Opera chat channel:
----------
TCP
Remote Address 66.220.151.99
Local Port 1060
Remote Port 5222
Local Host
Remote Host
Service Name
Reverse DNS jabber-03-01-tfbnw.net snc6.
http://www.plotip.com/ip/66.220.151.99

The first two addresses may be explained by the cluster and chat function in Opera, but I can't find any connection in the software to the last address:
----------
TCP
Remote Address 88.14.57.81
Local Port 3740
Remote Port 8001
Local Host
Remote Host antiarrl.dyndns.org
IP address country: Spain
IP address state: Murcia
IP address city: San Javier

And why Opera is trying to transfer the following string "1 #### #### ####" to "ANTIARRL.DYNDNS.ORG" located some place in Spain is a mystery.

My conclusion is to leave this software alone.

73 de la5vna Steinar

-----Original Message-----
From: Mike Dennison [mailto:mike.dennison@ntlworld.com]
Sent: 22 January 2012 16:44
To: Steinar Aanesland
Subject: Re: LF: A bit off topic

Steinar,

I have only now read your message. Are you still having problems?

My version of Norton/Symantec deleted Opera when I ran it. It decided that, because it did not know about the software, it was therefore suspicious. It is possible to configure Norton to ignore some files or folders, and that was my fix. If you need details I will try to remember how I did it.

73 de Mike, G3XDV
-----------------------------

> I know this is a bit off topic, but is there anyone here using Symantec
> Endpoint Protection ver 12.1 ?
>
> I am trying to use a new ham software but my antivirus sees this
> software as a risk.
>
> la5vna Steinar

--
http://qss2.blogspot.com/
http://g3xbm-qrp.blogspot.com/
http://www.g3xbm.co.uk
https://sites.google.com/site/sub9khz/
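As an added example (not part of this thread or of the Opera program), a small Python triage of the kind of capture Steinar pasted above: it parses the same block layout, flags any destination that no visible program feature accounts for or that resolves to a dynamic-DNS name, and builds the outbound Windows Firewall block rule that Rik's approach amounts to. The expected-endpoint table, the dynamic-DNS suffix list and the capture text are assumptions constructed from the figures in the thread.

```python
import re
from typing import NamedTuple
class Conn(NamedTuple):
    proto: str
    remote_ip: str
    remote_port: int
    remote_host: str   # "Remote Host" or "Reverse DNS" value, "" if the tool showed none
# Constructed capture in the same layout as the one pasted in the thread.
CAPTURE = """\
TCP
Remote Address 176.31.252.203
Remote Port 8000
Remote Host

TCP
Remote Address 66.220.151.99
Remote Port 5222
Reverse DNS jabber-03-01-tfbnw.net

TCP
Remote Address 88.14.57.81
Remote Port 8001
Remote Host antiarrl.dyndns.org
"""
# Destinations the program's visible features account for (assumption taken from the thread).
EXPECTED = {("176.31.252.203", 8000): "DX cluster reporter", ("66.220.151.99", 5222): "chat (XMPP)"}
FIELD = re.compile(r"^(Remote Address|Remote Port|Remote Host|Reverse DNS)\s*(.*)$")
def parse_capture(text):
    """One Conn per blank-line-separated block; the block's first line is the protocol."""
    conns = []
    for block in re.split(r"\n\s*\n", text.strip()):
        proto, *rest = [ln.strip() for ln in block.splitlines() if ln.strip()]
        f = {m.group(1): m.group(2).strip() for m in map(FIELD.match, rest) if m}
        host = f.get("Remote Host") or f.get("Reverse DNS", "")   # empty "Remote Host" falls through
        conns.append(Conn(proto, f.get("Remote Address", ""), int(f.get("Remote Port", 0)), host))
    return conns
def triage(conns):
    """Return [(conn, reasons)] for every connection no visible feature explains."""
    flagged = []
    for c in conns:
        reasons = ([] if (c.remote_ip, c.remote_port) in EXPECTED
                   else ["not accounted for by any program feature"])
        if c.remote_host.endswith(("dyndns.org", "no-ip.org")):   # constructed dynamic-DNS suffix list
            reasons.append("dynamic-DNS hostname")
        if reasons:
            flagged.append((c, reasons))
    return flagged
def block_rule(c, name="Block unexplained call-home"):
    # Outbound Windows Firewall block rule for one flagged destination (netsh advfirewall syntax).
    return (f'netsh advfirewall firewall add rule name="{name}" dir=out action=block '
            f'protocol={c.proto} remoteip={c.remote_ip} remoteport={c.remote_port}')
```

Run `triage(parse_capture(CAPTURE))` to see only the 88.14.57.81:8001 connection reported, with both reasons, and `block_rule(...)` on it to get the rule to paste into an elevated command prompt.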