The Case of Port 110 and 25

About a month ago, my manager asked me for some help in interpreting the results from a scan she had run using Foundstone SuperScan. She is in a security course as part of her Master's degree at GW. The scan results strangely showed ports 110 and 25 open. This didn't make any sense to me. These ports shouldn't be open on an end user's desktop or laptop. I used SuperScan on my own desktop and laptop and obtained the same result. I tried to verify the results with Nmap, but it kind of bombed out on me. Next, I looked at the most recent STAT results and saw that it too was seeing those ports open. Multiple scanners agreed the ports were open, but I couldn't determine why.
I tried to connect to the ports manually using telnet and netcat, but no banner was displayed. It looked to me like I was not able to connect to the port. This remained an unsolved mystery until this week. I was at a HIPS seminar put on by Third Brigade and I read the readme for their product. It reported that Norton Antivirus will cause 110 and 25 to appear to be open because of the way it proxies those connections so it can scan Internet email. I can't find confirmation in the Symantec Knowledge Base, but I have found confirmation through a write-up from GFI.
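The manual telnet/netcat check described above, written out as an added example that is not part of the original post: a small Python probe that tells apart a refused port, a port that completes the TCP handshake but never greets (which every port scanner reports as open, and which is the symptom the antivirus proxy produces), and a port where a real SMTP (`220`) or POP3 (`+OK`) banner arrives. The two local listeners are constructed stand-ins for a real mail server and for a silent proxy; the host name, greeting text and timeout values are assumptions for the example.

```python
import socket
import threading
from typing import Dict, Iterable, Optional


def start_fake_service(greeting: Optional[bytes]) -> int:
    """Start a local TCP listener in a background thread and return its port.

    Constructed for this example only: greeting=b"220 ..." imitates a real
    SMTP server that speaks first; greeting=None imitates a proxy that
    accepts the connection and then stays silent until the client sends
    something, which is the behaviour the post attributes to the AV scanner.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            try:
                if greeting is not None:
                    conn.sendall(greeting)
                # Hold the connection open for a moment either way; a silent
                # proxy waits for the client's first command before reacting.
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                except socket.timeout:
                    pass
            finally:
                conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return port


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port the way a manual telnet/netcat check would.

    Returns:
      "closed"      - the connection was refused or could not be completed
      "open-silent" - the handshake completed but nothing greeted us within
                      `timeout` (a scanner still reports this as open)
      "open-banner" - the service greeted first, as SMTP and POP3 must
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return "open-silent"
            if not data:
                # Accepted, then closed without a word: still no banner.
                return "open-silent"
            return "open-banner"
    except OSError:
        # ConnectionRefusedError and socket.timeout are both OSError subclasses.
        return "closed"


def check_mail_ports(host: str, ports: Iterable[int] = (25, 110)) -> Dict[int, str]:
    """Probe the SMTP and POP3 ports of a host and return {port: verdict}."""
    return {port: probe(host, port) for port in ports}


if __name__ == "__main__":
    # Constructed demo: one greeting listener, one silent listener.
    real_smtp = start_fake_service(b"220 mail.example.test ESMTP ready\r\n")
    silent_proxy = start_fake_service(None)
    for port, verdict in check_mail_ports("127.0.0.1", (real_smtp, silent_proxy)).items():
        print(f"{port}: {verdict}")
```

Against a real desktop you would call `check_mail_ports("desktop-hostname")`; a verdict of `open-silent` on 25 and 110 matches the scanner-says-open, nothing-greets-you symptom in the post, while `open-banner` means an actual mail daemon is listening and deserves a closer look.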
Shouldn’t Symantec only be proxying outbound requests? This internet mail scanner plugin is intended to be only on end user computers. By answering requests from external scanners, they are opening the computer to any vulnerability in their SMTP and POP scanning service. Defense in depth would use a personal firewall to block such access.
This SMTP scanner seems to be more trouble than it's worth. We've had issues sending email to some mail servers with it enabled. I'm going to post later about my experience with SMTP over SSL and this scanner. The computer will be protected by the File System Real Time Protection. This Internet Mail protection does little but preserve a clean inbox.