does Newsbin allow server redirection?

Technical support and discussion of Newsbin Version 6 series.

Post by ross1999 » Thu May 29, 2014 2:28 am

Can a server redirect newsbin 651 to connect directly to another server? This appears to be what I'm seeing, only in this case I'm seeing newsbin talking to what may or may not be servers, most likely not. I can explain further, but I'd like to know first if this is technically possible?

Re: does Newsbin allow server redirection?

Post by Quade » Thu May 29, 2014 7:02 am

Most likely you're just mis-interpreting the log messages. If you see different servers listed while downloading you're probably looking at the message-id which is likely listing the server the files were posted to, not the servers you're downloading from.

Usenet has no re-direct. It pre-dates the web. Some of your news servers will have multiple front ends so, there might be multiple IPs used to connect but, they're all IPs for the server you specified in the options. AW for instance has multiple front ends and uses round robin DNS to spread the load.

Re: does Newsbin allow server redirection?

Post by ross1999 » Fri May 30, 2014 12:06 am

Thanks for the response. I started to go into a complex explanation but I'm going to keep it simple. I'm looking at tcp connections in Resource Monitor on Win 7, and I'm seeing Newsbin connected to IPs it should not be talking to. I'm thinking there is some mechanism for the server to tell Newsbin to connect to a particular IP and download from there, for each channel Newsbin wants to open, and Newsbin connects to it. Newsbin does not block servers from redirecting the newsreader to other servers. Is that right? So if the server is for some reason, possibly legit, telling the news reader to switch one or more connections to another ip, e.g. off to another server perhaps operated by another company, that's not a problem. Right? That's my question.

Re: does Newsbin allow server redirection?

Post by itimpi » Fri May 30, 2014 2:45 am

I just checked my own system - and Resource Monitor only shows Newsbin connected to the expected news servers (various Astraweb servers). I also see Newsbin listening on port 118 which is what I have set for the Newsbin Remote Control feature (which I use) so that is also expected. The only other connection I can see is at initial startup a temporary connection to the Newsbin servers (I assume to check for a new MOTD as I have that feature enabled).

If you have more connections than this in normal running it certainly sounds suspicious. Your description of what you are seeing does sound a bit like it could be malware behaviour from your description. Are any of these unexpected connections actually showing activity (i.e. transferring data) or are they quiescent?

It might be worth doing some sort of controlled test? Something like initially configuring Newsbin by switching off MOTD under Options->Advanced, and then switching off all servers but 1 and setting that to use a single connection to see what connections are active in such a scenario. If that looks OK then you could gradually enable more servers to see if the unexpected connections arise at any particular point. If you have the capability of running Virtual Machines (using something like VMware or VirtualBox) this could be done under a freshly set-up VM to be confident it is a clean system.

Re: does Newsbin allow server redirection?

Post by Quade » Fri May 30, 2014 7:47 am

ross1999 wrote:
> Newsbin does not block servers from redirecting the newsreader to other servers. Is that right? So if the server is for some reason, possibly legit, telling the news reader to switch one or more connections to another ip, e.g. off to another server perhaps operated by another company, that's not a problem. Right? That's my question.


1 - There is no "re-direction" in usenet. The news server can't tell Newsbin to connect to a different server. Re-direction is an HTTP thing. Usenet is NNTP. The news server doesn't tell Newsbin anything. Usenet is like old email. Newsbin connects, sends commands, downloads and then disconnects. The only thing that tells newsbin what to connect to is DNS.

2 - If you're using our search, Newsbin will also be connecting to the search server over SSL every time you search or add a download to the download list. It's either searching or it's pulling the NZB for the files you want to download.

If your DNS is compromised, the DNS can make Newsbin connect to other servers.

    > news.astraweb.com
    Server:  [8.8.8.8]
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    news.astraweb.com
    Addresses:  207.246.207.159
              216.151.153.163
              216.151.153.44
              216.151.153.16
              8.17.249.105
              8.17.249.100
              207.246.207.32
              8.17.249.104


This is how many server front ends Astra has. Newsbin can be connected to all of them at once depending on how things worked out. I don't know what news servers you use but, if it's like AW and has multiple front ends, this is normal.

Re: does Newsbin allow server redirection?

Post by ross1999 » Sat May 31, 2014 8:11 am

Thank you both for the info and suggestions. My system has BitDefender and Malwarebytes, I doubt it's infected, and to my knowledge never has been. I keep a weather eye on it, and disconnect from the net when I'm not using it. What I'm seeing is strictly to do with Newsbin, which I only dl'd a few days ago from this site.

I did the test you suggested itimpi and determined that my fill server is most likely who these odd servers are associated with. Newsbin is definitely connecting to domains or IPs which you would not think would be associated with usenet servers. I spent some time getting into that today. However it seems off topic to go into that. If newsbin relies on DNS tables to connect, then no news server is going to be any safer to use, and if there really is a problem, it seems likely to be with the provider or with the network.

There is another thing however. I don't know if it's related but it's odd. Is there an issue with data counts? The other day when I started wondering about this, Newsbin says I downloaded 26GBs from my main provider. I knew when I read that number it was not correct, just because I've been dl'g a long time. When I checked my provider's count, it said 10 GB, which is more like it. Today I checked it, Newsbin says 32 GB, provider says 14. Not the same ratio, interestingly, but still high.

Re: does Newsbin allow server redirection?

Post by itimpi » Sat May 31, 2014 8:42 am

Were you downloading a lot of headers?

Because of the way that Newsbin handles headers the size of headers is counted as the uncompressed size. If your server supports compressing headers (e.g. Astraweb does) and you have this enabled in your Newsbin settings then you may be getting something like a 10-1 ratio between uncompressed size (which is what the server counts) and the uncompressed size Newsbin uses.

I guess this is something of a legacy from the days before servers supported header compression. Maybe Quade should look at changing it to always use the data size at the network level?

Re: does Newsbin allow server redirection?

Post by Quade » Sat May 31, 2014 9:58 am

ross1999 wrote:
> If newsbin relies on DNS tables to connect, then no news server is going to be any safer to use, and if there really is a problem, it seems likely to be with the provider or with the network.


The whole internet works off of DNS so, I'm not sure what you're suggesting. If you want to lock Newsbin down to a single IP, enter the IP into the server address field. If you want best performance, let it round-robin.


Edit: If you happen to see it, ignore my mini-rant. I hadn't had my soda yet.

Re: does Newsbin allow server redirection?

Post by ross1999 » Tue Jun 03, 2014 7:20 am

Do transfers using NBRemote alter server statistics in any way? I'm thinking that the strange connections I saw which I assumed were connected to Newsbin as servers, were perhaps connected as remote controllers. Since the remote is a tcp connection I assume they would show up in the tcp connections list. Moreover, when I was using Newsbin, I thought things were appearing in my download list, but then wasn't sure if I put them there by accident somehow. Since I never used NBRemote, it didn't occur to me to even think about it -- now I'm wondering.

I was using a VPN connection, so all the servers were connected through that. The download and upload counts through the VPN match the servers. My ISP on the other hand seems to agree with Newsbin, and includes the extra 16 GB and then some, so the difference might be made up by a transfer initiated by the remote system and transferring data outside my VPN. Unfortunately I have not gotten my ISP to verify the excess was an upload, but I'm working on that. In terms of NBRemote, is that possible? Could it be adding data xferred to a remote system to the server download count?

Re: does Newsbin allow server redirection?

Post by Quade » Tue Jun 03, 2014 8:41 am

ross1999 wrote:
> I'm thinking that the strange connections I saw which I assumed were connected to Newsbin as servers, were perhaps connected as remote controllers.


1 - Do you have a router on your internet? If so, nothing on the internet should be able to connect to Newsbin. If not, then you're just asking for trouble.

2 - The remote interface can be enabled or disabled in the options. If you're exposed to the internet, I'd disable it.

3 - The VPN might be exposing you to attack from the internet. It might effectively be bypassing your router. I wouldn't use a VPN unless you have a specific reason to. I'd disable remote if you're using the VPN. The remote interface should be password protected but, that won't prevent people from connecting to it if you expose it to the internet. They shouldn't be able to do anything even if they connect without the password.

It is possible to download files from your PC to someone else through the remote interface. Remote uses port 118 by default, it's trivial to then see if someone is connected to that port.

    netstat -ant
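The two checks Quade describes in this thread (comparing Newsbin's connections with the server's DNS front ends, and looking for peers on the remote-control port 118), combined here as an added example that is not part of the original posts or of Newsbin. It parses text in the layout of Windows `netstat -ano`; the sample output, PID 4321 and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are constructed, and the expected set is the nslookup answer quoted earlier in the thread.

```python
import ipaddress

# Front-end addresses copied from the nslookup answer quoted in the thread.
EXPECTED = {"207.246.207.159", "216.151.153.163", "216.151.153.44", "216.151.153.16",
            "8.17.249.105", "8.17.249.100", "207.246.207.32", "8.17.249.104"}
REMOTE_PORT = 118  # remote-control port named in the thread

# Constructed sample in the layout of Windows `netstat -ano`; PID 4321 stands in
# for the Newsbin process (hypothetical), peers outside EXPECTED are documentation addresses.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:118            0.0.0.0:0              LISTENING       4321
  TCP    192.168.1.20:49210     216.151.153.44:563     ESTABLISHED     4321
  TCP    192.168.1.20:49211     8.17.249.100:563       ESTABLISHED     4321
  TCP    192.168.1.20:49230     203.0.113.7:443        ESTABLISHED     4321
  TCP    192.168.1.20:118       198.51.100.9:51514     ESTABLISHED     4321
  TCP    127.0.0.1:118          127.0.0.1:49300        ESTABLISHED     4321
  TCP    192.168.1.20:49500     192.0.2.50:443         ESTABLISHED     2200
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6%scope]:port' into (ip_address, port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]").split("%")[0]), int(port)

def classify(netstat_text, pid, expected=EXPECTED, remote_port=REMOTE_PORT):
    """Sort one process's established TCP connections into three buckets."""
    result = {"expected": [], "unexpected": [], "remote_clients": []}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "TCP" or f[3] != "ESTABLISHED" or f[-1] != str(pid):
            continue  # headers, UDP, listeners, other processes
        (_, lport), (rip, _) = split_endpoint(f[1]), split_endpoint(f[2])
        if lport == remote_port:
            # A peer connected TO the remote-control listener; loopback is local use.
            if not rip.is_loopback:
                result["remote_clients"].append(str(rip))
        elif str(rip) in expected:
            result["expected"].append(str(rip))
        else:
            result["unexpected"].append(str(rip))
    return result

if __name__ == "__main__":
    for bucket, peers in classify(SAMPLE, 4321).items():
        print(f"{bucket}: {peers}")
```

An address in `unexpected` is a lead to look up, not a verdict: as the posts in this thread note, Newsbin also contacts its search server over SSL and makes a startup connection for the MOTD, and round-robin DNS answers change over time.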

Re: does Newsbin allow server redirection?

Post by Quade » Tue Jun 03, 2014 9:22 am

I talked to someone more knowledgeable than me about VPNs. He says it's possible to connect to Newsbin through a VPN but, that most commercial VPN providers prevent it from happening. That when you use a commercial VPN, it's outbound only meaning people can't connect to your VPN IP from the internet.