The Dude seems to like an imap4 service a lot. It does find it on strange boxes.
What is this?
IMAP4? It is a mail protocol:
http://www.answers.com/main/ntquery?method=4&dsid=1512&dekey=IMAP4&curtab=1512_1&linktext=IMAP4
Yeah, I doubt that random Linksys WET11 or Motorola WE800G or even the Mikrotik RB532 has the imap4 service running.
I suspect the Dude has some troubles with detection of a service and that is why it will tend to come up with the imap4 service all over the place.
http://ragana.sauenet.ee/minu_vork2.pdf
yes, that’s really odd. we will investigate. thanks
of course you can manually try to see if port 143 is open on those devices,
but i suspect that you might have some kind of destination NAT in the way
between dude server and those boxes
My internal network runs on plain old routing and there is NAT only at the exit of the whole LAN.
Does the MikroTik running on RB532 have imap4 running?
On my network one of the MikroTiks has the following addresses:
192.168.18.1
192.168.16.1
192.168.25.1
192.168.6.1
192.168.20.1
These addresses are attached to the same device, but yet the Dude will find imap4 running on 192.168.18.1 and 192.168.20.1.
[ivo@sarmax ~]$ nmap 192.168.20.1
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-05-12 19:50 EEST
Interesting ports on ranume_l1 (192.168.20.1):
(The 1669 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
2000/tcp open callbook
3986/tcp open mapper-ws_ethd
9876/tcp open sd
Nmap finished: 1 IP address (1 host up) scanned in 6.065 seconds
[ivo@sarmax ~]$ nmap 192.168.18.1
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-05-12 19:51 EEST
Interesting ports on hor (192.168.18.1):
(The 1669 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
2000/tcp open callbook
3986/tcp open mapper-ws_ethd
9876/tcp open sd
Nmap finished: 1 IP address (1 host up) scanned in 6.470 seconds
[ivo@sarmax ~]$ nmap 192.168.16.1
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-05-12 19:51 EEST
Interesting ports on ranume (192.168.16.1):
(The 1669 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
2000/tcp open callbook
3986/tcp open mapper-ws_ethd
9876/tcp open sd
Nmap finished: 1 IP address (1 host up) scanned in 12.490 seconds
[ivo@sarmax ~]$ nmap 192.168.25.1
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-05-12 19:51 EEST
Interesting ports on kuid (192.168.25.1):
(The 1669 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
2000/tcp open callbook
3986/tcp open mapper-ws_ethd
9876/tcp open sd
Nmap finished: 1 IP address (1 host up) scanned in 5.257 seconds
[ivo@sarmax ~]$ nmap 192.168.6.1
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-05-12 19:51 EEST
Interesting ports on bru (192.168.6.1):
(The 1669 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
2000/tcp open callbook
3986/tcp open mapper-ws_ethd
9876/tcp open sd
Nmap finished: 1 IP address (1 host up) scanned in 12.187 seconds
[ivo@sarmax ~]$ nmap 192.168.20.1
Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-05-12 19:51 EEST
Interesting ports on ranume_l1 (192.168.20.1):
(The 1669 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
2000/tcp open callbook
3986/tcp open mapper-ws_ethd
9876/tcp open sd
Nmap finished: 1 IP address (1 host up) scanned in 6.606 seconds
[ivo@sarmax ~]$
Same here, imap where it should not be. Though, I’ve noticed something else, quite a few revisions ago. I’ve installed exactly the same version of Dude using the same (default) install options on two computers, one running WinXP with previous Dude installs removed, and the fresh one, with no previous Dude installs, running Win 2K. The first computer appeared normal, Dude as I’m accustomed it to be (aforementioned IMAP problem included).
The second computer never reported ghost imap services, and there’s more to it: it had icons/graphics for all predefined server types (mikrotik, router, web server, etc.) automagically added after detection. I’ve never seen any predefined graphics in Dude before or after, even using the same install package!
That’s when it hit me - should Dude always be like that one? Are those graphic elements included in all versions, but remain hidden? This was one case in few dozen installs, and later upgrades on that very same W2K machine all reported ghost imaps (and graphics were never to be seen again).
So I have to ask you one question: do you see graphics?
what? of course they (detected devices) should always appear as graphical icons, representing the device type. they do not appear if you do not do the services scan. uldis will clarify
Well, seems like missing icons problem is finally solved in the latest release candidate. Just tried fresh rc9 install, and icons worked… nice. Then I reverted back to rc8 and - nah, no icons. Back to rc9 again, and - bingo, seems like icons are here to stay! What bugs me the most is how come no one else noticed this?
Anyway, back to topic - imap4 ghosts are not exorcised with rc9. Here is the result of my first scan using rc9 (mikrotik host scanned):

From 1.0rc9 changelog:
*) installation with ‘reset config’ checked did not install default files
this is about default icons as well.
About IMAP4: dude uses the same code for probing any TCP service - it's
generic, no matter if it's telnet, ftp, smtp or imap. Were you running dude
server on same computer from which you were doing nmap? If not try making
‘telnet x.x.x.x 143’ from command line from same computer where dude server
is running and see if connection attempt succeeds. Tell us the results.
From one address:
* BYE [ALERT] Cannot connect to IMAP server 192.168.2.7 (192.168.2.7:143), connect error 10061
Connection to host lost.
NMAP within the target host:
[root@ragana ~]# nmap localhost
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-05-23 14:56 EEST
Interesting ports on localhost (127.0.0.1):
(The 1665 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
113/tcp open auth
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3128/tcp open squid-http
Nmap finished: 1 IP address (1 host up) scanned in 0.236 seconds
[root@ragana ~]#
Where does this message come from?
Target host or local?
you have a too smart telnet client. the idea was not to make it connect with imap, but try telnet to the imap’s port and see what it says. we will research why dude finds these.
It is the telnet that WinXP Pro is shipped with.
Do you have any other I can try with?
apparently then you DO have some imap port open, because I see a different error on windows xp:
C:\Documents and Settings\Administrator>telnet demo2.mt.lv 143
Connecting To demo2.mt.lv...Could not open connection to the host, on port 143:
Connect failed
What is this “some imap port”?
I suspect the Windows just thinks that there is an imap4 service running, but actually there is none.
From another box running Linux:
[ivo@haskaa ivo]$ telnet 192.168.2.7 143
Trying 192.168.2.7...
telnet: connect to address 192.168.2.7: Connection refused
telnet: Unable to connect to remote host: Connection refused
[ivo@haskaa ivo]$
Edit:
And the same Dude box booted into Linux:
[ivo@sarmax ~]$ telnet 192.168.2.7 143
Trying 192.168.2.7...
telnet: connect to address 192.168.2.7: Connection refused
telnet: Unable to connect to remote host: Connection refused
[ivo@sarmax ~]$
Well, this is weird… using linux, I’ve just tried this (10.44.6.1 = mikrotik):
x@node ~$ telnet 10.44.6.1 143
Trying 10.44.6.1...
telnet: Unable to connect to remote host: Connection refused
What actually happens is here:
root@node ~# tcpdump -nv |grep 10.44.6.1.143
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
03:48:58.756930 IP (tos 0x10, ttl 64, id 51057, offset 0, flags [DF], length: 60) 10.44.6.10.37343 > 10.44.6.1.143: S [tcp sum ok] 257162961:257162961(0) win 5840 <mss 1460,sackOK,timestamp 17709472 0,nop,wscale 0>
03:48:58.757177 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], length: 40) 10.44.6.1.143 > 10.44.6.10.37343: R [tcp sum ok] 0:0(0) ack 257162962 win 0
I’ve also tried using port 144, with the same result:
root@node ~# tcpdump -nv |grep 10.44.6.1.144
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
03:47:14.781602 IP (tos 0x10, ttl 64, id 12250, offset 0, flags [DF], length: 60) 10.44.6.10.37342 > 10.44.6.1.144: S [tcp sum ok] 160120537:160120537(0) win 5840 <mss 1460,sackOK,timestamp 17699075 0,nop,wscale 0>
03:47:14.781840 IP (tos 0x10, ttl 64, id 0, offset 0, flags [DF], length: 40) 10.44.6.1.144 > 10.44.6.10.37342: R [tcp sum ok] 0:0(0) ack 160120538 win 0
So, it rejects connection the same way for both ports. Anyway, Dude keeps reporting that 143 is up, and if I adjust Dude’s imap4 probe to use port 144, it reports service down. It does not find imap4 service on that linux box I’ve used for this testing. Windows telnet does the same thing Ivoshie reported for both linux box and mikrotik if using port 143, as does putty (another telnet client), too:
* BYE [ALERT] Cannot connect to IMAP server 10.44.6.1 (10.44.6.1:143), connect error 10061
Connection to host lost.
Using port 144, both telnet clients report just normal “connection refused”. Could it be that the same thing that makes telnet clients behave differently using port 143 is confusing Dude so it reports imap service where there’s none?
I always see the IMAP4 service come up as well, even on switches and Orthogon equipment. I always ignored it.
While reading this thread, I got an idea… Are you running an anti-virus program that does email scanning? I am running avast on that box. I haven’t had a chance to try it from different boxes (ones without the antivirus).
The local anti-virus scanner is probably answering the IMAP request from Dude so as to allow for virus scanning, but because nothing is actually there, telnet never actually gets anywhere.
Quite right, tnx Hammy!
After disabling firewall and antivirus protection, Dude’s probes give expected results, with no ghost or missing services. Perhaps this should be noted somewhere in the manual.
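The thread's finding, as an added example that is not part of any post and is not The Dude's own code: a connect-only TCP probe reports "up" when a local mail-scanning proxy completes the handshake, while a probe that checks the IMAP server greeting (`* OK` or `* PREAUTH`, versus `* BYE`) does not. The function names and the localhost `fake_peer` listener are hypothetical; the `* BYE` line is the one quoted in the thread.

```python
import contextlib
import socket
import threading

def connect_only_probe(host, port, timeout=3.0):
    """Generic TCP probe: reports 'up' as soon as the handshake completes."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def imap_greeting_probe(host, port, timeout=3.0):
    """Classify a port by its first line: 'closed', 'imap', 'rejected' or 'not-imap'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                      # RST or timeout: nothing accepted the SYN
    data = b""
    with sock, contextlib.suppress(OSError):  # a timeout/reset leaves data as read so far
        while b"\n" not in data and len(data) < 1024:
            chunk = sock.recv(256)
            if not chunk:
                break                        # peer closed before sending a full line
            data += chunk
    if data.startswith((b"* OK", b"* PREAUTH")):
        return "imap"                        # valid IMAP4 server greeting
    if data.startswith(b"* BYE"):
        return "rejected"                    # something answered, but it refuses service
    return "not-imap"

def fake_peer(greeting):
    """Constructed localhost listener that sends `greeting` to each client; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, contextlib.suppress(OSError):
                conn.sendall(greeting)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

# Sample input: the line the Windows telnet clients in the thread received on port 143.
AV_PROXY_BYE = (b"* BYE [ALERT] Cannot connect to IMAP server 10.44.6.1 "
                b"(10.44.6.1:143), connect error 10061\r\n")
```

Running both probes from the monitoring host itself matters here: the interception described in the thread happens on the machine where the probe originates, so a scan from another box will not reproduce it.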