main shortcuts

Port 25 Details

known port assignments and vulnerabilities

threat/application/port search:

Port(s)	Protocol	Service	Details	Source
25	tcp	SMTP	SMTP (Simple Mail Transfer Protocol). Many worms contain their own SMTP engine and use it to propagate by mass-mailing the payload, often also spoofing the "From: ..." field in emails. If you are not running a mail server that you're aware of, there is a possibility your system is infected. Integer overflow in Apple Safari [CVE-2010-1099], Arora [CVE-2010-1100], Alexander Clauss iCab [CVE-2010-1101], OmniWeb [CVE-2010-1102], Stainless [CVE-2010-1103] allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25. List of some trojan horses/backdoors that use this port: Ajan, Antigen, Barok, Email Password Sender - EPS, EPS II, Gip, Gris, Happy99, Hpteam mail, Hybris, I love you, Kuang2, Magic Horse, MBT (Mail Bombing Trojan), Moscow Email trojan, Naebi, NewApt worm, ProMail trojan, Shtirlitz, Stealth, Tapiras, Terminator, WinPC, WinSpy, Aji, Email Worms, Haebu Coceda, Loveletter, Neabi, Shtrilitz. W32.Sober.I@mm [Symantec-2004-111900-1451-99] (2004.11.19) - mass-mailing worm that uses its own SMTP engine. Affects all current Windows versions. Checks network connectivity by contacting a NTP server on port 37/tcp. Trojan.Mitglieder.R [Symantec-2005-070117-2559-99] (2005.07.01) - trojan with backdoor capabilities. It runs a SOCKS4 proxy server and periodically contacts websites with information about the compromised computer. Attempts to open a back door on port 9040/tcp. Might also initiate a SMTP spam relay server on port 25/tcp. W32.Beagle.CX@mm [Symantec-2005-121511-1751-99] (2005.12.15) - mass-mailing worm that uses its own SMTP engine to spread Trojan.Lodear.E [Symantec-2005-110111-3344-99]. Also opens a backdoor on port 80/tcp and lowers security settings on the compromised computer. Backdoor.Rustock [Symantec-2006-060111-5747-99] (2006.06.01) - backdoor program that allows the compromised computer to be used as a proxy, uses rootkit techniques to hide its files and registry entries. NJStar Communicator is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MiniSMTP server when processing packets. By sending a specially-crafted request to TCP port 25, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. References: [CVE-2011-4040], [XFDB-71086], [BID-50452] Datalust Seq.App.EmailPlus (aka seq-app-htmlemail) 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended. References: [CVE-2021-43270] Trojan.Win32.Barjac / Remote Stack Buffer Overflow - Trojan.Win32.Barjac makes SMTP connection to Port 25, upon processing the server response we control, we overwrite instruction pointer (EIP), undermining the integrity of the trojan. References: [MVID-2021-0011]	SG
25	udp	games	Final Fantasy XI	SG
25	tcp		Simple Mail Transfer Protocol (SMTP) - used for e-mail routing between mail servers (official)	Wikipedia
25	tcp	trojan	Antigen, Barok, BSE, Email Password Sender , Gip, Laocoon, Magic Horse, MBT , Moscow Email trojan, Nimda, Shtirlitz, Stukach, Tapiras, WinPC	Trojans
25	tcp,udp	applications	SMTP	Portforward
25	tcp	Ajan	[trojan] Ajan	Neophasis
25	tcp	Antigen	[trojan] Antigen	Neophasis
25	tcp	Barok	[trojan] Barok	Neophasis
25	tcp	BSE	[trojan] BSE	Neophasis
25	tcp	EmailPasswordSender	[trojan] Email Password Sender - EPS	Neophasis
25	tcp	EPSII	[trojan] EPS II	Neophasis
25	tcp	Gip	[trojan] Gip	Neophasis
25	tcp	Gris	[trojan] Gris	Neophasis
25	tcp	Happy99	[trojan] Happy99	Neophasis
25	tcp	Hpteammail	[trojan] Hpteam mail	Neophasis
25	tcp	Hybris	[trojan] Hybris	Neophasis
25	tcp	Iloveyou	[trojan] I love you	Neophasis
25	tcp	Kuang2	[trojan] Kuang2	Neophasis
25	tcp	MagicHorse	[trojan] Magic Horse	Neophasis
25	tcp	MBTMailBombingTrojan	[trojan] MBT (Mail Bombing Trojan)	Neophasis
25	tcp	MBT	[trojan] MBT (Mail Bombing Trojan)	Neophasis
25	tcp	MoscowEmailtrojan	[trojan] Moscow Email trojan	Neophasis
25	tcp	Naebi	[trojan] Naebi	Neophasis
25	tcp	NewAptworm	[trojan] NewApt worm	Neophasis
25	tcp	ProMailtrojan	[trojan] ProMail trojan	Neophasis
25	tcp	Shtirlitz	[trojan] Shtirlitz	Neophasis
25	tcp	Stealth	[trojan] Stealth	Neophasis
25	tcp	Stukach	[trojan] Stukach	Neophasis
25	tcp	Tapiras	[trojan] Tapiras	Neophasis
25	tcp	Terminator	[trojan] Terminator	Neophasis
25	tcp	WinPC	[trojan] WinPC	Neophasis
25	tcp	WinSpy	[trojan] WinSpy	Neophasis
25	tcp	threat	Ajan	Bekkoame
25	tcp	threat	Antigen	Bekkoame
25	tcp	threat	Bancos	Bekkoame
25	tcp	threat	Barok	Bekkoame
25	tcp	threat	Chimo	Bekkoame
25	tcp	threat	Email Password Sender - EPS	Bekkoame
25	tcp	threat	EPS II	Bekkoame
25	tcp	threat	Gip	Bekkoame
25	tcp	threat	Gris	Bekkoame
25	tcp	threat	Happy99	Bekkoame
25	tcp	threat	Hpteam mail	Bekkoame
25	tcp	threat	Hybris	Bekkoame
25	tcp	threat	I love you	Bekkoame
25	tcp	threat	Kuang2	Bekkoame
25	tcp	threat	Magic Horse	Bekkoame
25	tcp	threat	MBT (Mail Bombing Trojan)	Bekkoame
25	tcp	threat	Mitglieder	Bekkoame
25	tcp	threat	Moscow Email trojan	Bekkoame
25	tcp	threat	Naebi	Bekkoame
25	tcp	threat	NewApt worm	Bekkoame
25	tcp	threat	ProMail trojan	Bekkoame
25	tcp	threat	Rustock	Bekkoame
25	tcp	threat	Shtirlitz	Bekkoame
25	tcp	threat	Stealth	Bekkoame
25	tcp	threat	Tapiras	Bekkoame
25	tcp	threat	Terminator	Bekkoame
25	tcp	threat	W32.Beagle	Bekkoame
25	tcp	threat	W32.HLLP.Sality	Bekkoame
25	tcp	threat	WinPC	Bekkoame
25	tcp	threat	WinSpy	Bekkoame
25	tcp,udp	smtp	Simple Mail Transfer [RFC5321] , modified: 2017-06-05	IANA

63 records found

SG security scan: port 25

jump to:

Related ports: 26 110 143 125 465 2525 110 443

« back to SG Ports

External Resources
SANS ISC: port 25

Notes:
Port numbers in computer networking represent communication endpoints. Ports are unsigned 16-bit integers (0-65535) that identify a specific process, or network service. IANA is responsible for internet protocol resources, including the registration of commonly used port numbers for well-known internet services.
Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private : 49152 through 65535.

TCP ports use the Transmission Control Protocol, the most commonly used protocol on the Internet and any TCP/IP network. TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and that packets will be delivered in the same order in which they were sent. Guaranteed communication/delivery is the key difference between TCP and UDP.

UDP ports use the Datagram Protocol. Like TCP, UDP is used in combination with IP (the Internet Protocol) and facilitates the transmission of datagrams from one computer to applications on another computer, but unlike TCP, UDP is connectionless and does not guarantee reliable communication; it's up to the application that received the message to process any errors and verify correct delivery. UDP is often used with time-sensitive applications, such as audio/video streaming and realtime gaming, where dropping some packets is preferable to waiting for delayed data.

When troubleshooting unknown open ports, it is useful to find exactly what services/processes are listening to them. This can be accomplished in both Windows command prompt and Linux variants using the "netstat -aon" command. We also recommend runnig multiple anti-virus/anti-malware scans to rule out the possibility of active malicious software. For more detailed and personalized help please use our forums.

Please use the "Add Comment" button below to provide additional information or comments about port 25.

Post your review/comments

rate: avg: