helpd trying to connect to strange websites

I have the same problem with helpd. I get requests (some of these blocked with Little Snitch) by

- pixelmator.com (I uninstalled with AppCleaner !!) ù

- s3.amazonaws.com (like others in this discussion)

- other connections including apple.com

In all these years there is some news or at least some tool to understand from where/what these connection requests arrive?

Google the IP address, sometimes you'll find out what it's fronting for.

Apple keeps its secrets.

Amazon wants to keep all of yours, they put trackers all over the Web to report back to Bald Master where you were seen.

Several applications use Apple's Help process to display their help information. They store that information on a web server, so when you ask for application "Help" the helpd process retrieves the information from their server to display in the Help window. You should allow all such connections, in my opinion.

http://www.thesafemac.com/eliminating-browser-redirects-and-advertisements/

I have a similar problem, but that link didn't help as it doesn't mention helpd. I sent an email to the support link of the website that helpd keeps wanting to connect (it is a valid website for the maker of "Pacifist"). So my question, MadMacs, is which section of that linked article would apply in our cases?

romad wrote:

I have a similar problem, but that link didn't help as it doesn't mention helpd. I sent an email to the support link of the website that helpd keeps wanting to connect (it is a valid website for the maker of "Pacifist"). So my question, MadMacs, is which section of that linked article would apply in our cases?

In your case, none. I can confirm that Pacifist does keep maintain it's help pages on charlessoft.com, so that is a valid request. In my case, I also see that Flip4Mac and/or Flip Player do the same thing with telestream.com.

That being said, the main causes of redirects to advertising these days involves browser extensions, so that would be the first place to look if you are having that sort of issue.

OK, thanks for clearing that up. I'll tell Little Snitch to allow that connection "Forever".

MM0, I know this is an old thread, but I've been searching around in vain for an explanation. The past few days, I've been getting a number of helpd wants to connect to various sites alerts from Little Snitch. I've read the link you provided from Thomas, but I don't really see how that would be applicable to this helpd thing. I don't see this as being a browser redirect. Possibly adware, but if so, wonder why from helpd?

To my knowledge I haven't installed anything from the known adware sites. I did just install Magic Prefs, but that came directly from the dev, and I've recently updated Flip4Mac, also directly from Telestream. Almost as soon as I installed that update, I got a helpd connection attempt to telestream. And some time before that, a helpd connection attempt to s3.amazonaws.com. Magic Prefs appears to get a clean bill of health.

I've also looked in ~/Library/Caches/com.apple.helpd/Generated, and I'm not finding anything there that would explain these connection attempts. The latest is to images.software.com. The reverse DNS is to 205.251.242.187, which is an Amazon IP. To my knowledge, I've never even visited software.com. FWIW, it comes up clean on Virus Total.

Of course, adware doesn't usually get included in malware definitions.

They have all been port 80.

An update. I've started running Sophos on this 10.8.5, and I temporarily disabled its web protection items through which all connections were being made. By doing that, I was able to see that Firefox was connecting to images.sofware.com on startup in the Little Snitch network monitor. No idea why it wants to do that, but I've now blocked it. Kind of puzzling why and to what helpd decides it wants to connect.

Could it be pre-loading/cacheing something for a Firefox add-on ?.

I guess that's certainly possible. No idea which Add-on would need to connect to software.com, or why, though. FF does connect to Ghostery and some other Add-ons, like NoScript, on startup, and helpd never wants to connect to either of those. it's just very strange what helpd decides to what it wants to connect.

Also, I never saw this when I was running from 10.6, so maybe it's a 10.8 helpd thing.

I started this last night, but have way too much going on right now. One of my projects came to an unexpected stop, so I can give you a few minutes now but it will probably be ten days or so before I have time to take it on as a project.

WZZZ wrote:

The past few days, I've been getting a number of helpd wants to connect to various sites alerts from Little Snitch. I've read the link you provided from Thomas, but I don't really see how that would be applicable to this helpd thing. I don't see this as being a browser redirect. Possibly adware, but if so, wonder why from helpd?

Yes, I recommended that page without noticing that helpd was involved. After I saw the me too from romad I realized I was on the wrong track.

To my knowledge, I've never even visited software.com.

Maybe you should. It seems to be a clean site with only a couple of tracker cookie from Google and what site doesn't have that. OTOH it's brand new, introducing this product just last month and apparently located in Wilmington, DE. This will give you an idea of what it's features are supposed to be:

So it would appear to be some sort of Cleaner app with MacUpdate like features. I hesitate to speculate like this, but I'm hoping they aren't considering using the MacKeeper partnership advertising model. I don't see any obvious links to how to become an associate/partner, but I think it would behoove us all to watch to see how their advertising campaign runs.

I did download the installer and it seems very clean with no hidden adware installers. It's code-signed with an Apple Developer ID and it would appear to simply install and applications named "Software.com". Pacifist shows:

I'm most mystified by the role that helpd plays here. I can't find any developer documentation on it and I don't understand why Apple needs a daemon running to perform help functions. It would seem that the Help Viewer itself is fully capable of downloading help files that are stored and maintained on the web. From what we've seen here, there are a few developers using the Apple Help framework's helpd process to access and display their help files. I can speculate that there might be ways to utilize this capability to display other things, such as whatever image file it's after in your case (download button perhaps).

Again, I think we should start watching this more closely, but I don't really have much to suggest at this point.

Thanks for all that. I'll keep on the lookout for anything new you find when you have the time. For the time being, at least, it seems helpd is taking a rest.

Anything new on this one? I wasn't able to find out anything else and don't see it mentioned in ASC or the Internet in general over the past month.

Nothing new. Hasn't bothered me again. I have it allowed in LS to connect to Apple, but blocked everywhere else it tried to connect.