Date: Fri, 18 Jun 2004 19:43:08 +0100
From: Robert Downes <nullentropy@lineone.net>
To: freebsd-ipfw@freebsd.org
Subject: Re: Blocked outbound traffic - what is it?
Message-ID: <40D337BC.5060403@lineone.net>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGAECLGDAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGAECLGDAA.Barbish3@adelphia.net>
JJB wrote:
> Those web sites are ms/windows spyware reporting home about where
> you browse. Just type those ip addresses into your browser and you
> will see the double-click banner page. Your ipfw rules are doing their
> thing of not allowing that ms/windows spyware to do its thing.

I'm fairly sure it's not spyware. I've run virus and adware/spyware scans, and nothing has shown up.

> From your ipfw log I would say the ms/windows box you are using is
> compromised. Looks to me like you have an email virus and spyware on
> that box. Ipfw is working just fine.

I'm sure IPFW is working fine. But I'm curious as to where these requests are coming from.

> Use nslookup ipaddress from the FBSD command line to check out
> those logged ip addresses next time.

I have been doing so. The names of most addresses are legitimate. Some, though, are for banner ad companies. For instance, when testing by going to microsoft.com (a site I was sure would use banner ads and the like), I get a denied outgoing packet to 207.46.248.107 port 80. The name of this address is reported as c.microsoft.com. Looking through the source code for the microsoft.com main page, there is an entry for c.microsoft.com in a section of JavaScript which seems to call for a 'trans_pixel.asp?' from c.microsoft.com. I assume this is a quiet little transparent image created by a tracking script.

But what I want to know is: how come Mozilla can happily request most images from port 80 with success, but a strange little image like this one does not have its request granted? Is it because this image is on a third-party URL (and hence a different IP address)? Do image requests look different (in packet details terms) to initial requests for an HTML page?

> The ip address of the 110 packet is not your ISP's pop3 email server
> I bet.

No. The addresses are all part of the domains of the groups that supply my mail service. However, the addresses resolve to names that are slightly different to my actual POP server name. E.g. my POP server is port 110 at pop.mail.yahoo.com (216.136.173.10) and the denied packets are asking to go to 216.136.173.10 port 110, but nslookup reports the name as pop.vip.sc5.yahoo.com. But I thought that IPFW ignored names unless they were explicitly specified (and no names are specified). So something else is making those packets fail. But I still receive mail perfectly well to that account. So it's all a little mysterious. (To me, that is. I'm sure veterans know what is going on.)

-- 
Bob
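As an added example (not part of this thread or of ipfw itself): a small Python parser for ipfw syslog "Deny" lines that groups denied outbound packets by local source host and destination, which is the first step in answering the question of where the blocked requests originate. The log lines below are constructed in the standard ipfw TCP/UDP log format; the hosts and interface name are assumptions.

```python
import re
from collections import Counter

# One ipfw syslog line for TCP/UDP (constructed example of the format):
#   Jun 18 19:40:02 gw kernel: ipfw: 300 Deny TCP 192.168.0.2:1037 207.46.248.107:80 out via rl0
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return the fields of one ipfw TCP/UDP log line as a dict, or None
    if the line is not in that format (ICMP lines, other kernel messages)."""
    m = IPFW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def denied_outbound(lines):
    """Count 'Deny ... out' packets per (local host, destination, port, proto).
    The local source host shows which LAN machine originates the blocked
    traffic; the destination and port show what it is trying to reach."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny" and rec["direction"] == "out":
            counts[(rec["src"], rec["dst"], rec["dport"], rec["proto"])] += 1
    return counts


# Constructed sample log modelled on the denials described in the thread
SAMPLE_LOG = [
    "Jun 18 19:40:02 gw kernel: ipfw: 300 Deny TCP 192.168.0.2:1037 207.46.248.107:80 out via rl0",
    "Jun 18 19:40:05 gw kernel: ipfw: 300 Deny TCP 192.168.0.2:1041 207.46.248.107:80 out via rl0",
    "Jun 18 19:40:07 gw kernel: ipfw: 100 Accept TCP 192.168.0.2:1042 192.0.2.10:80 out via rl0",
    "Jun 18 19:41:30 gw kernel: ipfw: 300 Deny TCP 192.168.0.2:1050 216.136.173.10:110 out via rl0",
    "Jun 18 19:41:31 gw kernel: ipfw: 300 Deny ICMP:8.0 10.0.0.5 192.168.0.1 in via rl0",
]

if __name__ == "__main__":
    for (src, dst, port, proto), n in sorted(denied_outbound(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{port}/{proto}: {n} denied")
```

The counts can be fed to a reverse-DNS lookup afterwards; keeping the local source host in the key is what distinguishes one browser on one machine from a second, unexpected sender on the LAN.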