Blocked outbound traffic - what is it?

Robert Downes nullentropy at lineone.net
Fri Jun 18 18:44:58 GMT 2004 

JJB wrote:

>Those web sites are ms/windows spyware reporting home about where
>you browse. Just type those ip address into your browser and you
>will see dubble-click banner page.  Your ipfw rules are doing there
>thing of not allowing those ms/windows spyware do their thing.
>  
>
I'm fairly sure it's not spyware. I've run virus and adware/spyware 
scans, and nothing has shown up.

>>From your ipfw log I would say the ms/windows box you are using is
>compromised. Looks to me like you have email virus and spyware on
>that box.  Ipfw is working just fine.
>  
>
I'm sure IPFW is working fine. But I'm curious as to where these 
requests are coming from.

>Use nslookup  ipaddress  from FBSD command line to checkout out
>those loged ip address next time.
>  
>
I have been doing so. The names of most addresses are legitimate. Some, 
though, are for banner ad companies. For instance, when testing by going 
to microsoft.com (a site I was sure would use banner ads and the like), 
I get a denied outgoing packet to 207.46.248.107 port 80. The name of 
this address is reported as c.microsoft.com. Looking through the source 
code for the microsoft.com main page, there is an entry for 
c.microsoft.com in a section of JavaScript which seems to call for a 
'trans_pixel.asp?' from c.microsoft.com. I assume this is a quiet little 
transparent image created by a tracking script.

But what I want to know is: how come Mozilla can happily request most 
images from port 80 with success, but a strange little image like this 
one does not have its request granted? Is it because this image is on a 
third-party URL (and hence different IP address)? Do image requests look 
different (in packet details terms) to initial requests for an HTML page?

>The ip address of the 110 packet is not your ISP's pop3 email server
>I bet.
>
No. The addresses are all part of the domains of the groups that supply 
my mail service. However, the addresses resolve to names that are 
slightly different to my actual POP server name. E.g. my POP server is 
port 110 at pop.mail.yahoo.com (216.136.173.10) and the denied packets 
are asking to go to 216.136.173.10 port 110 but nslookup reports the 
name as pop.vip.sc5.yahoo.com but I thought that IPFW ignored names 
unless they were explicitly specified (and no names are specified). So 
something else is making those packets fail. But I still receive mail 
perfectly well to that account.

So it's all a little mysterious. (To me, that is. I'm sure veterans know 
what is going on.)

-- 
Bob

More information about the freebsd-ipfw mailing list