Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 1 subscriber
  • Views 10205 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Spam Resolver + Spoof protection

Jim Tagert
Here's the deal...

With spoof protection on "strict" I'm getting thousands of Ack Psh Fin packets logged each day. With spoof protection on "normal" I get less but still too many. The culprit is:

64.191.223.35 or c2resolver1.ctmail.com or "full request (post)" = http://resolver1.ast.ctmail.com/spamresolverNG/spamresolver.dll?DoNewRequest

Other than turning off the spoof protection entirely (Which I did. It worked.) or turning the email protection off (Which I did. It worked.) does anyone have an idea that might reduce the number of log entries for what I think is legitimate traffic?

Thanks.


This thread was automatically locked due to age.
Parents
  • 0
    We should look at a picture of the rule and a line from the firewall log demonstrating that it was not applied.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    We should look at a picture of the rule and a line from the firewall log demonstrating that it was not applied.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson
    Two rules both at top most position

    1) 64.191.223.35 (c2resolver1.ctmail.com) --> any --> any

    2) any --> any --> 64.191.223.35 (c2resolver1.ctmail.com)

    Snap shot of rules enclosed.

    Definition bound to "any"
    Action set to "Drop".
    Log Traffic checked.

    ***.***.***.*** is the gateway ip address.
    XX:XX:XX:XX:XX:XX is the MAC address of the gateway card.

    With "Use strict TCP session handling" checked log is:

    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK FIN" 
    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN" 
    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN" 

    As you can see, the traffic is from the UTM and its own "strict" evaluator doesn't like its own traffic.

    Can you explain it?
Unfiltered HTML