
Spam Resolver + Spoof protection

Here's the deal...

With spoof protection on "strict" I'm getting thousands of ACK PSH FIN packets logged each day. With spoof protection on "normal" I get fewer, but still too many. The culprit is:

64.191.223.35 or c2resolver1.ctmail.com or "full request (post)" = http://resolver1.ast.ctmail.com/spamresolverNG/spamresolver.dll?DoNewRequest

Other than turning off the spoof protection entirely (which I did; it worked) or turning the email protection off (which I did; it worked), does anyone have an idea that might reduce the number of log entries for what I think is legitimate traffic?

Thanks.


  • We should look at a picture of the rule and a line from the firewall log demonstrating that it was not applied.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Two rules, both at the topmost position:

    1) 64.191.223.35 (c2resolver1.ctmail.com) --> any --> any

    2) any --> any --> 64.191.223.35 (c2resolver1.ctmail.com)

    Snapshot of rules enclosed.

    Definition bound to "any"
    Action set to "Drop".
    Log Traffic checked.

    ***.***.***.*** is the gateway ip address.
    XX:XX:XX:XX:XX:XX is the MAC address of the gateway card.

    With "Use strict TCP session handling" checked, the log is:

    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK FIN" 
    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN" 
    2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth#" srcmac="XX:XX:XX:XX:XX:XX" srcip="***.***.***.***" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN" 

    As you can see, the traffic is from the UTM and its own "strict" evaluator doesn't like its own traffic.

    Can you explain it?
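As an added example (not code from this thread or from Sophos), here is a small triage script for ulogd packetfilter lines like the ones posted above. It parses the key="value" fields, separates entries whose logged action is the state check itself (name="strict TCP state", fwrule="60009") from hits on ordinary firewall rules, counts how many of the strict-state drops were sourced by the gateway's own IP, and suppresses the gateway-to-resolver noise from a review queue while leaving everything else in it. The sample lines are constructed from the post: 192.0.2.1 and 00:11:22:33:44:55 stand in for the masked gateway IP and MAC, and the final inbound "Packet dropped" line on rule 60001 is assumed for contrast.

```python
"""Triage Sophos UTM ulogd packetfilter lines: separate strict-TCP-state
drops from ordinary rule hits and suppress known-good self-originated noise.
Added example; not code from the thread or from Sophos."""
import re
from collections import Counter

# Constructed sample, modelled on the post. 192.0.2.1 / 00:11:22:33:44:55 are
# placeholders for the masked gateway IP and MAC (assumption); the last line,
# an inbound SYN hit on rule 60001, is assumed for contrast.
SAMPLE_LOG = """\
2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="00:11:22:33:44:55" srcip="192.0.2.1" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK FIN"
2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="00:11:22:33:44:55" srcip="192.0.2.1" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN"
2014:03:27-18:27:44 My Domain ulogd[4126]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" outitf="eth1" srcmac="00:11:22:33:44:55" srcip="192.0.2.1" dstip="64.191.223.35" proto="6" length="52" tos="0x00" prec="0x00" ttl="64" srcport="34571" dstport="80" tcpflags="ACK PSH FIN"
2014:03:27-18:30:01 My Domain ulogd[4126]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="198.51.100.77" dstip="192.0.2.1" proto="6" length="60" tos="0x00" prec="0x00" ttl="52" srcport="41234" dstport="22" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')                            # key="value" pairs
TS_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s')    # ulogd timestamp prefix

STRICT_STATE_NAME = "strict TCP state"


def parse_line(line):
    """Return a dict of fields for one packetfilter line, or None for anything else.
    A regex is used instead of split() because the host name ("My Domain") contains a space."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter":
        return None
    fields["timestamp"] = m.group(1)
    return fields


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_strict_state_drop(entry):
    # Logged under the internal state-check rule (60009 in the post), not a user rule.
    return entry.get("name") == STRICT_STATE_NAME


def summarize(entries, gateway_ips):
    """Count strict-state drops per flow and rule hits per (fwrule, action);
    also count how many strict-state drops the gateway itself originated."""
    strict, rule_hits, self_strict = Counter(), Counter(), 0
    for e in entries:
        if is_strict_state_drop(e):
            strict[(e["srcip"], e["dstip"], e.get("dstport", ""), e.get("tcpflags", ""))] += 1
            if e["srcip"] in gateway_ips:
                self_strict += 1
        else:
            rule_hits[(e.get("fwrule"), e.get("action"))] += 1
    return {"strict": strict, "rule_hits": rule_hits, "self_strict": self_strict}


def triage(entries, gateway_ips, known_good_dsts):
    """Split entries into (kept, suppressed). Suppressed = strict-state drops of the
    gateway's own traffic to a known-good destination such as the spam resolver.
    Everything else, including real rule hits, stays in the review queue."""
    kept, suppressed = [], []
    for e in entries:
        noise = (is_strict_state_drop(e)
                 and e["srcip"] in gateway_ips
                 and e["dstip"] in known_good_dsts)
        (suppressed if noise else kept).append(e)
    return kept, suppressed


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    s = summarize(entries, {"192.0.2.1"})
    for flow, n in s["strict"].most_common():
        print(n, "strict-state drops for", flow)
    print("self-originated strict-state drops:", s["self_strict"])
    kept, suppressed = triage(entries, {"192.0.2.1"}, {"64.191.223.35"})
    print(len(kept), "kept for review,", len(suppressed), "suppressed")
```

Note that in the lines above the logged action is the state check itself (fwrule 60009), not either of the two user rules at the top of the rule set, so those rules do not change what gets logged; the triage filter hides the known-good resolver traffic at review time instead of trying to match it with a rule.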