
Spam Resolver + Spoof protection

Here's the deal...

With spoof protection on "strict" I'm getting thousands of Ack Psh Fin packets logged each day. With spoof protection on "normal" I get less but still too many. The culprit is:

64.191.223.35 or c2resolver1.ctmail.com or "full request (post)" = http://resolver1.ast.ctmail.com/spamresolverNG/spamresolver.dll?DoNewRequest

Other than turning off the spoof protection entirely (Which I did. It worked.) or turning the email protection off (Which I did. It worked.) does anyone have an idea that might reduce the number of log entries for what I think is legitimate traffic?

Thanks.


  • I think you may be right, Jim.  The one thing you might try is to change the source in the traffic selector in #1 to "External (Address)" instead of "Any." At present, I guess that your rule applies to the FORWARD chain, and that changing from "Any" might make the rule apply to the OUTPUT chain, and that that might work.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    I tried that first. I tried the specific addresses. I tried any, which, I thought, would cover ANY / Everything.

    So basically, if someone were able to compromise the root and gain access to the system, then they could set up any kind of BOT, and since the traffic is not controllable or loggable with catch-all type FW rules, they could effectively run undetected forever.

    Funny thing, if the connection to c2resolver1.ctmail.com would work correctly, then I would have never noticed the rest.

    Just for verification, is c2resolver1.ctmail.com actually used by Sophos UTM for the spam tool? I felt like I should ask that question...
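The FORWARD-versus-OUTPUT point Bob raises, and the blind spot Jim describes (traffic the appliance itself originates slipping past a catch-all rule), can be made concrete with a small model of Netfilter chain selection. The block below is an added example written for this thread; it is not Sophos code and does not reproduce UTM's rule engine. The resolver address 64.191.223.35 is the one quoted in the original post; the appliance and LAN addresses, the rule names and the use of port 80 (inferred from the HTTP URL in the post) are assumptions.

```python
"""
Toy model of Netfilter chain traversal on a gateway, showing why a rule
with source "Any" on the FORWARD chain never sees traffic the appliance
itself originates (such as its spam-resolver lookups), and how to audit
for locally originated egress that no OUTPUT rule covers.

Constructed example. Only the resolver IP comes from the thread; the
other addresses are documentation/private ranges chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Addresses held by the appliance itself (assumed). Packets sourced from
# these are locally originated and traverse OUTPUT, never FORWARD.
UTM_EXTERNAL = ip_address("198.51.100.10")   # assumption: TEST-NET-2 range
UTM_INTERNAL = ip_address("192.168.1.1")     # assumption: LAN gateway address
LOCAL_ADDRESSES = {UTM_EXTERNAL, UTM_INTERNAL}

RESOLVER = ip_address("64.191.223.35")       # c2resolver1.ctmail.com, from the thread
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    chain: str                      # "INPUT", "OUTPUT" or "FORWARD"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None     # None = any destination port


def chain_for(pkt: Packet) -> str:
    """Pick the filter chain the kernel would traverse for this packet."""
    if pkt.src in LOCAL_ADDRESSES:
        return "OUTPUT"     # generated by the appliance itself
    if pkt.dst in LOCAL_ADDRESSES:
        return "INPUT"      # addressed to the appliance
    return "FORWARD"        # transit traffic routed through the appliance


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule only sees packets on its own chain, then filters by selector."""
    return (
        rule.chain == chain_for(pkt)
        and pkt.src in rule.src
        and pkt.dst in rule.dst
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def logged_by(rules: List[Rule], pkt: Packet) -> List[str]:
    """Names of the rules that would log this packet."""
    return [r.name for r in rules if rule_matches(r, pkt)]


def uncovered_local_egress(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Locally originated packets no rule logs: the gap where a compromised
    appliance could talk outbound without appearing in the firewall log."""
    return [p for p in packets
            if chain_for(p) == "OUTPUT" and not logged_by(rules, p)]


# Rule #1 as described in the thread: source "Any". Because it lives on
# FORWARD it only ever sees transit traffic.
FORWARD_ANY = Rule("log-resolver-forward", "FORWARD", ANY,
                   ip_network("64.191.223.35/32"), 80)
# Bob's suggestion: source = External (Address), which lands on OUTPUT.
OUTPUT_EXT = Rule("log-resolver-output", "OUTPUT",
                  ip_network(f"{UTM_EXTERNAL}/32"), ip_network("64.191.223.35/32"), 80)

FROM_UTM = Packet(UTM_EXTERNAL, RESOLVER, 80)                 # the appliance's own lookup
FROM_LAN = Packet(ip_address("192.168.1.50"), RESOLVER, 80)   # constructed LAN client


if __name__ == "__main__":
    print(chain_for(FROM_UTM), logged_by([FORWARD_ANY], FROM_UTM))
    print(chain_for(FROM_UTM), logged_by([FORWARD_ANY, OUTPUT_EXT], FROM_UTM))
    print(chain_for(FROM_LAN), logged_by([FORWARD_ANY], FROM_LAN))
    print(uncovered_local_egress([FORWARD_ANY], [FROM_UTM, FROM_LAN]))
```

Run as a script, the first line shows the appliance's own lookup traversing OUTPUT and matching nothing under the FORWARD-only rule set; adding the OUTPUT rule with the external address as source is what makes it visible. The `uncovered_local_egress` check is the audit a defender would keep around: it lists appliance-originated flows that no rule would ever record, which is exactly the condition Jim is worried about.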