If someone has an email client configured to check email on an outside service every X minutes, that would likely explain why it happens overnight.
After I wrote the above paragraph, I took a closer look at the alarm message. 172.26.140.8 is a "private" address (see RFC1918 at http://www2.hunter.com/docs/rfc/rfc1918.html for more information about private addresses). This most likely means that someone using the same ISP as you is "leaking" private address traffic and your ISP is not filtering it (most don't).

There doesn't seem to be enough traffic to think that someone is attempting to mount a denial of service attack, and since the traffic is coming from a private address space there is no way that reply packets could return to the host that originated these packets, so I would have to conclude that this is the result of cluelessness on the part of someone using the same ISP as you rather than any sort of malicious intent.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]

> -----Original Message-----
> From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 09, 2001 10:38 AM
> To: 'Mike Burden'
> Subject: AW: Filter question
>
> Hi Mike
>
> Thanks for taking the time to answer. Strangely most of these reports happen
> overnight and the remote IP addresses cannot be resolved, that's what made
> me suspicious?
> Please let me know if you have other ideas.
>
> Thanks a lot and best wishes
>
> Marc
>
> Suxdorf Studios für Design
> Milchstrasse 6b
> D-20148 Hamburg
> Tel +49 (40) 41345-100
> Fax +49 (40) 41345-101
> Email [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Mike Burden [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 9, 2001 16:20
> To: Marc Suxdorf; '[EMAIL PROTECTED]'
> Subject: RE: Filter question
>
> I answered on Friday, but it looks like my response never
> got through, so I'll try again:
>
> The traffic is coming *FROM* port 110, not *TO* port 110.
> This means that the POP server is on the Internet, not
> a host on the Internet trying to contact a POP server on
> your network.
>
> What this most likely means is that someone on your network
> is retrieving email from an email server outside of your
> network, such as Yahoo, Hotmail, or somesuch.
>
> When the server on the Internet is overloaded, or when
> there is network congestion between your network and the
> server, then some network packets come back after the
> GNAT Box has stopped expecting them. The GNAT Box then
> treats these as an attempt at an unsolicited inbound
> connection, and generates alarm messages.
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 09, 2001 3:13 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: Filter question
> >
> > --------------------- Attention -----------------------------
> > A digest version of this list is now available.
> > Send email to [EMAIL PROTECTED], with the following message:
> > subscribe gb-users-digest your_email_address
> > Then unsubscribe from this list.
> > -------------------------------------------------------------
> > GNAT Box User Forum http://www.gnatbox.com/cgi-bin/Ultimate.cgi
> > Send postings to: [EMAIL PROTECTED]
> > Access the list archives at: http://www.gnatbox.com/gb-users/
> > -------------------------------------------------------------
> >
> > Hi again
> >
> > I know, I am not a pro and maybe I should know this<g>. But still, maybe
> > someone could just quickly let me know whether I am paranoid or not
> > (referred to my post below....).
> >
> > Thanks a lot!
> >
> > Marc
> >
> > -----Original Message-----
> > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 5, 2001 09:40
> > To: '[EMAIL PROTECTED]'
> > Subject: Filter question
> >
> > Hi everyone
> >
> > I get a lot of access attempts from ports 110 to very high ports on my two
> > public IP addresses. I don't have a POP3 server running on the gnat box, nor
> > do I have inbound filters configured for port 110. Could it be that trojans
> > or hackers use 110 as their destination port in order to camouflage
> > something?
> >
> > Thanks for any help
> >
> > Marc
> >
> > 04-10-2001 16:22:09 Local1.Warning 10.0.0.23 Oct 4 16:26:05 FILTER: Remote access filter blocks: TCP ep0 [172.26.140.8/110]->[XXX.XXX.XXX.XXX/22453] l=0 f=0x4.
> >
> > ----------------------------------------------
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe gb-users your_email_address
> > in the body of the message
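
The triage applied in the reply above (traffic *from* port 110, RFC 1918 source address), as an added example that is not part of the original thread: a parser for the GNAT Box alarm line quoted in the first post. The field meanings (`f=` as the TCP flags byte) and the port-1024 cutoff between server and client ports are assumptions, not documented GNAT Box behaviour.

```python
import ipaddress
import re

# Alarm line copied from the first post in the thread (destination masked there).
SAMPLE = ("04-10-2001 16:22:09 Local1.Warning 10.0.0.23 Oct 4 16:26:05 "
          "FILTER: Remote access filter blocks: TCP ep0 "
          "[172.26.140.8/110]->[XXX.XXX.XXX.XXX/22453] l=0 f=0x4.")

ALARM = re.compile(
    r"FILTER: (?P<filter>.+?) blocks: (?P<proto>\w+) (?P<iface>\w+) "
    r"\[(?P<src>[^/\]]+)/(?P<sport>\d+)\]->\[(?P<dst>[^/\]]+)/(?P<dport>\d+)\]"
    r"(?: l=(?P<len>\d+))?(?: f=(?P<flags>0x[0-9a-fA-F]+))?")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: f= is the TCP flags byte; bit names follow the TCP header.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def triage(line):
    """Parse one filter alarm and return the facts used in the reply above."""
    m = ALARM.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    try:
        src = ipaddress.ip_address(m["src"])
        private = any(src in net for net in RFC1918)
    except ValueError:          # masked or malformed address
        private = None
    flags = int(m["flags"], 16) if m["flags"] else 0
    return {
        "src": m["src"], "sport": sport, "dst": m["dst"], "dport": dport,
        # Assumption: ports below 1024 are servers, 1024 and up are client-side.
        "looks_like_server_reply": sport < 1024 <= dport,
        "src_is_rfc1918": private,
        "tcp_flags": [name for bit, name in TCP_FLAGS if flags & bit],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:24} {value}")
```
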
