That looks oddly similar to a SIP INVITE message. Is that how MSN does file transfer? Max-Forwards: 0 and the number of IPv4Internal-Addrs certainly look suspicious.
Adam Tistler
1(732)718-2631
[email protected]

On Mar 15, 2009, at 1:39 PM, ff wrote:

>
> Hi, in the past days I've discovered that the msn gateway was doing an
> insane amount of traffic, so I started sniffing out what was
> happening. I discovered that all is coming from some contacts (quite a
> few indeed) continuously sending packets like this:
>
> .....4..........v..............0...............INVITE
> MSNMSGR:[email protected] MSNSLP/1.0
> To: <msnmsgr:[email protected]>
> From: <msnmsgr:[email protected]>
> Via: MSNSLP/1.0/TLP ;branch={D1245860-8EDC-490C-902F-ADF51436A712}
> CSeq: 0
> Call-ID: {553C514F-9F1A-533A-68C0-574C3B665BEF}
> Max-Forwards: 0
> Content-Type: application/x-msnmsgr-transrespbody
> Content-Length: 30029
>
> Listening: true
> NeedConnectingEndpointInfo: true
> Conn-Type: Port-Restrict-NAT
> TCP-Conn-Type: Symmetric-NAT
> IPv6-global:
> UPnPNat: false
> Capabilities-Flags: 1
> IPv4External-Addrs: 201.41.41.98
> IPv4External-Port: 63649
> IPv4Internal-Addrs: 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100 192.168.0.100
> 192.168.0.100 192.16....
> 091.121.143.160.60615-207.046.026.096.01863: MSG 235 D 549
> MIME-Version: 1.0
> Content-Type: application/x-msnmsgrp2p
> P2P-Dest: [email protected]
>
>
> It seems some sort of invite for a file transfer, which is ignored by
> the gateway. This is presumably a virus (since the users don't know
> they are sending anything), and it's very difficult to block. Is
> anybody else noticing the problem, and any idea how to block it?
> (it's 90% of the traffic on our server at the moment!)
>
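
One way to flag the traffic pattern described in this thread, added here as an example and not code from the gateway or from either poster. It assumes the MSNSLP text has already been reassembled and stripped of its binary P2P framing; the names `parse_slp` and `suspicious` and the thresholds `MAX_ADDRS` and `MAX_BODY` are hypothetical choices, not values from any specification.

```python
from collections import Counter

MAX_ADDRS = 8     # assumed limit on listed internal addresses (not from a spec)
MAX_BODY = 4096   # assumed limit on the declared Content-Length, in bytes

# Constructed sample: a subset of the headers in the quoted capture, with the
# address run cut to 40 repeats, a placeholder account, and no binary framing.
SAMPLE = "\r\n".join([
    "INVITE MSNMSGR:sender@example.invalid MSNSLP/1.0",
    "Max-Forwards: 0",
    "Content-Type: application/x-msnmsgr-transrespbody",
    "Content-Length: 30029",
    "",
    "IPv6-global:",
    "IPv4External-Addrs: 201.41.41.98",
    "IPv4Internal-Addrs: " + " ".join(["192.168.0.100"] * 40),
])

def fields(lines):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    out = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def parse_slp(text):
    """Return (request line, headers, body fields) of one MSNSLP message."""
    head, _, body = text.partition("\r\n\r\n")
    head_lines = head.split("\r\n")
    return head_lines[0], fields(head_lines[1:]), fields(body.split("\r\n"))

def suspicious(text):
    """List the reasons a transport-negotiation INVITE looks abnormal."""
    request, headers, body = parse_slp(text)
    if (not request.startswith("INVITE ")
            or headers.get("content-type") != "application/x-msnmsgr-transrespbody"):
        return []
    reasons = []
    addrs = body.get("ipv4internal-addrs", "").split()
    if len(addrs) > MAX_ADDRS:
        reasons.append("addr-count")
    if addrs and Counter(addrs).most_common(1)[0][1] > 1:
        reasons.append("addr-repeat")
    length = headers.get("content-length", "")
    if length.isdigit() and int(length) > MAX_BODY:
        reasons.append("oversized-body")
    return reasons
```

A gateway could count non-empty results per sending contact and drop or rate-limit that contact's P2P messages once the count passes a limit the operator chooses.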
