Do you only get FIN packets? What about DPT (33151), is it the port you send your original email to hotmail?

Ramin

On Wed, May 15, 2002 at 05:44:53PM -0700, Travis Ogdon wrote:
>
> Whenever sending to a Hotmail account from my server I end up with roughly
> 10 dropped packets from random IP addresses within hotmail's IP space. My
> firewall rules are pretty tight (I think), but no other server has
> demonstrated this problem (and I send to a lot of people on a wide variety
> of other servers).
>
> The weird part is that the message goes through to hotmail just fine right
> away, but then the packets are logged about once a minute for the 10 minutes
> after sending a message. Checking my mail logs shows no connections to the
> IP addresses in question, however the ACK bit is set on all of the packets
> that I block.
>
> Here's the most recent example:
>
>
> May 15 17:21:13 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=11945 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:21:21 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=11946 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:21:38 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=42543 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:22:12 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=42544 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:23:12 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=5521 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:24:12 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=65521 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:25:12 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=59985 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:26:12 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=54449 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
> May 15 17:27:12 nigel kernel: IN=eth0 OUT=
> MAC=00:50:ba:c1:e1:c0:00:10:67:00:2b:06:08:00 SRC=64.4.49.145
> DST=xxx.xxx.xxx.xx LEN=82 TOS=0x00 PREC=0x00 TTL=243 ID=48913 DF PROTO=TCP
> SPT=25 DPT=33151 WINDOW=64240 RES=0x00 ACK PSH FIN URGP=0
>
> Note that I've sanitized the IP that these are coming into. Again,
> 64.4.49.145 shows up nowhere in my smtp logs. There aren't any
> return receipts or other weirdnesses to the messages, just plain text.
>
>
> Is Hotmail screwing something up? Am I?
>
> A quick search through the archives of this list and the postfix list
> doesn't seem to bring anything up, and since the problem seems to be with
> iptables at this point I thought I'd start here...
>
> Let me know if posting my iptables config would help. I'm hoping that I'm
> especially dense at searching through the archives and that this is some
> sort of well known issue.
>
> TIA
>
> -- Travis
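
One way to answer the two questions in the reply from the firewall log itself, as an added example that is not part of the original thread: the Python below groups netfilter LOG lines by flow and reports whether every dropped packet carries FIN and how far apart the copies arrive. The sample lines are constructed (documentation addresses), and the names `parse`, `summarize` and the `year` parameter are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the netfilter LOG format quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not the thread's hosts.
_T = ("May 15 %s fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 "
      "LEN=82 TTL=243 DF PROTO=TCP SPT=25 DPT=33151 WINDOW=64240 RES=0x00 "
      "ACK PSH FIN URGP=0")
SAMPLE = "\n".join(_T % t for t in
                   ("17:21:13", "17:21:21", "17:21:38", "17:22:12", "17:23:12"))
SAMPLE += ("\nMay 15 17:23:40 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 "
           "DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
STAMP = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s")

def parse(line, year):
    """Return (timestamp, fields, flags) for a TCP LOG line, else None."""
    m = STAMP.match(line)
    fields = dict(re.findall(r"(\w+)=(\S*)", line))  # KEY=value tokens
    if not m or fields.get("PROTO") != "TCP":
        return None
    # Syslog timestamps carry no year; one is assumed for interval arithmetic.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, fields, TCP_FLAGS & set(line.split())  # flags are bare tokens

def summarize(text, year=2002):
    """Group dropped packets by (SRC, SPT, DST, DPT) and describe each flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line, year)
        if rec:
            ts, f, flags = rec
            flows[(f["SRC"], f["SPT"], f["DST"], f["DPT"])].append((ts, flags))
    report = {}
    for key, pkts in flows.items():
        times = sorted(t for t, _ in pkts)
        report[key] = {
            "packets": len(pkts),
            "all_fin": all("FIN" in fl for _, fl in pkts),
            "any_syn": any("SYN" in fl for _, fl in pkts),
            # Seconds between consecutive copies on the same flow.
            "gaps": [int((b - a).total_seconds())
                     for a, b in zip(times, times[1:])],
        }
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

Gaps that roughly double and then level off at a fixed interval are the shape of one segment being retransmitted to the same port, not of separate connection attempts.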
