On Sun, Jan 09, 2005 at 07:55:17PM +0530, Suresh Ramasubramanian wrote:
> 1) SYN - Worm emails / spam goes out from another provider, with the source address spoofed to be the IP of a trojaned PC
> 2) ACK - Receiving network sends an ACK back to the forged source IP, and the trojan on that IP proxies this back to the actual spam source.
> 3) SYNACK - sent by the actual spam source to your network.
Only if you are only filtering SYNs. If you block ALL port 25 traffic, this won't work.
> Applying port 25 filters both ways (inbound and outbound to your dialup pool, instead of just outbound port 25 filtering) would help in such a situation.
Inbound 25 filtering has nothing to do with the situation listed above. Or are you using inbound and outbound to refer to packet flow on the interface rather than session flow? Must be confusing Cisco terms with actual networking again ;-)

-- 
Joe Rhett
Senior Geek
Meer.net
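The distinction the two posters are arguing about (a filter that matches only outbound SYNs to port 25 versus one that drops every port 25 segment crossing the dialup pool, whatever its flags or direction) can be made concrete with a small stateless filter model. The code below is an added example, not code from either poster: the packet fields, the two policy functions and the constructed sample segments are all assumptions made here to illustrate the thread, and the segments represent the non-SYN pieces of a port 25 session that a SYN-only rule never looks at.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen on the dialup-pool interface (constructed model)."""
    direction: str            # "out" = leaving the pool, "in" = arriving at the pool
    src_port: int
    dst_port: int
    flags: FrozenSet[str]     # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def filter_outbound_syn_only(p: Packet) -> bool:
    """Policy A: block only connection attempts (SYN without ACK) leaving the pool for port 25.

    Every other segment, including replies from port 25 and later ACK/PSH traffic
    toward port 25, is allowed through.
    """
    syn_only = "SYN" in p.flags and "ACK" not in p.flags
    return not (p.direction == "out" and p.dst_port == 25 and syn_only)


def filter_all_port25(p: Packet) -> bool:
    """Policy B: block any segment with port 25 at either end, in either direction."""
    return not (p.src_port == 25 or p.dst_port == 25)


Policy = Callable[[Packet], bool]

# Constructed sample traffic on the pool interface, labelled by what it represents.
SAMPLE_PACKETS: List[Tuple[str, Packet]] = [
    ("outbound SYN to port 25",          Packet("out", 40000, 25, frozenset({"SYN"}))),
    ("inbound SYN-ACK from port 25",     Packet("in", 25, 40000, frozenset({"SYN", "ACK"}))),
    ("outbound ACK to port 25",          Packet("out", 40000, 25, frozenset({"ACK"}))),
    ("outbound data (PSH/ACK) to port 25", Packet("out", 40000, 25, frozenset({"PSH", "ACK"}))),
    ("inbound data from port 25",        Packet("in", 25, 40000, frozenset({"PSH", "ACK"}))),
    ("outbound SYN to port 80 (unrelated)", Packet("out", 40001, 80, frozenset({"SYN"}))),
]


def evaluate(policy: Policy, packets: List[Tuple[str, Packet]]) -> Dict[str, bool]:
    """Return {label: allowed?} for every sample segment under the given policy."""
    return {label: policy(pkt) for label, pkt in packets}


def leaked_port25_segments(policy: Policy, packets: List[Tuple[str, Packet]]) -> List[str]:
    """Labels of port 25 segments the policy lets through; empty means the pool is closed off."""
    return [label for label, pkt in packets
            if policy(pkt) and (pkt.src_port == 25 or pkt.dst_port == 25)]


if __name__ == "__main__":
    for name, policy in (("A: outbound SYN only", filter_outbound_syn_only),
                         ("B: all port 25",       filter_all_port25)):
        print(f"Policy {name}")
        for label, allowed in evaluate(policy, SAMPLE_PACKETS).items():
            print(f"  {'ALLOW' if allowed else 'DROP ':5} {label}")
        print(f"  port 25 segments still passing: {leaked_port25_segments(policy, SAMPLE_PACKETS)}")
```

Running it shows the point of the exchange: policy A stops the pool from opening SMTP sessions but still passes every non-SYN segment touching port 25, which is exactly the traffic a relay on a trojaned host would rely on, while policy B passes none of them and leaves unrelated traffic (the port 80 SYN) untouched.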