Spam Filter ISP Forums : Firewall / IDS Pit Fall (False Triggers)

There have been a couple of reports of the LogSat web server "attacking" SpamFilter customers networks and even causing some firewalls to go into some ugly La-La land. This is not an "attack". However, the high traffic nature of email messaging (and SPAM!) can cause a tightly configured (Anal retentive?) IDS or Firewall to mistake it as such.

LogSat's web server is where your SpamFilter makes all the http requests to check if an IP is listed in the SFDB and SFDC. While your SpamFilter connects to port 80 on LogSat's webserver, the return traffic will occur, by the nature of TCP, on a different random port on your server.

If an IDS is not able to "understand" the concept of established connections, it will not understand that the HTTP response, from LogSat's webserver to a random port on your server is, in fact, just that ... return HTTP traffic.

One recommendation would be to check the documentation for ISA server or whatever firewall appliance you have to see if it can be configured to detect anomalies while ignoring established TCP connections, as in this latter case, the return traffic on the random, high port numbers is absolutely legitimate and should not be interpreted as an "attack".