I have instrumented my iptables to log all DROP'ed packets. I have a huge plethora of packets dropped from these 3 IP addresses: 74.125.127.109 72.14.213.109 74.125.53.109 and all of them are from source port 995, which is the secure POP3 port used by Thunderbird. All 3 IP addresses belong to google.
nslookup reports:
109.127.125.74.in-addr.arpa name = pz-in-f109.1e100.net
109.213.14.72.in-addr.arpa name = pv-in-f109.1e100.net
109.53.125.74.in-addr.arpa name = pw-in-f109.1e100.net
I am having no problems retrieving my email at all. TB works just fine. All 3 addresses belong to google. Just do whois 1e100.net
So why would the google mail server send me unsolicited packets? As I said, I am having no problems sending/receiving email.
Cheers,
JD
On 04/17/2011 12:02 PM, JD wrote:
nslookup reports:
109.127.125.74.in-addr.arpa name = pz-in-f109.1e100.net
109.213.14.72.in-addr.arpa name = pv-in-f109.1e100.net
109.53.125.74.in-addr.arpa name = pw-in-f109.1e100.net
I am having no problems retrieving my email at all. TB works just fine. All 3 addresses belong to google. Just do whois 1e100.net
Domain Name: 1e100.net
Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com
Yes, Google is the administrative and technical contact, but it looks like markmonitor.com is trying to hack your machine, not Google.
On 4/17/11 12:02 PM, JD wrote:
I have instrumented my iptables to log all DROP'ed packets. I have a huge plethora of packets dropped from these 3 IP addresses: 74.125.127.109 72.14.213.109 74.125.53.109
Google Mail on the Secure IMAP port? Interesting. Maybe they are misrouted packets or do you use Google Mail (gmail)?
James McKenzie
On 04/17/2011 12:33 PM, Joe Zeff wrote:
On 04/17/2011 12:02 PM, JD wrote:
nslookup reports:
109.127.125.74.in-addr.arpa name = pz-in-f109.1e100.net
109.213.14.72.in-addr.arpa name = pv-in-f109.1e100.net
109.53.125.74.in-addr.arpa name = pw-in-f109.1e100.net
I am having no problems retrieving my email at all. TB works just fine. All 3 addresses belong to google. Just do whois 1e100.net
Domain Name: 1e100.net
Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com
Yes, Google is the administrative and technical contact, but it looks like markmonitor.com is trying to hack your machine, not Google.
Well then, it would appear that google sells/provides hosting for commercial domains. So, who do I report this to? Google? or the DHS? :)
On 17 April 2011 20:33, Joe Zeff joe@zeff.us wrote:
On 04/17/2011 12:02 PM, JD wrote:
All 3 addresses belong to google. Just do whois 1e100.net
Domain Name: 1e100.net
Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com
Yes, Google is the administrative and technical contact, but it looks like markmonitor.com is trying to hack your machine, not Google.
No, it's Google: http://www.webmasterworld.com/google/4050443.htm
1e100 is the scientific notation of 10^100 aka one Googol (http://en.wikipedia.org/wiki/Googol)
MarkMonitor is just the brand agency they are using to register the name and "protect their global brand".
As to what it's doing, I don't know - it sounds like it's sending traffic from port 995 to your machine because you are connecting to GMail. It's entirely possible that because gmail is composed of millions of different machines, those packets are coming back not from the machine you are directly connected to and hence aren't hitting your ESTABLISHED,RELATED rules. You'd need to plug a packet capture into something like Wireshark and look at the conversation to know what those packets are supposed to be.
On 04/17/2011 12:34 PM, James McKenzie wrote:
On 4/17/11 12:02 PM, JD wrote:
I have instrumented my iptables to log all DROP'ed packets. I have a huge plethora of packets dropped from these 3 IP addresses: 74.125.127.109 72.14.213.109 74.125.53.109
Google Mail on the Secure IMAP port? Interesting. Maybe they are misrouted packets or do you use Google Mail (gmail)?
James McKenzie
My Thunderbird is configured to connect with pop.gmail.com to retrieve my email.
The Registrant of the primary domain is google, and the Registrar is MarkMonitor.Com.
$ whois 1e100.net
[Querying whois.verisign-grs.com]
[Redirected to whois.markmonitor.com]
[Querying whois.markmonitor.com]
[whois.markmonitor.com]
MarkMonitor is the Global Leader in Enterprise Brand Protection.
Domain Management MarkMonitor Brand Protection™ AntiFraud Solutions Corporate Consulting Services
Visit MarkMonitor at www.markmonitor.com Contact us at 1 800 745 9229 In Europe, at +44 (0) 20 7840 1300
/....Scroll down some more..../
Registrant:
DNS Admin
Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 94043
US
dns-admin@google.com +1.6502530000 Fax: +1.6506188571
Domain Name: 1e100.net
Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com
Administrative Contact:
DNS Admin
Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 94043
US
dns-admin@google.com +1.6502530000 Fax: +1.6506188571
Technical Contact, Zone Contact:
DNS Admin
Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 94043
US
dns-admin@google.com +1.6502530000 Fax: +1.6506188571
Created on..............: 2009-09-24. Expires on..............: 2019-09-24. Record last updated on..: 2010-07-05.
Domain servers in listed order:
ns4.google.com ns3.google.com ns2.google.com ns1.google.com
On 04/17/2011 12:33 PM, Joe Zeff wrote:
On 04/17/2011 12:02 PM, JD wrote:
nslookup reports:
109.127.125.74.in-addr.arpa name = pz-in-f109.1e100.net
109.213.14.72.in-addr.arpa name = pv-in-f109.1e100.net
109.53.125.74.in-addr.arpa name = pw-in-f109.1e100.net
I am having no problems retrieving my email at all. TB works just fine. All 3 addresses belong to google. Just do whois 1e100.net
Domain Name: 1e100.net
Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com
Yes, Google is the administrative and technical contact, but it looks like markmonitor.com is trying to hack your machine, not Google.
Actually, as I just replied to James McKenzie, the domain REGISTRAR is markmonitor.com and the REGISTRANT is Google.com.
On 04/17/2011 12:56 PM, Sam Sharpe wrote:
On 17 April 2011 20:33, Joe Zeff joe@zeff.us wrote:
On 04/17/2011 12:02 PM, JD wrote:
All 3 addresses belong to google. Just do whois 1e100.net
Domain Name: 1e100.net
Registrar Name: Markmonitor.com Registrar Whois: whois.markmonitor.com Registrar Homepage: http://www.markmonitor.com
Yes, Google is the administrative and technical contact, but it looks like markmonitor.com is trying to hack your machine, not Google.
No, it's Google: http://www.webmasterworld.com/google/4050443.htm
1e100 is the scientific notation of 10^100 aka one Googol (http://en.wikipedia.org/wiki/Googol)
MarkMonitor is just the brand agency they are using to register the name and "protect their global brand".
As to what it's doing, I don't know - it sounds like it's sending traffic from port 995 to your machine because you are connecting to GMail. It's entirely possible that because gmail is composed of millions of different machines, those packets are coming back not from the machine you are directly connected to and hence aren't hitting your ESTABLISHED,RELATED rules. You'd need to plug a packet capture into something like Wireshark and look at the conversation to know what those packets are supposed to be.
Not savvy about Wireshark. Do you have some link or info as to how to trap packets from these IP addresses? Also, would I have to change my firewall in order for Wireshark to trap these packets?
On 4/17/11 1:10 PM, JD wrote:
On 04/17/2011 12:34 PM, James McKenzie wrote:
On 4/17/11 12:02 PM, JD wrote:
I have instrumented my iptables to log all DROP'ed packets. I have a huge plethora of packets dropped from these 3 IP addresses: 74.125.127.109 72.14.213.109 74.125.53.109
Google Mail on the Secure IMAP port? Interesting. Maybe they are misrouted packets or do you use Google Mail (gmail)?
James McKenzie
My Thunderbird is configured to connect with pop.gmail.com to retrieve my email.
The Registrant of the primary domain is google, and the Registrar is MarkMonitor.Com.
[Whois and marketing stuff removed]
Thus your system is NOT being hacked as stated by others. If you are using Thunderbird, you had to configure it to connect on port 995, which I will correct, is the secure POP port. Nothing is amiss here, it is just that you sent your request to server 'A' in the farm and got a reply from server 'B' or server 'C' or server 'D'.... The first available will be replying. You could 'sniff' the traffic, but since it is SSL/TLS encrypted, you would not be able to read anything (or let me restate this, should not be able to.)
At this point, given all that has been given, you are at a ZERO percent hazard. If you were receiving replies from a different set of addresses and these were not gmail's then I would have raised an eyebrow because that is an attack signature.
James McKenzie
On 04/17/2011 01:25 PM, James McKenzie wrote:
On 4/17/11 1:10 PM, JD wrote:
On 04/17/2011 12:34 PM, James McKenzie wrote:
On 4/17/11 12:02 PM, JD wrote:
I have instrumented my iptables to log all DROP'ed packets. I have a huge plethora of packets dropped from these 3 IP addresses: 74.125.127.109 72.14.213.109 74.125.53.109
Google Mail on the Secure IMAP port? Interesting. Maybe they are misrouted packets or do you use Google Mail (gmail)?
James McKenzie
My Thunderbird is configured to connect with pop.gmail.com to retrieve my email.
The Registrant of the primary domain is google, and the Registrar is MarkMonitor.Com.
[Whois and marketing stuff removed]
Thus your system is NOT being hacked as stated by others. If you are using Thunderbird, you had to configure it to connect on port 995, which I will correct, is the secure POP port. Nothing is amiss here, it is just that you sent your request to server 'A' in the farm and got a reply from server 'B' or server 'C' or server 'D'.... The first available will be replying. You could 'sniff' the traffic, but since it is SSL/TLS encrypted, you would not be able to read anything (or let me restate this, should not be able to.)
At this point, given all that has been given, you are at a ZERO percent hazard. If you were receiving replies from a different set of addresses and these were not gmail's then I would have raised an eyebrow because that is an attack signature.
James McKenzie
Well, it is a bit strange that Google would set up their servers so that my machine tries to download the latest messages by sending its request to pop.gmail.com (74.125.127.109) on port 995, and receives a reply from a different IP address. How can I configure my firewall so that such replies are not deemed "not established"?
On Apr 17, 2011 4:53 PM, "JD" jd1008@gmail.com wrote:
Well, it is a bit strange that Google would set up their servers so that my machine tries to download the latest messages by sending its request to pop.gmail.com (74.125.127.109) on port 995, and receives a reply from a different IP address. How can I configure my firewall so that such replies are not deemed "not established"?
fwiw I do not have this issue when using imaps (via mutt) for gmail.
-paul
On 04/17/2011 02:26 PM, Paul Morgan wrote:
On Apr 17, 2011 4:53 PM, "JD" jd1008@gmail.com wrote:
Well, it is a bit strange that Google would set up their servers so that my machine tries to download the latest messages by sending its request to pop.gmail.com (74.125.127.109) on port 995, and receives a reply from a different IP address. How can I configure my firewall so that such replies are not deemed "not established"?
fwiw I do not have this issue when using imaps (via mutt) for gmail.
-paul
I hate imap :)
On 04/17/2011 03:53 PM, JD wrote:
Well, it is a bit strange that Google would set up their servers so that my machine tries to download the latest messages by sending its request to pop.gmail.com (74.125.127.109) on port 995, and receives a reply from a different IP address. How can I configure my firewall so that such replies are not deemed "not established"?
I'm downloading my email too from pop.gmail.com via pop3s using fetchmail, and in the past the following showed in the logs:
Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied: IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00 RST URGP=0
and netfilter (iptables) always classifies the above packet as an INVALID packet, so you catch it with:
-N inval-IN
-A inval-IN -m tcp -p tcp --sport 995 -j DROP
-A INPUT -m state --state INVALID -j inval-IN
or test and simply do:
-A INPUT -m state --state INVALID -j DROP
I only know a little about tcpdump but according to "tcpdump -i eth0 -n port 995" the packet logged is the last one in the session:
also in my limited testing today, the logged packet came from the same pop server machine not a third party one
and because the packet is logged no matter whether you use thunderbird or I use fetchmail, maybe it is a (harmless) bug in google's pop server
Gabriel
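An added example, not from anyone in this thread: a small POSIX shell script that pulls the fields out of netfilter LOG lines like the one Gabriel posted, labels the late RST that Sam's and Gabriel's messages describe (conntrack has already forgotten the closed session, so the RST is INVALID rather than ESTABLISHED), and prints rules that log INVALID packets under their own prefix so they stop polluting the "denied" log. The second sample line and the log prefixes are constructed.

```shell
#!/bin/sh
# Constructed sample log lines: the first mirrors Gabriel's stray RST from the
# POP3S server, the second is a constructed SYN to a local port, the kind of
# dropped packet that is worth a second look.
SAMPLE_RST='Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied: IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00 RST URGP=0'
SAMPLE_SYN='Apr 17 16:20:01 localhost kernel: [534443.000000] INPUT packets denied: IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# field KEY LINE: print the value of "KEY=VALUE" in a netfilter LOG line.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# tcp_flags LINE: print the bare TCP flag words that sit between RES= and URGP=.
tcp_flags() {
    printf '%s\n' "$1" | sed -n 's/.*RES=[^[:space:]]*[[:space:]]\(.*\)[[:space:]]URGP=.*/\1/p'
}

# classify LINE: label a dropped packet.
#   stray-rst   TCP RST from a well-known port to an ephemeral port, no payload,
#               window 0: what a late RST after a closed POP3S session looks like.
#   unsolicited anything else, e.g. a SYN aimed at a local service.
classify() {
    line=$1
    proto=$(field PROTO "$line")
    spt=$(field SPT "$line")
    dpt=$(field DPT "$line")
    flags=$(tcp_flags "$line")
    case "$flags" in *RST*) is_rst=1 ;; *) is_rst=0 ;; esac
    if [ "$proto" = TCP ] && [ "${spt:-0}" -lt 1024 ] && [ "${dpt:-0}" -ge 1024 ] \
       && [ "$is_rst" = 1 ] && [ "$(field WINDOW "$line")" = 0 ]; then
        echo stray-rst
    else
        echo unsolicited
    fi
}

# invalid_rules: print INPUT rules (iptables-restore syntax) that log and drop
# INVALID packets under their own prefix before the generic catch-all, so the
# "INPUT packets denied" log only shows traffic that was genuinely unsolicited.
invalid_rules() {
    cat <<'EOF'
-A INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "INVALID drop: "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT packets denied: "
-A INPUT -j DROP
EOF
}

classify "$SAMPLE_RST"   # stray-rst
classify "$SAMPLE_SYN"   # unsolicited
```

Feed real lines with something like `grep 'packets denied' /var/log/messages | while read -r l; do classify "$l"; done` to see how many of the drops are stray RSTs before deciding whether anything needs a closer look.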
On 04/18/2011 05:05 PM, Gabriel Ramirez wrote:
On 04/17/2011 03:53 PM, JD wrote:
Well, it is a bit strange that Google would set up their servers so that my machine tries to download the latest messages by sending its request to pop.gmail.com (74.125.127.109) on port 995, and receives a reply from a different IP address. How can I configure my firewall so that such replies are not deemed "not established"?
I'm downloading my email too from pop.gmail.com via pop3s using fetchmail, and in the past the following showed in the logs:
Apr 17 16:18:42 localhost kernel: [534364.934281] INPUT packets denied: IN=eth0 OUT= MAC= SRC=74.125.127.109 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=18161 PROTO=TCP SPT=995 DPT=48159 WINDOW=0 RES=0x00 RST URGP=0
and netfilter (iptables) always classifies the above packet as an INVALID packet, so you catch it with:
-N inval-IN
-A inval-IN -m tcp -p tcp --sport 995 -j DROP
-A INPUT -m state --state INVALID -j inval-IN
or test and simply do:
-A INPUT -m state --state INVALID -j DROP
I only know a little about tcpdump but according to "tcpdump -i eth0 -n port 995" the packet logged is the last one in the session:
also in my limited testing today, the logged packet came from the same pop server machine not a third party one
and because the packet is logged no matter whether you use thunderbird or I use fetchmail, maybe it is a (harmless) bug in google's pop server
Gabriel
Could very well be a harmless bug. I was also wondering if the bug is caused by the client request being broadcast to all 3 gmail servers, and one of them quickly responds, and one or both of the other 2, which are apparently not notified that the response has been sent, will send their reply to a session which has already closed. Any google mail admins on this list?? :)
On 04/18/2011 07:13 PM, JD wrote:
Could very well be a harmless bug. I was also wondering if the bug is caused by the client request being broadcast to all 3 gmail servers, and one of them quickly responds, and one or both of the other 2, which are apparently not notified that the response has been sent, will send their reply to a session which has already closed. Any google mail admins on this list?? :)
If in your case another server (also google's property) is sending the RST, it's a different situation from mine. To be sure, run "tcpdump -i eth0 port 995 -n" in a terminal and download your email via thunderbird; if you see two different pop server ip addresses, well, in my limited testing I only saw one server.
Maybe your logs have three servers written because one day one ip address was resolved by your dns server, and after some time the dns cache expired and another ip address was resolved.
Now maybe linux isn't closing the session properly, so google is sending the RST, but having two bugs in different programs (fetchmail and thunderbird) is more unlikely than a single bug in google's pop server.
also that packet isn't marked NEW, ESTABLISHED or RELATED, but INVALID
I'm not sure if a stock Linux install DROPs or REJECTs the INVALID packets, but maybe it doesn't log them, so the problem isn't more widely known among the users of gmail pop3s servers; many prefer imap. I use imap but only on my own servers.
Gabriel