That log is missing many fields; can you add the rest of them in your logging options?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Marc Lingenfelter" <marclingenfelter@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 08, 2002 10:28 AM
Subject: [isalist] Re: Firewall Sessions

http://www.ISAserver.org

This is a portion of the Firewall Sessions Log. None of these IPs are mine or authorized access. I have set up an IP Packet Filter that denied all inbound TCP access on all ports. I then disconnected all the below IPs and within minutes they were all reconnected.

Server    Session Type      User Name  Client Computer  Client Address   Activation
LM-PROXY  Firewall Session             203.45.205.7     203.45.205.7     8/8/2002 10:55:31 AM
LM-PROXY  Firewall Session             216.19.221.60    216.19.221.60    8/8/2002 10:55:54 AM
LM-PROXY  Firewall Session             216.26.30.111    216.26.30.111    8/8/2002 10:55:43 AM
LM-PROXY  Firewall Session             216.85.53.53     216.85.53.53     8/8/2002 10:56:05 AM
LM-PROXY  Firewall Session             24.187.68.173    24.187.68.173    8/8/2002 10:56:18 AM
LM-PROXY  Firewall Session             24.187.69.179    24.187.69.179    8/8/2002 10:55:37 AM
LM-PROXY  Firewall Session             63.151.143.20    63.151.143.20    8/8/2002 10:55:29 AM
LM-PROXY  Firewall Session             64.239.13.10     64.239.13.10     8/8/2002 10:55:22 AM
LM-PROXY  Firewall Session             64.252.137.165   64.252.137.165   8/8/2002 10:54:49 AM
LM-PROXY  Firewall Session             65.116.209.153   65.116.209.153   8/8/2002 10:54:56 AM
LM-PROXY  Firewall Session             65.116.209.156   65.116.209.156   8/8/2002 10:55:40 AM
LM-PROXY  Firewall Session             65.116.209.157   65.116.209.157   8/8/2002 10:55:34 AM
LM-PROXY  Firewall Session             65.203.20.60     65.203.20.60     8/8/2002 10:55:46 AM
LM-PROXY  Firewall Session             65.244.149.130   65.244.149.130   8/8/2002 10:54:23 AM
LM-PROXY  Firewall Session             65.95.177.193    65.95.177.193    8/8/2002 10:55:07 AM
LM-PROXY  Firewall Session             66.164.16.201    66.164.16.201    8/8/2002 10:55:27 AM
LM-PROXY  Firewall Session             66.164.16.42     66.164.16.42     8/8/2002 10:55:27 AM
LM-PROXY  Firewall Session             67.250.124.194   67.250.124.194   8/8/2002 10:55:54 AM

Marc B. Lingenfelter
Network Administrator

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 08, 2002 10:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Firewall Sessions

Can you send a snip from your FW log showing the events that concern you?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Marc Lingenfelter" <marclingenfelter@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 08, 2002 6:53 AM
Subject: [isalist] Re: Firewall Sessions

Have never published the server

Marc B. Lingenfelter
Network Administrator

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, August 08, 2002 7:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Firewall Sessions

Server publishing rules allow Firewall sessions from "unknown" IPs. Are you publishing a mailserver?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison
http://jalojash.org/isatools
Read the books!

----- Original Message -----
From: "Marc Lingenfelter" <marclingenfelter@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 07, 2002 9:28 PM
Subject: [isalist] Firewall Sessions

While checking my firewall sessions and logs for the past few days I discovered that a couple of unknown IPs are starting firewall sessions. Nothing I do seems to be able to block them from the site. I also see where both of them are sending excessive amounts of SMTP (Spam). I need to know how to block them.
Thanks

Marc Lingenfelter
Network Admin

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')