I get an lot of these alerts on my ISA2004 server: ISA Server detected an all port scan attack from Internet Protocol (IP) address xx.xx.xx.xx. Normally, I just ignore these, as there isn't much I can do about outside servers. However, I've noticed a few of these with IP addresses on our internal network, which has me concerned. Whenever I see one of these, I check every log I can think of, and don't find any other indication of any activity other than the alert itself. Even the Firewall Log doesn't show any blocked packets during that time period. Do you think the IP address of the scanner is being spoofed?