strange request for inbound traffic (firewall)

Discussion in 'privacy problems' started by Fly, Jun 11, 2009.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    (Windows XP Home Edition, service pack 2, router directly connected to modem by wire/cable, wireless connection to my computer, WPA-PSK encrypted, no other computers in my network.)

    I'm currently trialling Eset Smart Security, with the firewall in interactive mode. Upon (re)boot I noticed a strange request for INBOUND traffic (Microsoft Windows Publisher I think), IP 207.46.197.32.

    I decided to temporarily allow it. And I did look it up.
    According to networksolutions:
    'OrgName: U.S. Environmental Protection Agency
    OrgID: UEPA
    Address: NC 54 at Alexander Drive
    City: Research Triangle Park
    StateProv: NC
    PostalCode:
    Country: US'

    That just seems weird. I decided to temporarily allow it because I had problems synchronizing the time on my computer, both automatic and manual.

    I've noticed that 'Microsoft Windows Publisher' wants to phone out a lot. Also weird.

    Anyone care to comment?

    What business is my computer to the 'U.S. Environmental Protection Agency'? o_O
     
    Last edited: Jun 11, 2009
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    How did you look up that IP address exactly?

    207.46.197.32 is in a Microsoft-owned IP address range, and appears to be a mix of update server and other distributed software functions.

    See also: http://whois.domaintools.com/207.46.197.32 - lots of Microsoft domains hosted behind this IP address.
     
  3. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    That's strange.

    I used www.networksolutions.com/whois/index.jsp

    I just tried it again, and it points to Microsoft. I remember paying attention when I did the WHOIS lookup. I guess I made a mistake? :doubt:

    But it's weird, according to Eset Smart Security it was INBOUND traffic, and I could choose between allowing and denying the request.

    I haven't experienced that with any other firewall I've tried. Outbound requests, yes, but not inbound.

    And there is even a router between the internet/modem and my computer.

    So how did it get past that? o_O
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    It's hard to say what it was without a full log - i.e. src/dst ports, protocol, flags, etc. However, since you do have a router protecting your network perimeter, it's very unlikely to be an unsolicited inbound connection. Meaning, it's not something random from the Internet that penetrated your router all on its own. It's much more likely that something in Publisher initiated the connection (especially since you say it was the program Publisher that the alert said the communication was aimed at - for the firewall to know it was Publisher, Publisher must have been running), and the software firewall is merely alerting for another reason... Perhaps a late response that the program was no longer waiting for. There's also the question of "how soon after reboot" the packet came in. If it was immediate, the network connectoid may not have been fully started, which caused a delay in communications, again leading to the program having timed out on the connection that it actually initiated.

    Windows Publisher is a fairly heavy program. It's not all that odd that it would make use of a lot of phone homes to a Microsoft update/service website, especially upon system reboot.
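
The distinction drawn in the reply above, between a reply that arrives after the connection state has timed out and a truly unsolicited inbound packet, shown as an added example that is not part of the original thread or of any firewall product. The timeout, the local address, the ports and the second remote address are constructed for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30.0  # constructed value; real firewalls and routers use their own


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since boot
    direction: str   # "out" or "in", seen from the PC
    proto: str
    local: tuple     # (ip, port) on the PC
    remote: tuple    # (ip, port) of the peer


class StateTable:
    """Minimal per-flow state tracking, as a stateful firewall keeps it."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.last_seen = {}  # flow key -> time of the last accepted packet

    def classify(self, pkt):
        key = (pkt.proto, pkt.local, pkt.remote)
        if pkt.direction == "out":
            self.last_seen[key] = pkt.ts
            return "outbound"
        last = self.last_seen.get(key)
        if last is None:
            return "unsolicited-inbound"   # no local program ever opened this flow
        if pkt.ts - last > self.timeout:
            del self.last_seen[key]        # state expired: firewall prompts as inbound
            return "late-reply"
        self.last_seen[key] = pkt.ts
        return "reply"


def demo():
    pc, ms = ("192.168.1.10", 1045), ("207.46.197.32", 80)  # ports are constructed
    other = ("203.0.113.5", 80)                              # documentation address
    packets = [
        Packet(5.0, "out", "tcp", pc, ms),    # local program opens the flow
        Packet(5.4, "in", "tcp", pc, ms),     # timely answer
        Packet(50.0, "in", "tcp", pc, ms),    # answer after the idle timeout
        Packet(51.0, "in", "tcp", pc, other), # never requested by the PC
    ]
    table = StateTable()
    return [table.classify(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

A firewall that has already discarded the expired entry sees the third and fourth packets the same way, which is why a full log with ports, protocol and flags is needed to tell them apart.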
     
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    It's not even in the log, the log is completely empty.

    I don't have a program called 'Microsoft Windows Publisher' installed.
    I did a quick search on the internet, and it may have something to do with either Microsoft/Windows update, MS Works (MS Word 2002?), or certificates.

    No other firewall I've ever used mentioned 'Microsoft Windows publisher'.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623