bimmerdriver
join:2010-12-10
Coquitlam, BC

bimmerdriver

Member

Unsolicited tcp packets from 207.167.198.19 (webmail2.telus.net)

My firewall logs the source IP address, protocol and port number of every packet it drops. Since the July time frame, it has been dropping TCP packets from webmail2.telus.net. The port numbers range from 49157 to 65534 (almost 8800 different port numbers); there are anywhere from 1-6 packets from each port, totaling over 12,500 packets, typically a few hundred per day. I only use the Telus webmail from my laptop, so I presume these packets are only being received when my laptop is connected to my LAN, which is evenings and weekends.

I called Telus tech support today, asking about this. The person I was talking to was pretty clueless, so he ended up going back and forth with his supervisor. Eventually, he said rather than keeping me on the line, he would investigate it further and call me back. An hour later, he called back saying the problem was with my D-Link router and that they would have to replace it. I do have a D-Link router, but it's only used for the optik and no computers are connected to it. (I have an alu with a pc-based router.) It makes no sense whatsoever that the problem could be with the D-Link router.

Has anyone else noticed this behaviour?
pb2k
join:2005-05-30
Calgary, AB

pb2k

Member

Random Guess:
Could be an issue with the SPI firewall timeout and window size. If the server sends some sort of keep alive and your computer doesn't respond quickly enough, the firewall might consider the session closed and start dropping the packets.

If you have a hub or a switch with port mirroring, check it with Wireshark if you're that concerned about it.
goalcam
join:2001-06-03
Port Coquitlam, BC

goalcam to bimmerdriver

Member

to bimmerdriver
The internet is chock full of unsolicited packets. In this case, you're using the webmail site and it's likely trying to send something back on the originating port for one reason or another such as some sort of keepalive as pb2k mentioned.

Either way, it's nothing to worry about, and above the knowledge level of your average level one Telus tech.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to bimmerdriver

MVM

to bimmerdriver
My 00000010bits? How much do you want to dig into this, and how much time and effort are you willing to put into it?

I admit my curiosity's piqued... my initial thought is if your logs are also recording date / timestamps as well, does it match to the exact times you were logged into telus webmail? If so, mystery solved. Another thing to try is to not log into telus webmail for 24 hours, and at the end of the 24 hours, check your logs again. If no blocked packets from telus webmail, again, mystery solved.

...if there are blocked packets but no login into webmail, there may be more digging to do.

pb2k's suggestion of port mirroring / Wireshark is a good idea... logs only tell you the src / dest / protocol but not what's actually _IN_ the packet.

My 00000010bits

Regards
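
The timestamp check suggested above, as an added example that is not part of any post in this thread: it buckets dropped packets from the webmail address by whether they fall inside a recorded webmail session, shortly after one (late packets for a connection the stateful firewall has already expired), or at an unrelated time. The log line format, the session list, the grace period and all sample values are constructed assumptions; adapt the regular expression to what your firewall actually writes.

```python
import re
from datetime import datetime, timedelta

WEBMAIL_IP = "207.167.198.19"  # address from the thread title

# Assumed (constructed) log format: "<ISO time> DROP <proto> <src ip>:<src port>"
LINE_RE = re.compile(r"^(\S+) DROP (\w+) ([\d.]+):(\d+)$")

def parse_drops(lines, src_ip=WEBMAIL_IP):
    """Yield (timestamp, source port) for dropped TCP packets from src_ip."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "TCP" and m.group(3) == src_ip:
            yield datetime.fromisoformat(m.group(1)), int(m.group(4))

def classify(drops, sessions, grace=timedelta(minutes=15)):
    """Bucket each drop by its relation to the recorded webmail sessions."""
    buckets = {"in_session": [], "after_session": [], "unexplained": []}
    for ts, port in drops:
        if any(start <= ts <= end for start, end in sessions):
            buckets["in_session"].append((ts, port))
        elif any(end < ts <= end + grace for _, end in sessions):
            # Late traffic for a connection the firewall already forgot.
            buckets["after_session"].append((ts, port))
        else:
            # No webmail use nearby: this is the "more digging" case.
            buckets["unexplained"].append((ts, port))
    return buckets

# Constructed sample data, not taken from the poster's logs.
SAMPLE_LOG = [
    "2012-10-03T19:05:12 DROP TCP 207.167.198.19:51234",
    "2012-10-03T19:48:40 DROP TCP 207.167.198.19:51234",
    "2012-10-03T20:07:03 DROP TCP 207.167.198.19:60211",
    "2012-10-04T03:15:44 DROP TCP 207.167.198.19:49157",
    "2012-10-03T19:30:00 DROP UDP 198.51.100.7:53",  # other host, ignored
]
# Times the laptop was logged in to webmail (hypothetical, hand-recorded).
SESSIONS = [(datetime(2012, 10, 3, 19, 0), datetime(2012, 10, 3, 20, 0))]

def summarize(log=SAMPLE_LOG, sessions=SESSIONS):
    """Return the number of drops in each bucket."""
    buckets = classify(parse_drops(log), sessions)
    return {name: len(hits) for name, hits in buckets.items()}

if __name__ == "__main__":
    print(summarize())
```

Drops in the first two buckets fit the session-timeout explanation; anything left in `unexplained` is what a packet capture would need to answer.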

pfak
Premium Member
join:2002-12-29
Vancouver, BC

pfak to bimmerdriver

Premium Member

to bimmerdriver
Let me get you a tinfoil hat ...
bluenote73
join:2009-02-17
Canada

bluenote73 to goalcam

Member

to goalcam
said by goalcam:

The internet is chock full of unsolicited packets. In this case, you're using the webmail site and it's likely trying to send something back on the originating port for one reason or another such as some sort of keepalive as pb2k mentioned.

Either way, it's nothing to worry about, and above the knowledge level of your average level one Telus tech.

This.
bimmerdriver
join:2010-12-10
Coquitlam, BC

1 edit

bimmerdriver to pfak

Member

to pfak
Hey, thanks for the useful reply. Not.
bimmerdriver

bimmerdriver to HELLFIRE

Member

to HELLFIRE
I realize this isn't the end of the world. It wasn't happening before and it's strange. I'm just wondering what's causing it and if anyone else has noticed it. That's all.
couttsj
join:2010-07-29
Vernon, BC

couttsj to bimmerdriver

Member

to bimmerdriver
The only port that IP address responds to in the first 255 is port 80, which suggests that it is strictly a web server. The high originating port number also suggests that it is originating the request and not responding to one from yourself. TCP/IP will use the first available port starting at the top when attempting to make a connection. The fact that the number is high suggests that it is not something that it does frequently. Once used, a port has to time out before it can be used again. It is an interesting situation, but without knowing what port it is attempting to make a connection with, it is difficult to say what is happening.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to bimmerdriver

MVM

to bimmerdriver

Re: Unsolicited tcp packets from 207.167.198.19 (webmail2.telus.net)

said by bimmerdriver:

I'm just wondering what's causing it

...'s why they call it "troubleshooting" in my day job.

Regards