- Traffic Log - Legitimate Traffic or Data Mining???
- Posted by Jeff on August 8th, 2004
My question comes about because my Netgear router had to be exchanged for a
new unit. I was using Sygate Personal Firewall (Free) at the time, and was
receiving daily reports of others trying to scan my ports. So I downloaded
Sygate Personal Firewall Pro to enhance protection while I was without a
hardware firewall.
I quickly became interested in the Traffic Log, after learning of the
different logs (security, packet, system and traffic) that the application
offered. And I began paying careful attention to it, clearing it often
before conducting any web activities so I could see what was happening.
I now know that every time I try to download a page from a Yahoo website with
a particular IP address (i.e. 216.109.126.22 for My Yahoo), in less than a
thousand milliseconds my computer tries to send TCP data packets to
us.a1.yimg.com (206.18.104.200), us.i1.yimg.com (12.129.72.136), and
us.news1.yimg.com (12.129.72.144). I've blocked these from going out, and
nearly all other traffic as well, establishing very narrow ranges of safe IP
addresses my software firewall will permit communication with. And that's
the tip of the iceberg. If I try to download the comic from www.dilbert.com
(65.114.4.69), my computer tries to send data packets to
adsremote.scripps.com (204.78.38.15). The list goes on and on and on; these
are just a few examples.
Now that I'm blocking these 'extraneous' data packets from being sent, the
web pages I want to see take 30 seconds to 5 minutes to download, instead of
the usual couple seconds. But they do download eventually. Which tells me
that the data packets being sent out without my permission to other IP
addresses aren't necessary for me to see the web pages I want. Call it
paranoia, but I can only suspect that the data packets I'm blocking contain
personal data such as my browsing habits going to marketing firms and the
like. I completely erased all of the cookies I had, but this had no effect
at all. Which isn't surprising, since the same kind of behavior (unwanted
data packets going to odd IP addresses) occurs even when I visit a new
website for the first time.
So as I said, I've configured Sygate Personal Firewall with a very narrow
set of IP addresses that information can be sent or received from. I build
up the set of "good IP's" each time I try connecting to a website by looking
at the traffic log, seeing the IP that was blocked when I tried to connect
to a desired website, and then including that IP into the allowed range of
good IPs. And I'm steering clear of sites that want data packets sent to
various alternative IPs when I try to download a webpage, looking for
alternative sites for reading news and other activities.
So the key question I have is this: is there a legitimate reason why my
computer should be sending a data packet to adsremote.scripps.com
(204.78.38.15) when I try to read the daily Dilbert comic (65.114.4.69)?
Other than the initial request from my browser to download the .html file(s)
from a website, why should my browser be sending anything to anywhere else?
I'm not a programmer or networking specialist, but I would sincerely like to
know what's in those datapackets I'm blocking from leaving my computer. For
the moment I'm just building my rules of which IPs are "safe" for my
computer to communicate with, so I can visit an increasing number of
websites. But I see no reason why I should be supplying any group or
business with any data from my computer when it's obviously not necessary
for the webpage I want to download to my computer. It may be extremely
inconvenient waiting five minutes for a webpage to download, but if somebody
wants information from me they should tell me, and possibly be paying me for
it. I realize that they are providing me a service when I download a webpage
from them. But as I said, I am steering away from those websites to
alternatives that aren't mining my computer for information.
Are my assumptions in this totally wrong? Or am I right in assuming there is
no legitimate reason why I should be sending data packets anywhere other
than the IP address from which I requested the web page?
- Posted by Duane Arnold on August 8th, 2004
Web sites do use browser redirects where you are viewing the content of a
Web page while the browser is being redirected to another Website for
uploading or downloading of information to or from your machine.
That's everyday life of surfing the Internet. Am I going to worry about
trying to stop everything leaving my machines? The answer is no.
I use the HOSTS file as a prevention measure that helps stop the browser
redirects as much as possible, and go on about my business and use Ad-aware
on a routine basis.
http://www.mvps.org/winhelp2002/hosts.htm
http://www.snapfiles.com/get/hoststoggle.html
I also do some security configuration of the browser as well.
Duane 
- Posted by Dirk Claessens on August 8th, 2004
"Jeff" <jeff@nospam.net> wrote in
news:QwtRc.250317$JR4.100228@attbi_s54:
Most freely accessible websites run some form of advertisement/banner
service. I guess you will have to live with it. This ad service is either
run by themselves, or by specialised 3rd-party companies.
( you'd be amazed where CNN,FoxNews,CBS & al take you to stuff you with
ads!)
This is part of the sourcecode of www.dilbert.com:
<script language="JavaScript1.1"
src="http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUPERSTITIAL&PagePos=1">
</script>
A simple dig reveals that www.dilbert.com is actually located at
umns1.unitedmedia.com, and that the DNS-servers are ...
ns1/2.scripps.com, belonging to the same domain as adsremote.
C:\dig>dig www.dilbert.com
;; QUESTION SECTION:
;www.dilbert.com. IN A
;; ANSWER SECTION:
www.dilbert.com. 3263 IN A 65.114.4.69
;; AUTHORITY SECTION:
dilbert.com. 3263 IN NS umns1.unitedmedia.com.
dilbert.com. 3263 IN NS ns1.scripps.com.
dilbert.com. 3263 IN NS ns2.scripps.com.
;; ADDITIONAL SECTION:
umns1.unitedmedia.com. 45917 IN A 65.114.4.10
ns1.scripps.com. 45917 IN A 204.78.32.10
ns2.scripps.com. 45917 IN A 209.215.174.32
Frankly, what you are trying to achieve is a waste of time.
It is perfectly normal/legal that a web page contains links to other
domains, after all that's what the World Wide Web is all about!
It is unfeasible to sift through each and every URL any given webpage may
contain. If you're concerned about your privacy, then use some anonymizer
service.
Finally, if you're really concerned about security, then ditch IE & OE
*now*. Even if you installed the latest patches, it will only be a matter
of time before the next security hole will surface.
--
Dirk.
No trees were killed in the creation of this message;
however, many electrons were terribly inconvenienced.
http://users.pandora.be/dirk.claessens2
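The "data packets" Jeff sees leaving for adsremote.scripps.com are the browser fetching resources the page itself references, exactly like the script tag Dirk quotes above. Below is an added example (not code from the thread) that lists those references from a page's HTML source, grouped by host, so the hosts can be compared against what the firewall's traffic log shows. It uses only the Python standard library. The sample HTML is constructed for this example; only the adsremote.scripps.com script tag is taken from the dilbert.com source quoted in the thread, and the unitedmedia.com image path is an assumption. Note the limit of this approach: it sees only what is written in the HTML. A script that the page loads can itself instruct the browser to fetch from yet another host, and that second hop never appears in the page source.

```python
"""List the hosts a browser will contact while rendering a page.

Added example, not from the thread: a stdlib-only parser that walks a page's
HTML and reports every host referenced by tags the browser fetches without
any user action (<script>, <img>, <iframe>, <link>, <embed>, <object>).
Every host other than the page's own is a connection a traffic log will show
as "outbound to some other IP" right after the page itself is requested.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value the browser fetches automatically.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "link": ("href",),   # stylesheets, icons, prefetch hints
}


class _RefCollector(HTMLParser):
    """Collect (tag, absolute URL) for every auto-fetched reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                # Relative paths resolve against the page URL, like a browser does.
                self.refs.append((tag, urljoin(self.base_url, value.strip())))


def referenced_hosts(html, page_url):
    """Return {host: sorted [(tag, url), ...]} for every fetch the page triggers."""
    parser = _RefCollector(page_url)
    parser.feed(html)
    parser.close()
    by_host = {}
    for tag, url in parser.refs:
        host = urlsplit(url).hostname
        if host:
            by_host.setdefault(host, []).append((tag, url))
    return {host: sorted(refs) for host, refs in by_host.items()}


def third_party_hosts(html, page_url):
    """Hosts that are not the page's own domain or one of its subdomains."""
    own = (urlsplit(page_url).hostname or "").lower()

    def first_party(host):
        return host == own or host.endswith("." + own) or own.endswith("." + host)

    return sorted(h for h in referenced_hosts(html, page_url) if not first_party(h))


# Constructed sample modelled on the dilbert.com page discussed in the thread.
# Only the adsremote.scripps.com script tag is quoted from the thread; the
# image and stylesheet paths and the unitedmedia.com image host are made up.
SAMPLE_PAGE_URL = "http://www.dilbert.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script language="JavaScript1.1"
src="http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUPERSTITIAL&PagePos=1">
</script>
</head><body>
<img src="/comics/dilbert/archive/images/dilbert20040808.gif">
<img src="http://images.unitedmedia.com/comics/dilbert/header.gif">
<iframe src="http://adfarm.mediaplex.com/ad/fm/placeholder"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, refs in sorted(referenced_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL).items()):
        for tag, url in refs:
            print(f"{host:28} {tag:7} {url}")
    print("third-party:", third_party_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

To use it on a real page, save the HTML the browser received and pass it with the page URL; each host in the third-party list should correspond to one of the "extra" outbound entries in the traffic log.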
- Posted by Jeff on August 8th, 2004
I already use Avant browser. I disable Active X and Flash animations, but I
still typically allow scripts to run and applets. Ad Blocker and Popup
Stopper are also running. But if the packets being sent from my computer
are the result of browser redirects, why doesn't my traffic log show an
incoming packet from either the original IP I wanted, or from the IP of the
redirect? Maybe I don't understand the exact nature of the traffic log.
When I tried to work with the Packet Log, it usually hung up and I would
have to use the Task Manager to terminate it. The packet log just
accumulated too much data too quickly, and the Sygate app wasn't very good
at resorting the log so that you could investigate it by reorganizing the
list by remote host or some other parameter you wanted to sort by. I reset
the Packet Log size limit to a much smaller value of perhaps 512 kB, but
haven't tried opening it since. Maybe I should watch it at the same time as
the Traffic Log.
How would an Anonymizer protect the information they are capturing? I can
always go through an anonymous proxy - I have a list and a utility for
switching between my direct connection and any of the anonymous public
proxies I pick up IPs for. But that doesn't change the fact that the
packets are coming from my computer, even if they don't have my IP. There
may still be personal information in the data packet, even though it's not
coming from my IP anymore. I'd feel better if I could intercept this
information and see what was contained there. But that is beyond my realm of
knowledge at this time.
And I don't understand exactly how a HOSTS file will protect me from this.
I can sift through my HOSTS file, but I doubt it contains any of the URLs
I'm trying to avoid sending packets to. The Avant browser already has a
rather comprehensive Ad and popup blacklist, which is updated with each
revision of the browser. The last build just came out about two weeks ago.
So as I say, without knowing what's in those packets trying to be sent from
my computer, I'm going to keep blocking them from leaving. My question
remains the same - is this legitimate traffic going from my computer, or are
they data mining my computer without telling me? The traffic log gives the
domain names as well as the IPs of the remote hosts, and some of them have
been pretty wacky.
Thanks for your time.
"Dirk Claessens" <will.bounce@invalid> wrote in message
news:Xns953FD80977885FlyingCircus@195.130.132.70...
- Posted by Duane Arnold on August 8th, 2004
You're sitting there with a Netgear router that has logging and you're
using Sygate?
May I suggest that you use Kiwi SysLog Daemon and dump the daily logs
into a database like MS Access through ODBC and you can run Access
reports and get a better picture as to what the router is seeing for
inbound and outbound traffic to/from the router.
There are Websites that have Host file updates and you yourself can add a
Domain Name to the Host file using 127.0.0.1 the Loopback IP.
Not only does the Host file with a Domain Name pointing to the Loopback
IP stop the browser from being redirected, but it will also stop malware
that doesn't need the browser (running as a background process) from
making contact with a site when the malware using a URL in program code
tries to do a DNS lookup to resolve the IP. If the Host file is in play,
then the O/S goes to the Host file to resolve it which has the Loopback
IP instead of going to the ISP to resolve the URL to IP and making
contact with the site.
Duane 
- Posted by Casey on August 8th, 2004
In article <QwtRc.250317$JR4.100228@attbi_s54>, jeff@nospam.net says...
they are). Many web pages that have advertising use this as a source
for the ads. Also, much of the free software that has advertising
uses this. When using the free Opera browser for example, you will find:
cdn1.adsdk.com
opera1-servedby.advertising.com
ins1.opera.com
ins2.opera.com
tribalfusion.com
a.tribalfusion.com
pagead-us.googlesyndication.com
Sygate logging is excellent. Without it, you really don't know
whats going on with the in/out of your computer. I look at the
traffic log daily.
- Posted by Thor Kottelin on August 8th, 2004
Duane Arnold wrote:
Pseudo-security by obscurity. Malware authors cannot be relied upon to use
the DNS instead of hard-coded IP addresses.
Thor
--
http://www.anta.net/
- Posted by Casey on August 8th, 2004
http://www.accs-net.com/hosts/what_is_hosts.html
http://www.mvps.org/winhelp2002/hosts.htm
Casey
- Posted by Duane Arnold on August 8th, 2004
Thor Kottelin <thor@anta.net> wrote in news:411695ED.61BA4E30@anta.net:
The more hard-core programmer of course not, but I am a lazy programmer
who will take the easy way out by just coding the URL into the code, as I
suspect many do. I have done a little malware testing using IPsec and its
DNS rule feature to block access by the browser to a site, along with
stopping the background process as well.
I will say that I am not an authority in writing malware programs either.
The Host file is not a stop-all, end-all solution, but it does help in a
limited capacity from a home user standpoint, IMHO.
Duane 
- Posted by Jeff on August 9th, 2004
I downloaded all the Kiwi software: daemon, logger, MIB, viewer. I followed
the setup instructions on the Kiwi site for other Netgear routers since my
own wasn't listed. Then I found out that my Netgear router, MR814 v2, won't
generate security logs. The only log files it generates are attempts to
visit blocked sites.
"Duane Arnold" <notme@notme.com> wrote in message
news:Xns953FA21E6CBD6notmenotmecom@204.127.204.17...
- Posted by Duane Arnold on August 9th, 2004
"Jeff" <jeff@nospam.net> wrote in
news:A6BRc.252725$JR4.130507@attbi_s54:
The next router you purchase you should make sure it can do logging.
Duane 
- Posted by Mike on August 10th, 2004
09Aug2004
Most web sites embed links to other web sites. This link describes what
happens when you load a page.
http://www.surferprotectionprogram.c...user_manual.ht
m#qstart_whathappens
(Note that you may have to concatenate the url listed above. It starts with
"http" and ends with "whathappens".)
The reason your pages are now taking so long is that you have stopped
portions of the pages from loading. These portions must timeout before the
page finishes loading. For the dilbert example, you need to allow the sites
that begin with:
http://adsremote.scripps.com/html.ng/
and
http://adsremote.scripps.com/js.ng/
If you allow these URLs, they will load, then tell the browser to go get a
page from
http://adfarm.mediaplex.com/ad/
This page you want to block.
It helps to have a tool that can show you all of the pages that load when
you load www.dilbert.com. The http proxy from the manual above lets you use
regular expressions to block sites and to permit sites. It turns out, there
are just a handful of patterns required to efficiently block advertisers and
fewer patterns that must be allowed. There is no standard, it just happens
that everyone uses similar naming conventions. In dilbert, the /html.ng/
pattern is permitted, but the /ad/ pattern is blocked. When using the http
proxy, even though you permit the /html.ng/, the proxy strips several tags
out of the outgoing http request - so your privacy is maintained.
Two nice things about using an http proxy:
1. all of your http tools can be directed to use it, not just your
browser.
2. once you start blocking advertisers, most of the pop-ups stop
appearing.
"Jeff" <jeff@nospam.net> wrote in message
news:QwtRc.250317$JR4.100228@attbi_s54...
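The allow-then-block pattern logic Mike describes, as an added example that is not code from the thread or from the proxy manual he links. It keeps the two adsremote.scripps.com paths (/html.ng/ and /js.ng/) that the dilbert.com page waits on, blocks the /ad/ path those scripts then ask for, and scrubs the headers that carry browsing history (Referer, Cookie) from any request leaving for a different site than the page that caused it. Refusing a blocked request immediately, instead of silently dropping the packet as a firewall rule does, is what keeps the page from hanging until the connection times out. The second block pattern (hosts beginning ad., ads1., pagead-) is an assumption about common naming, not a standard, and the sample requests, the ads1.example.net host and the crude two-label site comparison are constructed for this example.

```python
"""Allow/block URL patterns and outbound header scrubbing for a filtering proxy.

Added example, not code from the thread or from the linked proxy manual.
decide() applies allow patterns first, then block patterns, default allow;
scrub_headers() removes history-carrying headers on cross-site requests.
"""
import re
from urllib.parse import urlsplit

# Checked first: requests the page genuinely waits on (dilbert example).
ALLOW_PATTERNS = [
    r"^https?://adsremote\.scripps\.com/(html|js)\.ng/",
]
# Checked second: what the allowed ad script goes on to fetch, plus an
# ASSUMED host-naming convention (ad., ads1., pagead-); not a standard.
BLOCK_PATTERNS = [
    r"^https?://[^/]+/ad/",
    r"^https?://(ads?|pagead)[0-9a-z]*[.-]",
]
# Headers that tell the remote site where you came from and who you are.
CROSS_SITE_STRIP = ("Referer", "Cookie")
ALWAYS_STRIP = ("From", "X-Forwarded-For")


def decide(url):
    """'allow' or 'block'. Allow rules win, then block rules, default allow."""
    if any(re.search(p, url, re.I) for p in ALLOW_PATTERNS):
        return "allow"
    if any(re.search(p, url, re.I) for p in BLOCK_PATTERNS):
        return "block"
    return "allow"


def _site(url):
    """Crude registrable-domain guess (last two labels); no public-suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def scrub_headers(url, headers):
    """Headers to forward: Referer/Cookie are dropped when leaving for another site."""
    out = {k: v for k, v in headers.items() if k not in ALWAYS_STRIP}
    referer = headers.get("Referer", "")
    if referer and _site(referer) != _site(url):
        for name in CROSS_SITE_STRIP:
            out.pop(name, None)
    return out


def filter_request(url, headers):
    """Return ('block', None) or ('allow', scrubbed_headers)."""
    verdict = decide(url)
    if verdict == "block":
        return verdict, None
    return verdict, scrub_headers(url, headers)


# Constructed requests modelled on loading www.dilbert.com as the thread describes.
SAMPLE_REQUESTS = [
    ("http://www.dilbert.com/",
     {"Host": "www.dilbert.com", "User-Agent": "Avant"}),
    ("http://www.dilbert.com/comics/dilbert/archive/images/strip.gif",
     {"Host": "www.dilbert.com", "Referer": "http://www.dilbert.com/", "Cookie": "pref=1"}),
    ("http://adsremote.scripps.com/js.ng/site=DLBT&adtype=SUPERSTITIAL&PagePos=1",
     {"Host": "adsremote.scripps.com", "Referer": "http://www.dilbert.com/", "Cookie": "id=42"}),
    ("http://adfarm.mediaplex.com/ad/fm/placeholder",
     {"Host": "adfarm.mediaplex.com", "Referer": "http://www.dilbert.com/"}),
    ("http://ads1.example.net/banner.gif",
     {"Host": "ads1.example.net", "Referer": "http://www.dilbert.com/"}),
]


def run(requests=SAMPLE_REQUESTS):
    """Apply the rules to each request; returns [(url, verdict, forwarded_headers)]."""
    return [(url,) + filter_request(url, hdrs) for url, hdrs in requests]


if __name__ == "__main__":
    for url, verdict, hdrs in run():
        print(f"{verdict:5} {url}  ->  {hdrs}")
```

In a real proxy, a "block" result is answered with an immediate HTTP error so the browser stops waiting, and the order of the two lists matters: an allow rule that matched a whole host would also let through the /ad/ fetch that follows it, which is why the allow patterns are written against the specific paths.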