Having Comodo in "high" mode to check what servers programs contact, I notice "svchost.exe" constantly trying to connect to lots of servers at different IPs on ports 80 and 443. Anyone know what this is? The list of servers includes:
Yes, this is Windows' Automatic Updates. And if you didn't know this, then you've understood the reason why you should not run any host-based packet filter or firewall without a clue.
Akamai serves the images and streaming content for many of the most popular Internet web-sites. When you connect to a web-site, your browser first contacts the content provider and downloads an HTML file. This file contains embedded URLs that tell your browser where to find all the objects necessary to finish displaying the page. In the case of an "Akamaized" site, these URLs point to the Akamai Network. Next, your browser makes connections to the URLs to obtain the images or streaming content. Again, for an "Akamaized" site, your browser will contact an Akamai server to obtain the requested items. Generally a TCP server listens on a well-known port < 1023 (for example port 80 for HTTP), and a TCP client connects from a port > 1023 assigned by the operating system. So a connection from port 80 of the Akamai server to a high-numbered port on your machine is a normal HTTP transaction. If you'd like to learn more visit the FAQ at
whois 207.46.209.124 ???
GeekTools Whois Proxy v5.0.4 Ready. Final results obtained from whois.arin.net. Results:
OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
But if you use the CyberAbuse Whois look-up they are all listed as MS IP addresses. In fact, I think it is safe to say that all 207.46.x.x numbers belong to MS.
I've given advice: It's definitely Windows Automatic Updates, as he suspected.
It's not even arrogant, it's just the truth. For actually gaining security with a packet filter you require in-depth knowledge about TCP/IP and networking, including an understanding and overview of the hosts' services involved in your scenario. You can try without, but you won't achieve any security. But oh, it's so arrogant telling him about his misconception...
...said someone who is abusing Outlook Express as a newsreader, in a security-related group. Nuff said.
Why should they have done this? It's good practice, but not required, to create PTR records in DNS. The hosts in question apparently are backend servers for Windows Update, maybe load-balanced by Round Robin DNS.
Keep in mind, though, that whois and nslookup do entirely different things. whois, when fed an IP address, returns information on the owner of the netblock the IP in question belongs to. nslookup OTOH returns a name resolved by a PTR record when fed an IP address. If there's no PTR record for that address, nslookup will certainly fail.
It would have made it easier to decide whether to allow/disallow access if you knew the name of the machine (then you could say "a-ha, it's that software trying to connect to its update server", or similar...).
ORLY? Then how about your firewall reporting that there's traffic to someserver.windowsupdate.com. Would you approve that? How about windows-update.com, windowsupdate.net, windowsupdates.com or winupdate.org? Which of them would you approve? Which not? And why?
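As an added example (not code from anyone in this thread), here is how a firewall's hostname prompt can be checked against an allowlist by DNS label rather than by substring, which is what separates someserver.windowsupdate.com from the lookalikes listed above; ALLOWED_DOMAINS is a constructed policy placeholder, not any published list.

```python
# Added example: label-aware hostname allowlisting for firewall prompts.
# ALLOWED_DOMAINS is a constructed policy placeholder, not a list Microsoft publishes.
ALLOWED_DOMAINS = ("windowsupdate.com",)


def _labels(name: str) -> list:
    """Lowercase, drop a trailing dot, split into DNS labels ('a.B.com.' -> ['a', 'b', 'com'])."""
    return [label for label in name.strip().lower().rstrip(".").split(".") if label]


def is_allowed_host(hostname: str, allowlist=ALLOWED_DOMAINS) -> bool:
    """True only if hostname IS an allowed domain or sits under it, label by label.

    'someserver.windowsupdate.com' matches; 'windowsupdate.net', 'windows-update.com',
    'evilwindowsupdate.com' and 'windowsupdate.com.example.org' do not.
    """
    host = _labels(hostname)
    for allowed in allowlist:
        domain = _labels(allowed)
        if domain and len(host) >= len(domain) and host[-len(domain):] == domain:
            return True
    return False


def naive_allowed_host(hostname: str, allowlist=ALLOWED_DOMAINS) -> bool:
    """The substring test people tend to write; kept only to show what it wrongly accepts."""
    lowered = hostname.lower()
    return any(allowed in lowered for allowed in allowlist)


def triage(hostnames, allowlist=ALLOWED_DOMAINS) -> dict:
    """Map each reported hostname to the allow/deny decision the strict check gives."""
    return {h: is_allowed_host(h, allowlist) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample of names a host firewall might show in its prompt.
    seen = ["someserver.windowsupdate.com", "windows-update.com", "windowsupdate.net",
            "windowsupdates.com", "winupdate.org", "evilwindowsupdate.com",
            "windowsupdate.com.example.org"]
    for name, ok in triage(seen).items():
        flag = "" if ok == naive_allowed_host(name) else "   <-- substring check disagrees"
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}{flag}")
```

Only the first sample name is allowed; the last two show where a substring check would have said yes.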
No approval for any. As we all know, windowsupdate.com was a spoofing site from earlier times and got acquired by Microsoft, thus there's no reason to involve it with Windows Update. However, Microsoft to do this on their own, so at least Windows Update v6 requires access to
'nslookup' queries name servers. If the fools running the name servers don't know how to set them up, or don't care, then the information will not be there. You could use 'whois', which queries the registrar databases, but Microsoft didn't think you'd need to know that information, and didn't include the tool. There are toy web tools that can be used to query those servers.
Microsoft follow standards??? What a bizarre concept. They can't follow their own standards, why do you think they might even know about international standards?
That's the excuse used by all arrogant people. What they don't understand (have never been taught) is how to tell the truth in a diplomatic way. Prejudice against Outlook Express users is just such arrogance. Ridicule Microsoft if you must but leave the users alone.
Huh? This was the diplomatic way. I respectfully pointed out the problem in his misconception.
What prejudice? Outlook Express and security being mutually exclusive is a well-known fact, so that's why I should not expect any serious security advice from OE users.
On the other hand, if the header information was not genuine, I'd ask myself why anyone would spoof OE as useragent...
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.