"Peter" <me@privacy.net> wrote in message
news:sfidnRyUYPbaYQbZnZ2dnUVZ8sydnZ2d@pipex.net...
> If this is OT, then I apologise.
>
> I'm running 2003 Standard, basically to host my wife's hobby sites.
>
> I monitor the logs for intrusion attempts, and persistent offenders get
> barred using a simple IPSEC implementation.
>
> However, I cannot stop a plague of visits from msnbot/0.9 supposedly
> originating from IP 65.55.246.129
>
> My thoughts are:
>
> 1. IPSEC isn't working (but I've tested it and it appears OK)
> 2. M$ have left themselves a backdoor (unlikely, I would hope)
> 3. msnbot is spoofing it's IP
>
> Any thoughts?

> From where are you getting the IP? The IIS logs?

> IPsec uses the IP as actually in use, where as the IP logged in
> the IIS logs seems to be from the http headers. I have run into
> this before when trying to subvert pests with IPsec barring rules
> when apparently the originating machine is behind a NAT so
> that there is an outer IP in actual use by the network stack
> that you much determine in order to block with IPsec.

"Peter" <me@privacy.net> wrote in message
news:i8SdnRNR9571jgHZRVnytA@pipex.net...
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in news:uwo7hjtlGHA.1240
> @TK2MSFTNGP05.phx.gbl:
>
>> From where are you getting the IP? The IIS logs?
>
> Yes
>
>> IPsec uses the IP as actually in use, where as the IP logged in
>> the IIS logs seems to be from the http headers. I have run into
>> this before when trying to subvert pests with IPsec barring rules
>> when apparently the originating machine is behind a NAT so
>> that there is an outer IP in actual use by the network stack
>> that you much determine in order to block with IPsec.
>
> So it seems.
>
> Thanks for replying...
>
> I can always fall back on to plan 'B' (which is a home-grown ISAPI filter
> on the 'mod_rewrite' principle) so it's not the end of the world, but can
> IPSEC (or any other IIS feature) be persuaded to part with the 'true' IP
> information I want?
>
> (2003 + SP1, if that is relevant)

On Fri, 23 Jun 2006 09:35:51 -0500, Peter <me@privacy.net> wrote:

>If this is OT, then I apologise.
>
>I'm running 2003 Standard, basically to host my wife's hobby sites.
>
>I monitor the logs for intrusion attempts, and persistent offenders get
>barred using a simple IPSEC implementation.
>
>However, I cannot stop a plague of visits from msnbot/0.9 supposedly
>originating from IP 65.55.246.129
>
>My thoughts are:
>
>1. IPSEC isn't working (but I've tested it and it appears OK)
>2. M$ have left themselves a backdoor (unlikely, I would hope)
>3. msnbot is spoofing it's IP
>
>Any thoughts?