Tonight I happened to be looking through one of my server’s logs for something and found my ability to do so was being seriously hampered by the amount of crap being logged by iptables logging dropped packets (even though that is rate-limited). I was mildly surprised to note that most of it was like this:

Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1027 LEN=492
Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1026 LEN=492
Mar 23 16:26:58 kwak kernel: world>somedom DENY: IN=eth0 OUT=v-somedom SRC=24.64.119.208 DST=192.168.194.1 LEN=512 PROTO=UDP SPT=24642 DPT=1028 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1026 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1027 LEN=492
Mar 23 16:26:58 kwak kernel: world>anotherdom DENY: IN=eth0 OUT=v-anotherdom SRC=24.64.124.244 DST=192.168.194.2 LEN=512 PROTO=UDP SPT=31002 DPT=1028 LEN=492

It’s been so long that I had even forgotten what UDP 1026-1028 was all about. It’s WinPopUP — the mechanism by which spammers (used to?) put up dialog boxes on the screens of unfirewalled Windows machines.

At first I thought “stupid spammers,” but if they’re doing it then it must still be working to some degree. This should have been dead and buried since 2002. Sad state of affairs!