Security Incidents mailing list archives

Strange packets from Verisign Sitefinder


From: Ralf G <gue () alphatel de>
Date: 2 Oct 2003 11:53:49 -0000



Hi list

I am seeing strange packets coming from Verisign's Sitefinder in my firewall logs. It appears that they are SYN-ACK
packets sent to unused addresses in our registered address space. My theory is that someone else has spoofed the
source addresses in an initial HTTP connection to Sitefinder, but the reply packets are then routed to the rightful
owner of these addresses (us).

Here is a sample packet dump:

13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:41:56.081523 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.88.1709: S 17910271:17910271(0) ack 755564545 win 16384 (ttl 87, id 256)
13:41:56.814659 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.147.1696: S 72446775:72446775(0) ack 186253313 win 16384 (ttl 87, id 256)
13:41:57.324028 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.195.206.1915: S 327185891:327185891(0) ack 1764425729 win 16384 (ttl 87, id 256)

These packets arrive here in vast numbers. Does anyone have any ideas what else could cause this and what I could do
about it? So far, I don't see that I can do much about it.

Any ideas appreciated
Ralf G.
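
Added example, not part of the original post: a Python sketch that parses tcpdump text in the format shown above and reports SYN-ACKs for which the capture contains no matching outbound SYN, grouped by responder. The first two sample lines (a completed handshake from 192.0.2.10) are constructed for contrast; the other five are the lines from the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Old-style tcpdump text: "src.port > dst.port: S seq:seq(0) [ack N] win W (ttl T, id I)"
LINE_RE = re.compile(
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFPRU.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))? win \d+ "
    r"\(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)"
)

# Lines 1-2 are constructed (a solicited handshake); lines 3-7 are from the post.
SAMPLE = """\
13:41:50.000000 192.0.2.10.4000 > sitefinder-idn.verisign.com.http: S 1000:1000(0) win 16384 (ttl 64, id 5)
13:41:50.100000 sitefinder-idn.verisign.com.http > 192.0.2.10.4000: S 777:777(0) ack 1001 win 16384 (ttl 87, id 300)
13:41:55.458798 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.56.1959: S 246336671:246336671(0) ack 1099366401 win 16384 (ttl 87, id 256)
13:41:55.941884 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.115.1178: S 154406256:154406256(0) ack 530055169 win 16384 (ttl 87, id 256)
13:41:56.081523 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.193.88.1709: S 17910271:17910271(0) ack 755564545 win 16384 (ttl 87, id 256)
13:41:56.814659 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.194.147.1696: S 72446775:72446775(0) ack 186253313 win 16384 (ttl 87, id 256)
13:41:57.324028 0:b0:c2:8b:bf:76 0:c0:95:e2:32:66 ip 60: sitefinder-idn.verisign.com.http > 193.227.195.206.1915: S 327185891:327185891(0) ack 1764425729 win 16384 (ttl 87, id 256)
"""

def find_unsolicited_synacks(text):
    """Return {responder: [packets]} for SYN-ACKs with no matching SYN in the capture."""
    pending = set()   # (client, cport, server, sport, ack value a genuine reply must carry)
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or "S" not in m["flags"]:
            continue
        if m["ack"] is None:   # plain SYN: remember the handshake we started
            pending.add((m["src"], m["sport"], m["dst"], m["dport"],
                         (int(m["seq"]) + 1) % 2**32))
        elif (m["dst"], m["dport"], m["src"], m["sport"], int(m["ack"])) not in pending:
            hits[m["src"]].append({"dst": m["dst"], "ttl": int(m["ttl"]),
                                   "ipid": int(m["ipid"])})
    return dict(hits)

def summarize(hits):
    """Per responder: packet count, distinct targets, and observed TTL / IP id values."""
    return {src: {"packets": len(p), "targets": len({x["dst"] for x in p}),
                  "ttls": sorted({x["ttl"] for x in p}),
                  "ipids": sorted({x["ipid"] for x in p})}
            for src, p in hits.items()}

if __name__ == "__main__":
    for src, stats in summarize(find_unsolicited_synacks(SAMPLE)).items():
        print(src, stats)
```

The capture has to include outbound traffic for the SYN matching to mean anything; for addresses that are unused, as in the post, no outbound SYN can exist, so every SYN-ACK sent to them is reported.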
