Security Incidents mailing list archives

port 6801 and Netzero


From: "Brian Collins" <bcollins () newnanutilities org>
Date: Fri, 18 Feb 2005 13:30:00 -0500

Howdy folks.

I noticed recently that one of our NAT pool IPs was reported for a good bit of port 6801 activity 
(http://www.dshield.org/ipdetails.php?ip=066.216.217.010), and that port 6801 seems to have spiked some this week 
(http://isc.sans.org//port_details.php?port=6801).  So I started listening for hosts on that particular network of ours 
who were talking on port 6801.  I managed to get an entire session between one of our customers and an IP assigned to 
United Online, which apparently sells Netzero and other dialup services.  This seems to be innocuous, but is odd 
nonetheless.  The destination IP has a host name (searchap.untd.com).  Now, I don't think this is related to the other 
port 6801 traffic coming off this network, but I'd like to know what this thing is doing.  Has anyone else seen Netzero 
or other dialup apps do this?  Looking at it with Ethereal, it does an http post to the host, has what looks like a 
request, and has a response, the data of which are unintelligible to me.  One of the cookies implies it's somehow 
related to Netzero (Cookie: brand=NZ).

If I had to guess, I'd say someone loaded Netzero on the machine at some point.  Now, that machine is plugged into our 
cable modem network, and perhaps the dialup software or something else installed by/with Netzero is phoning home for 
whatever reason.  But that's pure speculation.

Packet capture here: http://misweb.newnanutilities.org/packetdump/

Thanks,
--Brian Collins
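The triage described in the post (capture sessions on port 6801, then look at the HTTP POST for the destination host and the telltale `Cookie: brand=NZ`) can be done without reading raw hex once the payload is pulled out of the capture. The following is an added example, not code from the original post or from the archive: it parses the application payload of a TCP session, extracts the request line, `Host` and cookies, and produces a one-line summary only for sessions to the port in question. The sample payload is constructed; the `/search` path and `uid` cookie are assumptions, while the hostname and `brand=NZ` come from the post.

```python
"""Summarise an HTTP request found in the payload of a TCP session so a
responder can see where it goes and which cookies it carries.

Added example (not the original poster's tooling). The sample payload is
constructed; only the hostname and the brand=NZ cookie are from the post."""

from dataclasses import dataclass, field
from typing import Dict, Optional

SUSPECT_PORT = 6801  # the port the post is about


@dataclass
class HttpRequestSummary:
    method: str
    path: str
    host: Optional[str]
    cookies: Dict[str, str] = field(default_factory=dict)
    body_len: int = 0


def parse_http_request(payload: bytes) -> Optional[HttpRequestSummary]:
    """Parse the first HTTP request in a TCP payload.

    Returns None when the payload does not begin with an HTTP request line,
    so binary protocols on the same port are skipped rather than mis-parsed."""
    head, _sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, path, version = lines[0].decode("ascii", "replace").split(" ", 2)
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None

    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        name, colon, value = raw.decode("ascii", "replace").partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()

    # Cookie header is "k1=v1; k2=v2"; keep each pair for review.
    cookies: Dict[str, str] = {}
    for part in headers.get("cookie", "").split(";"):
        key, eq, val = part.strip().partition("=")
        if eq:
            cookies[key] = val

    return HttpRequestSummary(method, path, headers.get("host"), cookies, len(body))


def flag_session(dst_port: int, payload: bytes) -> Optional[str]:
    """Return a one-line summary for HTTP sessions to SUSPECT_PORT, else None."""
    if dst_port != SUSPECT_PORT:
        return None
    req = parse_http_request(payload)
    if req is None:
        return None
    brand = req.cookies.get("brand", "?")
    return f"{req.method} {req.host}{req.path} brand={brand}"


# Constructed sample payload: the host and brand cookie match the post,
# the path and the uid cookie are assumptions.
SAMPLE_PAYLOAD = (
    b"POST /search HTTP/1.1\r\n"
    b"Host: searchap.untd.com\r\n"
    b"Cookie: brand=NZ; uid=constructed\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    print(flag_session(SUSPECT_PORT, SAMPLE_PAYLOAD))
    print(flag_session(80, SAMPLE_PAYLOAD))
    print(parse_http_request(b"\x00\x01not http"))
```

Feeding real sessions means extracting the reassembled TCP payload from the capture first (for example with a pcap library); the summary line is what you would then compare against the destination IPs and hostnames to decide whether the traffic is a known client phoning home or something that needs follow-up.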
