[TCLUG] hotmail servers scanning...

Thu Aug 23 10:12:57 CDT 2001

Hmm... I wouldn't think Hotmail would portscan unrelated IPs to find SMTP
relays on wierd ports. Or did Hotmail turn into an ISP when I wasn't watching?
It's just wierdly coordinated - all these different IPs within the same ARIN
block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't recognized
any IPs I've fed it so I'm not sure what to make of it. I might just phone
the contact for the ARIN block at Hotmail and see if he knows what's going on.

Joshua Jore
Minneapolis Ward 3, precinct 10
  "The irony of this man being imprisoned in the United States and longing
to return to once-Communist Russia so he can regain his right to free
speech is simply staggering." - someone else

On Thu, 23 Aug 2001, Liz Burke-Scovill wrote:

>
> Hey, Josh -
>
> I don't know if this means anything, but while I was working on locking
> down SMTP over here, we were alerted to the problem because earthlink was
> doing scans to make sure we didn't have any open SMTP relays - not always
> on the standard port...perhaps hotmail's doing the same thing OR someone
> going through hotmail is trying to find an opening to spam from?
>
> Liz
>
> On Thu, 23 Aug 2001, Joshua b. Jore wrote:
>
> > Nope, the box getting the connections is MS-free. The only reason hotmail shoudl be talking to my box is to deliver mail or do DNS in the service of mail. In that case I should see connections *to* ports 25 and 53, not *from* 25. It's an idea tho. I just don't use MSN Messenger.
> >
> > Joshua Jore
> > Minneapolis Ward 3, precinct 10
> >   "The irony of this man being imprisoned in the United States and longing
> > to return to once-Communist Russia so he can regain his right to free
> > speech is simply staggering." - someone else
> >
> > On Thu, 23 Aug 2001, doug wrote:
> >
> > > Are you logged on to msn messenger or logged into the hotmail service on any
> > > machine? I'm not sure if messenger uses port 25 for anything or not (believe
> > > it does), but I know it does use non-standard ports as well. I'd find it
> > > hard to believe it's trojaned and snooping you but then again it's M$ so who
> > > really knows what's going on there ;-)
> > > ----- Original Message -----
> > > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > > To: <tclug-list at mn-linux.org>
> > > Sent: Wednesday, August 22, 2001 8:03 PM
> > > Subject: [TCLUG] hotmail servers scanning...
> > >
> > >
> > > > Just a general issue, I've noticed a few IPs from the hotmail.com IP range
> > > > doing some curious scanning. The same IP will try several times to connect
> > > to
> > > > a specific high port and it's always sourced from the smtp port.
> > > >
> > > > I'm including a grep from my firewall log where it shows the hotmail IP,
> > > the
> > > > source port, the destination port (where I blocked the access) and how
> > > many
> > > > times the hotmail IP tried. So what's going on? Is hotmail trojaned or
> > > > something? Am I just missing something important here?
> > > >
> > > > 64.4.55.73 25 8546 6
> > > > 64.4.55.171 25 10273 6
> > > > 64.4.42.33 25 18839 11
> > > > 64.4.49.144 25 44093 11
> > > > 64.4.56.229 25 42600 7
> > > > 64.4.56.203 25 11097 6
> > > > 64.4.56.176 25 21336 5
> > > > 64.4.55.20 25 40832 10
> > > > 64.4.55.155 25 47103 11
> > > > 64.4.42.30 25 29489 11
> > > > 64.4.50.13 25 48844 11
> > > > 64.4.56.226 25 23369 6
> > > >
> > > > Joshua Jore
> > > > Minneapolis Ward 3, precinct 10
> > > >   "The irony of this man being imprisoned in the United States and longing
> > > > to return to once-Communist Russia so he can regain his right to free
> > > > speech is simply staggering." - someone else
> > > >
> > > > _______________________________________________
> > > > tclug-list mailing list
> > > > tclug-list at mn-linux.org
> > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > >
> > >
> > > _______________________________________________
> > > tclug-list mailing list
> > > tclug-list at mn-linux.org
> > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > >
> >
> > _______________________________________________
> > tclug-list mailing list
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >
>
> --
> Imagination is intelligence having fun...
> e-mail:  kethry at winternet.com
> URL:  http://WWW.winternet.com/~kethry/index.html
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>