This block is not all Hotmail. At least some of these (i.e. 64.1.x.x) are XO
Communications.

Tom Veldhouse
veldy at veldy.net

----- Original Message -----
From: "Joshua b. Jore" <josh at greentechnologist.org>
To: <tclug-list at mn-linux.org>
Sent: Thursday, August 23, 2001 10:12 AM
Subject: Re: [TCLUG] hotmail servers scanning...


> Hmm... I wouldn't think Hotmail would portscan unrelated IPs to find SMTP
> relays on weird ports. Or did Hotmail turn into an ISP when I wasn't watching?
> It's just weirdly coordinated - all these different IPs within the same ARIN
> block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't recognized
> any IPs I've fed it so I'm not sure what to make of it. I might just phone
> the contact for the ARIN block at Hotmail and see if he knows what's going on.
>
> Joshua Jore
> Minneapolis Ward 3, precinct 10
>   "The irony of this man being imprisoned in the United States and longing
> to return to once-Communist Russia so he can regain his right to free
> speech is simply staggering." - someone else
>
> On Thu, 23 Aug 2001, Liz Burke-Scovill wrote:
>
> >
> > Hey, Josh -
> >
> > I don't know if this means anything, but while I was working on locking
> > down SMTP over here, we were alerted to the problem because earthlink was
> > doing scans to make sure we didn't have any open SMTP relays - not always
> > on the standard port...perhaps hotmail's doing the same thing OR someone
> > going through hotmail is trying to find an opening to spam from?
> >
> > Liz
> >
> > On Thu, 23 Aug 2001, Joshua b. Jore wrote:
> >
> > > Nope, the box getting the connections is MS-free. The only reason hotmail
> > > should be talking to my box is to deliver mail or do DNS in the service of
> > > mail. In that case I should see connections *to* ports 25 and 53, not
> > > *from* 25. It's an idea tho. I just don't use MSN Messenger.
> > >
> > > Joshua Jore
> > > Minneapolis Ward 3, precinct 10
> > >   "The irony of this man being imprisoned in the United States and longing
> > > to return to once-Communist Russia so he can regain his right to free
> > > speech is simply staggering." - someone else
> > >
> > > On Thu, 23 Aug 2001, doug wrote:
> > >
> > > > Are you logged on to msn messenger or logged into the hotmail service on
> > > > any machine? I'm not sure if messenger uses port 25 for anything or not
> > > > (believe it does), but I know it does use non-standard ports as well. I'd
> > > > find it hard to believe it's trojaned and snooping you but then again it's
> > > > M$ so who really knows what's going on there ;-)
> > > > ----- Original Message -----
> > > > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > > > To: <tclug-list at mn-linux.org>
> > > > Sent: Wednesday, August 22, 2001 8:03 PM
> > > > Subject: [TCLUG] hotmail servers scanning...
> > > >
> > > >
> > > > > Just a general issue, I've noticed a few IPs from the hotmail.com IP
> > > > > range doing some curious scanning. The same IP will try several times to
> > > > > connect to a specific high port and it's always sourced from the smtp port.
> > > > >
> > > > > I'm including a grep from my firewall log where it shows the hotmail IP,
> > > > > the source port, the destination port (where I blocked the access) and how
> > > > > many times the hotmail IP tried. So what's going on? Is hotmail trojaned or
> > > > > something? Am I just missing something important here?
> > > > >
> > > > > 64.4.55.73 25 8546 6
> > > > > 64.4.55.171 25 10273 6
> > > > > 64.4.42.33 25 18839 11
> > > > > 64.4.49.144 25 44093 11
> > > > > 64.4.56.229 25 42600 7
> > > > > 64.4.56.203 25 11097 6
> > > > > 64.4.56.176 25 21336 5
> > > > > 64.4.55.20 25 40832 10
> > > > > 64.4.55.155 25 47103 11
> > > > > 64.4.42.30 25 29489 11
> > > > > 64.4.50.13 25 48844 11
> > > > > 64.4.56.226 25 23369 6
> > > > >
> > > > > Joshua Jore
> > > > > Minneapolis Ward 3, precinct 10
> > > > >   "The irony of this man being imprisoned in the United States and longing
> > > > > to return to once-Communist Russia so he can regain his right to free
> > > > > speech is simply staggering." - someone else
> > > > >
> > > > > _______________________________________________
> > > > > tclug-list mailing list
> > > > > tclug-list at mn-linux.org
> > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > >
> > > >
> > > >
> > >
> > >
> >
> > --
> > Imagination is intelligence having fun...
> > e-mail:  kethry at winternet.com
> > URL:  http://WWW.winternet.com/~kethry/index.html
> >
> >
>
>
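
The summary quoted in the original post (source IP, source port, destination port, count) can be rebuilt from raw firewall lines with one extra column that the thread's question turns on: whether each blocked packet was a bare SYN, which opens a connection, or carried ACK/RST, which cannot start one. This is an added example, not code from anyone in the thread; it assumes iptables-style LOG lines, which the thread never shows, and the sample lines, their TCP flags, and the 192.0.2.10 and 203.0.113.9 addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in iptables LOG style (assumption: the thread never names
# the firewall or shows raw lines). The flags here are invented for illustration
# and say nothing about what the real packets carried.
SAMPLE_LOG = """\
Aug 22 19:58:01 fw kernel: BLOCKED IN=eth0 OUT= SRC=64.4.55.73 DST=192.0.2.10 PROTO=TCP SPT=25 DPT=8546 WINDOW=8760 RES=0x00 ACK SYN URGP=0
Aug 22 19:58:04 fw kernel: BLOCKED IN=eth0 OUT= SRC=64.4.55.73 DST=192.0.2.10 PROTO=TCP SPT=25 DPT=8546 WINDOW=8760 RES=0x00 ACK SYN URGP=0
Aug 22 19:59:10 fw kernel: BLOCKED IN=eth0 OUT= SRC=64.4.42.33 DST=192.0.2.10 PROTO=TCP SPT=25 DPT=18839 WINDOW=0 RES=0x00 RST URGP=0
Aug 22 20:01:30 fw kernel: BLOCKED IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=25 DPT=8025 WINDOW=512 RES=0x00 SYN URGP=0
Aug 22 20:02:00 fw kernel: BLOCKED IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1031 LEN=80
"""

FIELDS = re.compile(r"\b(SRC|SPT|DPT|PROTO)=(\S+)")
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]{3} )*)URGP=")  # e.g. "ACK SYN "

def parse(line):
    """Return (src, spt, dpt, flags) for a TCP log line, else None."""
    f = dict(FIELDS.findall(line))
    m = FLAGS.search(line)
    if f.get("PROTO") != "TCP" or not m or not {"SRC", "SPT", "DPT"} <= f.keys():
        return None
    return f["SRC"], int(f["SPT"]), int(f["DPT"]), frozenset(m.group(1).split())

def kind(flags):
    """A bare SYN opens a connection; any other flag mix cannot start one."""
    if "SYN" in flags and not flags & {"ACK", "RST", "FIN"}:
        return "opener"
    return "non-opener"

def summarize(log):
    """Rows of (src, spt, dpt, count, kinds): the post's table plus packet kind."""
    rows = defaultdict(lambda: [0, set()])
    for line in log.splitlines():
        rec = parse(line)
        if rec:
            src, spt, dpt, flags = rec
            rows[(src, spt, dpt)][0] += 1
            rows[(src, spt, dpt)][1].add(kind(flags))
    return [(s, sp, dp, n, sorted(k)) for (s, sp, dp), (n, k) in sorted(rows.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```
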