That is, some of the block belongs to XO communications -- in particular,
its DSL users :)

Tom Veldhouse
veldy at veldy.net

----- Original Message -----
From: "Thomas T. Veldhouse" <veldy at veldy.net>
To: <tclug-list at mn-linux.org>
Sent: Friday, August 24, 2001 7:48 AM
Subject: Re: [TCLUG] hotmail servers scanning...


> This block is not all Hotmail.  At least some of these (i.e. 64.1.x.x is
XO)
> communications.
>
> Tom Veldhouse
> veldy at veldy.net
>
> ----- Original Message -----
> From: "Joshua b. Jore" <josh at greentechnologist.org>
> To: <tclug-list at mn-linux.org>
> Sent: Thursday, August 23, 2001 10:12 AM
> Subject: Re: [TCLUG] hotmail servers scanning...
>
>
> > Hmm... I wouldn't think Hotmail would portscan unrelated IPs to find
SMTP
> > relays on wierd ports. Or did Hotmail turn into an ISP when I wasn't
> watching?
> > It's just wierdly coordinated - all these different IPs within the same
> ARIN
> > block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't
> recognized
> > any IPs I've fed it so I'm not sure what to make of it. I might just
phone
> > the contact for the ARIN block at Hotmail and see if he knows what's
going
> on.
> >
> > Joshua Jore
> > Minneapolis Ward 3, precinct 10
> >   "The irony of this man being imprisoned in the United States and
longing
> > to return to once-Communist Russia so he can regain his right to free
> > speech is simply staggering." - someone else
> >
> > On Thu, 23 Aug 2001, Liz Burke-Scovill wrote:
> >
> > >
> > > Hey, Josh -
> > >
> > > I don't know if this means anything, but while I was working on
locking
> > > down SMTP over here, we were alerted to the problem because earthlink
> was
> > > doing scans to make sure we didn't have any open SMTP relays - not
> always
> > > on the standard port...perhaps hotmail's doing the same thing OR
someone
> > > going through hotmail is trying to find an opening to spam from?
> > >
> > > Liz
> > >
> > > On Thu, 23 Aug 2001, Joshua b. Jore wrote:
> > >
> > > > Nope, the box getting the connections is MS-free. The only reason
> hotmail shoudl be talking to my box is to deliver mail or do DNS in the
> service of mail. In that case I should see connections *to* ports 25 and
53,
> not *from* 25. It's an idea tho. I just don't use MSN Messenger.
> > > >
> > > > Joshua Jore
> > > > Minneapolis Ward 3, precinct 10
> > > >   "The irony of this man being imprisoned in the United States and
> longing
> > > > to return to once-Communist Russia so he can regain his right to
free
> > > > speech is simply staggering." - someone else
> > > >
> > > > On Thu, 23 Aug 2001, doug wrote:
> > > >
> > > > > Are you logged on to msn messenger or logged into the hotmail
> service on any
> > > > > machine? I'm not sure if messenger uses port 25 for anything or
not
> (believe
> > > > > it does), but I know it does use non-standard ports as well. I'd
> find it
> > > > > hard to believe it's trojaned and snooping you but then again it's
> M$ so who
> > > > > really knows what's going on there ;-)
> > > > > ----- Original Message -----
> > > > > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > > > > To: <tclug-list at mn-linux.org>
> > > > > Sent: Wednesday, August 22, 2001 8:03 PM
> > > > > Subject: [TCLUG] hotmail servers scanning...
> > > > >
> > > > >
> > > > > > Just a general issue, I've noticed a few IPs from the
hotmail.com
> IP range
> > > > > > doing some curious scanning. The same IP will try several times
to
> connect
> > > > > to
> > > > > > a specific high port and it's always sourced from the smtp port.
> > > > > >
> > > > > > I'm including a grep from my firewall log where it shows the
> hotmail IP,
> > > > > the
> > > > > > source port, the destination port (where I blocked the access)
and
> how
> > > > > many
> > > > > > times the hotmail IP tried. So what's going on? Is hotmail
> trojaned or
> > > > > > something? Am I just missing something important here?
> > > > > >
> > > > > > 64.4.55.73 25 8546 6
> > > > > > 64.4.55.171 25 10273 6
> > > > > > 64.4.42.33 25 18839 11
> > > > > > 64.4.49.144 25 44093 11
> > > > > > 64.4.56.229 25 42600 7
> > > > > > 64.4.56.203 25 11097 6
> > > > > > 64.4.56.176 25 21336 5
> > > > > > 64.4.55.20 25 40832 10
> > > > > > 64.4.55.155 25 47103 11
> > > > > > 64.4.42.30 25 29489 11
> > > > > > 64.4.50.13 25 48844 11
> > > > > > 64.4.56.226 25 23369 6
> > > > > >
> > > > > > Joshua Jore
> > > > > > Minneapolis Ward 3, precinct 10
> > > > > >   "The irony of this man being imprisoned in the United States
and
> longing
> > > > > > to return to once-Communist Russia so he can regain his right to
> free
> > > > > > speech is simply staggering." - someone else
> > > > > >
> > > > > > _______________________________________________
> > > > > > tclug-list mailing list
> > > > > > tclug-list at mn-linux.org
> > > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > > >
> > > > >
> > > > > _______________________________________________
> > > > > tclug-list mailing list
> > > > > tclug-list at mn-linux.org
> > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > >
> > > >
> > > > _______________________________________________
> > > > tclug-list mailing list
> > > > tclug-list at mn-linux.org
> > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > >
> > >
> > > --
> > > Imagination is intelligence having fun...
> > > e-mail:  kethry at winternet.com
> > > URL:  http://WWW.winternet.com/~kethry/index.html
> > >
> > > _______________________________________________
> > > tclug-list mailing list
> > > tclug-list at mn-linux.org
> > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > >
> >
> > _______________________________________________
> > tclug-list mailing list
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>