[TCLUG] hotmail servers scanning...

Fri Aug 24 10:00:02 CDT 2001

Yes, but the 64.4.x.x is owned by Hotmail...
MS Hotmail (NETBLK-HOTMAIL)
   1065 La Avenida
   Mountain View, CA 94043
   US

   Netname: HOTMAIL
   Netblock: 64.4.0.0 - 64.4.63.255

   Coordinator:
      Myers, Michael  (MM520-ARIN)  icon at HOTMAIL.COM
      650-693-7072

   Domain System inverse mapping provided by:

   NS1.HOTMAIL.COM		216.200.206.140
   NS3.HOTMAIL.COM		209.185.130.68

   Record last updated on 09-Jan-2001.
   Database last updated on 23-Aug-2001 23:14:12 EDT.

<from that nifty ARIN tool...http://www.arin.net/whois/index.html>

MK

On Fri, 24 Aug 2001, Thomas T. Veldhouse wrote:

> This block is not all Hotmail.  At least some of these (i.e. 64.1.x.x is XO)
> communications.
> 
> Tom Veldhouse
> veldy at veldy.net
> 
> ----- Original Message -----
> From: "Joshua b. Jore" <josh at greentechnologist.org>
> To: <tclug-list at mn-linux.org>
> Sent: Thursday, August 23, 2001 10:12 AM
> Subject: Re: [TCLUG] hotmail servers scanning...
> 
> 
> > Hmm... I wouldn't think Hotmail would portscan unrelated IPs to find SMTP
> > relays on wierd ports. Or did Hotmail turn into an ISP when I wasn't
> watching?
> > It's just wierdly coordinated - all these different IPs within the same
> ARIN
> > block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't
> recognized
> > any IPs I've fed it so I'm not sure what to make of it. I might just phone
> > the contact for the ARIN block at Hotmail and see if he knows what's going
> on.
> >
> > Joshua Jore
> > Minneapolis Ward 3, precinct 10
> >   "The irony of this man being imprisoned in the United States and longing
> > to return to once-Communist Russia so he can regain his right to free
> > speech is simply staggering." - someone else
> >
> > On Thu, 23 Aug 2001, Liz Burke-Scovill wrote:
> >
> > >
> > > Hey, Josh -
> > >
> > > I don't know if this means anything, but while I was working on locking
> > > down SMTP over here, we were alerted to the problem because earthlink
> was
> > > doing scans to make sure we didn't have any open SMTP relays - not
> always
> > > on the standard port...perhaps hotmail's doing the same thing OR someone
> > > going through hotmail is trying to find an opening to spam from?
> > >
> > > Liz
> > >
> > > On Thu, 23 Aug 2001, Joshua b. Jore wrote:
> > >
> > > > Nope, the box getting the connections is MS-free. The only reason
> hotmail shoudl be talking to my box is to deliver mail or do DNS in the
> service of mail. In that case I should see connections *to* ports 25 and 53,
> not *from* 25. It's an idea tho. I just don't use MSN Messenger.
> > > >
> > > > Joshua Jore
> > > > Minneapolis Ward 3, precinct 10
> > > >   "The irony of this man being imprisoned in the United States and
> longing
> > > > to return to once-Communist Russia so he can regain his right to free
> > > > speech is simply staggering." - someone else
> > > >
> > > > On Thu, 23 Aug 2001, doug wrote:
> > > >
> > > > > Are you logged on to msn messenger or logged into the hotmail
> service on any
> > > > > machine? I'm not sure if messenger uses port 25 for anything or not
> (believe
> > > > > it does), but I know it does use non-standard ports as well. I'd
> find it
> > > > > hard to believe it's trojaned and snooping you but then again it's
> M$ so who
> > > > > really knows what's going on there ;-)
> > > > > ----- Original Message -----
> > > > > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > > > > To: <tclug-list at mn-linux.org>
> > > > > Sent: Wednesday, August 22, 2001 8:03 PM
> > > > > Subject: [TCLUG] hotmail servers scanning...
> > > > >
> > > > >
> > > > > > Just a general issue, I've noticed a few IPs from the hotmail.com
> IP range
> > > > > > doing some curious scanning. The same IP will try several times to
> connect
> > > > > to
> > > > > > a specific high port and it's always sourced from the smtp port.
> > > > > >
> > > > > > I'm including a grep from my firewall log where it shows the
> hotmail IP,
> > > > > the
> > > > > > source port, the destination port (where I blocked the access) and
> how
> > > > > many
> > > > > > times the hotmail IP tried. So what's going on? Is hotmail
> trojaned or
> > > > > > something? Am I just missing something important here?
> > > > > >
> > > > > > 64.4.55.73 25 8546 6
> > > > > > 64.4.55.171 25 10273 6
> > > > > > 64.4.42.33 25 18839 11
> > > > > > 64.4.49.144 25 44093 11
> > > > > > 64.4.56.229 25 42600 7
> > > > > > 64.4.56.203 25 11097 6
> > > > > > 64.4.56.176 25 21336 5
> > > > > > 64.4.55.20 25 40832 10
> > > > > > 64.4.55.155 25 47103 11
> > > > > > 64.4.42.30 25 29489 11
> > > > > > 64.4.50.13 25 48844 11
> > > > > > 64.4.56.226 25 23369 6
> > > > > >
> > > > > > Joshua Jore
> > > > > > Minneapolis Ward 3, precinct 10
> > > > > >   "The irony of this man being imprisoned in the United States and
> longing
> > > > > > to return to once-Communist Russia so he can regain his right to
> free
> > > > > > speech is simply staggering." - someone else
> > > > > >
> > > > > > _______________________________________________
> > > > > > tclug-list mailing list
> > > > > > tclug-list at mn-linux.org
> > > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > > >
> > > > >
> > > > > _______________________________________________
> > > > > tclug-list mailing list
> > > > > tclug-list at mn-linux.org
> > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > >
> > > >
> > > > _______________________________________________
> > > > tclug-list mailing list
> > > > tclug-list at mn-linux.org
> > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > >
> > >
> > > --
> > > Imagination is intelligence having fun...
> > > e-mail:  kethry at winternet.com
> > > URL:  http://WWW.winternet.com/~kethry/index.html
> > >
> > > _______________________________________________
> > > tclug-list mailing list
> > > tclug-list at mn-linux.org
> > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > >
> >
> > _______________________________________________
> > tclug-list mailing list
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >
> 
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> 

-- 
________________________________________________________
ReadyNET Go!, Inc.  -  Building your Business on the net
________________________________________________________

Mark J. Kroska
MIS Director

320.656.0765 Voice
888.447.3239 Toll Free
320.203.7052 Fax
http://www.readynetgo.com
mailto:mkroska at readynetgo.com
________________________________________________________