The guy below said this:

> ARIN
> > block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't

64.1.x.x is in this range.  It is owned by XO.

Tom Veldhouse
veldy at veldy.net

----- Original Message -----
From: "Mark K" <mkroska at readynetgo.com>
To: <tclug-list at mn-linux.org>
Sent: Friday, August 24, 2001 10:00 AM
Subject: Re: [TCLUG] hotmail servers scanning...


> Yes, but the 64.4.x.x is owned by Hotmail...
> MS Hotmail (NETBLK-HOTMAIL)
>    1065 La Avenida
>    Mountain View, CA 94043
>    US
>
>    Netname: HOTMAIL
>    Netblock: 64.4.0.0 - 64.4.63.255
>
>    Coordinator:
>       Myers, Michael  (MM520-ARIN)  icon at HOTMAIL.COM
>       650-693-7072
>
>    Domain System inverse mapping provided by:
>
>    NS1.HOTMAIL.COM 216.200.206.140
>    NS3.HOTMAIL.COM 209.185.130.68
>
>    Record last updated on 09-Jan-2001.
>    Database last updated on 23-Aug-2001 23:14:12 EDT.
>
>
> <from that nifty ARIN tool...http://www.arin.net/whois/index.html>
>
> MK
>
>
> On Fri, 24 Aug 2001, Thomas T. Veldhouse wrote:
>
> > This block is not all Hotmail.  At least some of these (i.e. 64.1.x.x is
XO)
> > communications.
> >
> > Tom Veldhouse
> > veldy at veldy.net
> >
> > ----- Original Message -----
> > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > To: <tclug-list at mn-linux.org>
> > Sent: Thursday, August 23, 2001 10:12 AM
> > Subject: Re: [TCLUG] hotmail servers scanning...
> >
> >
> > > Hmm... I wouldn't think Hotmail would portscan unrelated IPs to find
SMTP
> > > relays on wierd ports. Or did Hotmail turn into an ISP when I wasn't
> > watching?
> > > It's just wierdly coordinated - all these different IPs within the
same
> > ARIN
> > > block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't
> > recognized
> > > any IPs I've fed it so I'm not sure what to make of it. I might just
phone
> > > the contact for the ARIN block at Hotmail and see if he knows what's
going
> > on.
> > >
> > > Joshua Jore
> > > Minneapolis Ward 3, precinct 10
> > >   "The irony of this man being imprisoned in the United States and
longing
> > > to return to once-Communist Russia so he can regain his right to free
> > > speech is simply staggering." - someone else
> > >
> > > On Thu, 23 Aug 2001, Liz Burke-Scovill wrote:
> > >
> > > >
> > > > Hey, Josh -
> > > >
> > > > I don't know if this means anything, but while I was working on
locking
> > > > down SMTP over here, we were alerted to the problem because
earthlink
> > was
> > > > doing scans to make sure we didn't have any open SMTP relays - not
> > always
> > > > on the standard port...perhaps hotmail's doing the same thing OR
someone
> > > > going through hotmail is trying to find an opening to spam from?
> > > >
> > > > Liz
> > > >
> > > > On Thu, 23 Aug 2001, Joshua b. Jore wrote:
> > > >
> > > > > Nope, the box getting the connections is MS-free. The only reason
> > hotmail shoudl be talking to my box is to deliver mail or do DNS in the
> > service of mail. In that case I should see connections *to* ports 25 and
53,
> > not *from* 25. It's an idea tho. I just don't use MSN Messenger.
> > > > >
> > > > > Joshua Jore
> > > > > Minneapolis Ward 3, precinct 10
> > > > >   "The irony of this man being imprisoned in the United States and
> > longing
> > > > > to return to once-Communist Russia so he can regain his right to
free
> > > > > speech is simply staggering." - someone else
> > > > >
> > > > > On Thu, 23 Aug 2001, doug wrote:
> > > > >
> > > > > > Are you logged on to msn messenger or logged into the hotmail
> > service on any
> > > > > > machine? I'm not sure if messenger uses port 25 for anything or
not
> > (believe
> > > > > > it does), but I know it does use non-standard ports as well. I'd
> > find it
> > > > > > hard to believe it's trojaned and snooping you but then again
it's
> > M$ so who
> > > > > > really knows what's going on there ;-)
> > > > > > ----- Original Message -----
> > > > > > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > > > > > To: <tclug-list at mn-linux.org>
> > > > > > Sent: Wednesday, August 22, 2001 8:03 PM
> > > > > > Subject: [TCLUG] hotmail servers scanning...
> > > > > >
> > > > > >
> > > > > > > Just a general issue, I've noticed a few IPs from the
hotmail.com
> > IP range
> > > > > > > doing some curious scanning. The same IP will try several
times to
> > connect
> > > > > > to
> > > > > > > a specific high port and it's always sourced from the smtp
port.
> > > > > > >
> > > > > > > I'm including a grep from my firewall log where it shows the
> > hotmail IP,
> > > > > > the
> > > > > > > source port, the destination port (where I blocked the access)
and
> > how
> > > > > > many
> > > > > > > times the hotmail IP tried. So what's going on? Is hotmail
> > trojaned or
> > > > > > > something? Am I just missing something important here?
> > > > > > >
> > > > > > > 64.4.55.73 25 8546 6
> > > > > > > 64.4.55.171 25 10273 6
> > > > > > > 64.4.42.33 25 18839 11
> > > > > > > 64.4.49.144 25 44093 11
> > > > > > > 64.4.56.229 25 42600 7
> > > > > > > 64.4.56.203 25 11097 6
> > > > > > > 64.4.56.176 25 21336 5
> > > > > > > 64.4.55.20 25 40832 10
> > > > > > > 64.4.55.155 25 47103 11
> > > > > > > 64.4.42.30 25 29489 11
> > > > > > > 64.4.50.13 25 48844 11
> > > > > > > 64.4.56.226 25 23369 6
> > > > > > >
> > > > > > > Joshua Jore
> > > > > > > Minneapolis Ward 3, precinct 10
> > > > > > >   "The irony of this man being imprisoned in the United States
and
> > longing
> > > > > > > to return to once-Communist Russia so he can regain his right
to
> > free
> > > > > > > speech is simply staggering." - someone else
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > tclug-list mailing list
> > > > > > > tclug-list at mn-linux.org
> > > > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > tclug-list mailing list
> > > > > > tclug-list at mn-linux.org
> > > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > > >
> > > > >
> > > > > _______________________________________________
> > > > > tclug-list mailing list
> > > > > tclug-list at mn-linux.org
> > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > > >
> > > >
> > > > --
> > > > Imagination is intelligence having fun...
> > > > e-mail:  kethry at winternet.com
> > > > URL:  http://WWW.winternet.com/~kethry/index.html
> > > >
> > > > _______________________________________________
> > > > tclug-list mailing list
> > > > tclug-list at mn-linux.org
> > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > >
> > >
> > > _______________________________________________
> > > tclug-list mailing list
> > > tclug-list at mn-linux.org
> > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > >
> >
> > _______________________________________________
> > tclug-list mailing list
> > tclug-list at mn-linux.org
> > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> >
>
> --
> ________________________________________________________
> ReadyNET Go!, Inc.  -  Building your Business on the net
> ________________________________________________________
>
> Mark J. Kroska
> MIS Director
>
> 320.656.0765 Voice
> 888.447.3239 Toll Free
> 320.203.7052 Fax
> http://www.readynetgo.com
> mailto:mkroska at readynetgo.com
> ________________________________________________________
>
>
>
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>