The guy below said this:

> ARIN
> > block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't

64.1.x.x is in this range. It is owned by XO.

Tom Veldhouse
veldy at veldy.net

----- Original Message -----
From: "Mark K" <mkroska at readynetgo.com>
To: <tclug-list at mn-linux.org>
Sent: Friday, August 24, 2001 10:00 AM
Subject: Re: [TCLUG] hotmail servers scanning...

> Yes, but the 64.4.x.x is owned by Hotmail...
> MS Hotmail (NETBLK-HOTMAIL)
> 1065 La Avenida
> Mountain View, CA 94043
> US
>
> Netname: HOTMAIL
> Netblock: 64.4.0.0 - 64.4.63.255
>
> Coordinator:
> Myers, Michael (MM520-ARIN) icon at HOTMAIL.COM
> 650-693-7072
>
> Domain System inverse mapping provided by:
>
> NS1.HOTMAIL.COM 216.200.206.140
> NS3.HOTMAIL.COM 209.185.130.68
>
> Record last updated on 09-Jan-2001.
> Database last updated on 23-Aug-2001 23:14:12 EDT.
>
> <from that nifty ARIN tool...http://www.arin.net/whois/index.html>
>
> MK
>
> On Fri, 24 Aug 2001, Thomas T. Veldhouse wrote:
>
> > This block is not all Hotmail. At least some of these (i.e. 64.1.x.x is XO)
> > communications.
> >
> > Tom Veldhouse
> > veldy at veldy.net
> >
> > ----- Original Message -----
> > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > To: <tclug-list at mn-linux.org>
> > Sent: Thursday, August 23, 2001 10:12 AM
> > Subject: Re: [TCLUG] hotmail servers scanning...
> >
> > > Hmm... I wouldn't think Hotmail would portscan unrelated IPs to find SMTP
> > > relays on weird ports. Or did Hotmail turn into an ISP when I wasn't
> > > watching?
> > > It's just weirdly coordinated - all these different IPs within the same ARIN
> > > block 64.0.0 - 64.4.63.255 looking at random ports. Dshield hasn't recognized
> > > any IPs I've fed it so I'm not sure what to make of it. I might just phone
> > > the contact for the ARIN block at Hotmail and see if he knows what's going on.
> > >
> > > Joshua Jore
> > > Minneapolis Ward 3, precinct 10
> > > "The irony of this man being imprisoned in the United States and longing
> > > to return to once-Communist Russia so he can regain his right to free
> > > speech is simply staggering." - someone else
> > >
> > > On Thu, 23 Aug 2001, Liz Burke-Scovill wrote:
> > >
> > > > Hey, Josh -
> > > >
> > > > I don't know if this means anything, but while I was working on locking
> > > > down SMTP over here, we were alerted to the problem because earthlink was
> > > > doing scans to make sure we didn't have any open SMTP relays - not always
> > > > on the standard port...perhaps hotmail's doing the same thing OR someone
> > > > going through hotmail is trying to find an opening to spam from?
> > > >
> > > > Liz
> > > >
> > > > On Thu, 23 Aug 2001, Joshua b. Jore wrote:
> > > >
> > > > > Nope, the box getting the connections is MS-free. The only reason
> > > > > hotmail should be talking to my box is to deliver mail or do DNS in the
> > > > > service of mail. In that case I should see connections *to* ports 25 and 53,
> > > > > not *from* 25. It's an idea tho. I just don't use MSN Messenger.
> > > > >
> > > > > Joshua Jore
> > > > > Minneapolis Ward 3, precinct 10
> > > > > "The irony of this man being imprisoned in the United States and longing
> > > > > to return to once-Communist Russia so he can regain his right to free
> > > > > speech is simply staggering." - someone else
> > > > >
> > > > > On Thu, 23 Aug 2001, doug wrote:
> > > > >
> > > > > > Are you logged on to msn messenger or logged into the hotmail service on any
> > > > > > machine? I'm not sure if messenger uses port 25 for anything or not (believe
> > > > > > it does), but I know it does use non-standard ports as well. I'd find it
> > > > > > hard to believe it's trojaned and snooping you but then again it's M$ so who
> > > > > > really knows what's going on there ;-)
> > > > > > ----- Original Message -----
> > > > > > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > > > > > To: <tclug-list at mn-linux.org>
> > > > > > Sent: Wednesday, August 22, 2001 8:03 PM
> > > > > > Subject: [TCLUG] hotmail servers scanning...
> > > > > >
> > > > > > > Just a general issue, I've noticed a few IPs from the hotmail.com IP range
> > > > > > > doing some curious scanning. The same IP will try several times to connect to
> > > > > > > a specific high port and it's always sourced from the smtp port.
> > > > > > >
> > > > > > > I'm including a grep from my firewall log where it shows the hotmail IP, the
> > > > > > > source port, the destination port (where I blocked the access) and how many
> > > > > > > times the hotmail IP tried. So what's going on? Is hotmail trojaned or
> > > > > > > something? Am I just missing something important here?
> > > > > > >
> > > > > > > 64.4.55.73 25 8546 6
> > > > > > > 64.4.55.171 25 10273 6
> > > > > > > 64.4.42.33 25 18839 11
> > > > > > > 64.4.49.144 25 44093 11
> > > > > > > 64.4.56.229 25 42600 7
> > > > > > > 64.4.56.203 25 11097 6
> > > > > > > 64.4.56.176 25 21336 5
> > > > > > > 64.4.55.20 25 40832 10
> > > > > > > 64.4.55.155 25 47103 11
> > > > > > > 64.4.42.30 25 29489 11
> > > > > > > 64.4.50.13 25 48844 11
> > > > > > > 64.4.56.226 25 23369 6
> > > > > > >
> > > > > > > Joshua Jore
> > > > > > > Minneapolis Ward 3, precinct 10
> > > > > > > "The irony of this man being imprisoned in the United States and longing
> > > > > > > to return to once-Communist Russia so he can regain his right to free
> > > > > > > speech is simply staggering." - someone else
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > tclug-list mailing list
> > > > > > > tclug-list at mn-linux.org
> > > > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > >
> > > > --
> > > > Imagination is intelligence having fun...
> > > > e-mail: kethry at winternet.com
> > > > URL: http://WWW.winternet.com/~kethry/index.html
>
> --
> ________________________________________________________
> ReadyNET Go!, Inc. - Building your Business on the net
> ________________________________________________________
>
> Mark J. Kroska
> MIS Director
>
> 320.656.0765 Voice
> 888.447.3239 Toll Free
> 320.203.7052 Fax
> http://www.readynetgo.com
> mailto:mkroska at readynetgo.com
> ________________________________________________________
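
An added example, not part of the original thread: a Python check of the posted firewall summary against the netblock range in the quoted ARIN record, with a per-source count of destination ports. The function names and the sample address 64.1.2.3 are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Firewall summary posted in the thread: src IP, src port, dst port, attempts.
LOG = """\
64.4.55.73 25 8546 6
64.4.55.171 25 10273 6
64.4.42.33 25 18839 11
64.4.49.144 25 44093 11
64.4.56.229 25 42600 7
64.4.56.203 25 11097 6
64.4.56.176 25 21336 5
64.4.55.20 25 40832 10
64.4.55.155 25 47103 11
64.4.42.30 25 29489 11
64.4.50.13 25 48844 11
64.4.56.226 25 23369 6
"""
# Netblock range from the ARIN record quoted in the thread, as CIDR networks.
HOTMAIL = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("64.4.0.0"), ipaddress.ip_address("64.4.63.255")))

def in_block(ip, nets=HOTMAIL):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def parse(log=LOG):
    rows = [line.split() for line in log.splitlines()]
    # Keep only well-formed four-field lines; blank or malformed ones are skipped.
    return [(r[0], int(r[1]), int(r[2]), int(r[3])) for r in rows if len(r) == 4]

def summarize(rows):
    # A sweep shows many destination ports per source address.
    ports_by_src = defaultdict(set)
    for ip, _sport, dport, _n in rows:
        ports_by_src[ip].add(dport)
    return {
        "sources": len(ports_by_src),
        "attempts": sum(n for *_, n in rows),
        "all_in_block": all(in_block(ip) for ip, *_ in rows),
        "all_from_smtp": all(sport == 25 for _, sport, _, _ in rows),
        "all_high_dport": all(dport >= 1024 for _, _, dport, _ in rows),
        "max_ports_per_source": max(len(p) for p in ports_by_src.values()),
    }

# 64.1.2.3 is a constructed address standing in for the 64.1.x.x range.
print(summarize(parse()), in_block("64.1.2.3"))
```

Every logged source falls inside the 64.4.0.0 - 64.4.63.255 range from the ARIN record, each one targets a single high destination port, and an address in 64.1.x.x lies outside that range.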