Urk, I mis-spoke again. You'd think I never typed or something.
64.4.0.0 - 64.4.63.255. Also, in looking a little closer all the packets
come with the flags '-AFP'. Being a sensible type I only allow the S flag
for connections that don't already have a state. I've asked my firewall to
save the body of these scans so I'll share them when hotmail starts
scanning again. ;-)

Joshua Jore
Minneapolis Ward 3, precinct 10
"The irony of this man being imprisoned in the United States and longing
to return to once-Communist Russia so he can regain his right to free
speech is simply staggering." - someone else

On Fri, 24 Aug 2001, Joshua b. Jore wrote:

> Oh sorry, I mis-spoke. It's 64.4.0.0 - 64.4.53.255
>
> Joshua Jore
> Minneapolis Ward 3, precinct 10
> "The irony of this man being imprisoned in the United States and longing
> to return to once-Communist Russia so he can regain his right to free
> speech is simply staggering." - someone else
>
> On Fri, 24 Aug 2001, Thomas T. Veldhouse wrote:
>
> > This block is not all Hotmail. At least some of these (i.e. 64.1.x.x
> > is XO) communications.
> >
> > Tom Veldhouse
> > veldy at veldy.net
> >
> > ----- Original Message -----
> > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > To: <tclug-list at mn-linux.org>
> > Sent: Thursday, August 23, 2001 10:12 AM
> > Subject: Re: [TCLUG] hotmail servers scanning...
> >
> > > Hmm... I wouldn't think Hotmail would portscan unrelated IPs to find
> > > SMTP relays on weird ports. Or did Hotmail turn into an ISP when I
> > > wasn't watching? It's just weirdly coordinated - all these different
> > > IPs within the same ARIN block 64.0.0 - 64.4.63.255 looking at random
> > > ports. Dshield hasn't recognized any IPs I've fed it so I'm not sure
> > > what to make of it. I might just phone the contact for the ARIN block
> > > at Hotmail and see if he knows what's going on.
> > >
> > > Joshua Jore
> > > Minneapolis Ward 3, precinct 10
> > > "The irony of this man being imprisoned in the United States and longing
> > > to return to once-Communist Russia so he can regain his right to free
> > > speech is simply staggering." - someone else
> > >
> > > On Thu, 23 Aug 2001, Liz Burke-Scovill wrote:
> > >
> > > > Hey, Josh -
> > > >
> > > > I don't know if this means anything, but while I was working on
> > > > locking down SMTP over here, we were alerted to the problem because
> > > > earthlink was doing scans to make sure we didn't have any open SMTP
> > > > relays - not always on the standard port...perhaps hotmail's doing
> > > > the same thing OR someone going through hotmail is trying to find
> > > > an opening to spam from?
> > > >
> > > > Liz
> > > >
> > > > On Thu, 23 Aug 2001, Joshua b. Jore wrote:
> > > >
> > > > > Nope, the box getting the connections is MS-free. The only reason
> > > > > hotmail should be talking to my box is to deliver mail or do DNS
> > > > > in the service of mail. In that case I should see connections
> > > > > *to* ports 25 and 53, not *from* 25. It's an idea tho. I just
> > > > > don't use MSN Messenger.
> > > > >
> > > > > Joshua Jore
> > > > > Minneapolis Ward 3, precinct 10
> > > > > "The irony of this man being imprisoned in the United States and longing
> > > > > to return to once-Communist Russia so he can regain his right to free
> > > > > speech is simply staggering." - someone else
> > > > >
> > > > > On Thu, 23 Aug 2001, doug wrote:
> > > > >
> > > > > > Are you logged on to msn messenger or logged into the hotmail
> > > > > > service on any machine? I'm not sure if messenger uses port 25
> > > > > > for anything or not (believe it does), but I know it does use
> > > > > > non-standard ports as well. I'd find it hard to believe it's
> > > > > > trojaned and snooping you but then again it's M$ so who really
> > > > > > knows what's going on there ;-)
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Joshua b. Jore" <josh at greentechnologist.org>
> > > > > > To: <tclug-list at mn-linux.org>
> > > > > > Sent: Wednesday, August 22, 2001 8:03 PM
> > > > > > Subject: [TCLUG] hotmail servers scanning...
> > > > > >
> > > > > > > Just a general issue, I've noticed a few IPs from the
> > > > > > > hotmail.com IP range doing some curious scanning. The same IP
> > > > > > > will try several times to connect to a specific high port and
> > > > > > > it's always sourced from the smtp port.
> > > > > > >
> > > > > > > I'm including a grep from my firewall log where it shows the
> > > > > > > hotmail IP, the source port, the destination port (where I
> > > > > > > blocked the access) and how many times the hotmail IP tried.
> > > > > > > So what's going on? Is hotmail trojaned or something? Am I
> > > > > > > just missing something important here?
> > > > > > >
> > > > > > > 64.4.55.73 25 8546 6
> > > > > > > 64.4.55.171 25 10273 6
> > > > > > > 64.4.42.33 25 18839 11
> > > > > > > 64.4.49.144 25 44093 11
> > > > > > > 64.4.56.229 25 42600 7
> > > > > > > 64.4.56.203 25 11097 6
> > > > > > > 64.4.56.176 25 21336 5
> > > > > > > 64.4.55.20 25 40832 10
> > > > > > > 64.4.55.155 25 47103 11
> > > > > > > 64.4.42.30 25 29489 11
> > > > > > > 64.4.50.13 25 48844 11
> > > > > > > 64.4.56.226 25 23369 6
> > > > > > >
> > > > > > > Joshua Jore
> > > > > > > Minneapolis Ward 3, precinct 10
> > > > > > > "The irony of this man being imprisoned in the United States and longing
> > > > > > > to return to once-Communist Russia so he can regain his right to free
> > > > > > > speech is simply staggering." - someone else
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > tclug-list mailing list
> > > > > > > tclug-list at mn-linux.org
> > > > > > > https://mailman.mn-linux.org/mailman/listinfo/tclug-list
> > > >
> > > > --
> > > > Imagination is intelligence having fun...
> > > > e-mail: kethry at winternet.com
> > > > URL: http://WWW.winternet.com/~kethry/index.html
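
As an added example (not part of the original thread), the Python below checks the two address ranges given in the messages above against the source IPs in the quoted firewall log, and models the SYN-only rule for packets that have no existing state. The flag notation (one letter per set flag, '-' as filler) is an assumption about the firewall's log format.

```python
import ipaddress

# Rows from the firewall-log grep quoted in the thread:
# source IP, source port, destination port, number of attempts.
LOG_ROWS = """\
64.4.55.73 25 8546 6
64.4.55.171 25 10273 6
64.4.42.33 25 18839 11
64.4.49.144 25 44093 11
64.4.56.229 25 42600 7
64.4.56.203 25 11097 6
64.4.56.176 25 21336 5
64.4.55.20 25 40832 10
64.4.55.155 25 47103 11
64.4.42.30 25 29489 11
64.4.50.13 25 48844 11
64.4.56.226 25 23369 6
"""

def parse_rows(text):
    """Return (IPv4Address, sport, dport, attempts) tuples."""
    rows = []
    for line in text.split("\n"):
        if line.strip():
            ip, sport, dport, count = line.split()
            rows.append((ipaddress.IPv4Address(ip), int(sport), int(dport), int(count)))
    return rows

def range_to_cidrs(first, last):
    """Collapse an inclusive first-last range into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def outside(rows, cidrs):
    """Source IPs in rows that no block in cidrs covers."""
    return sorted({r[0] for r in rows if not any(r[0] in net for net in cidrs)})

def passes_without_state(flags):
    """Policy from the thread: with no state entry, only a bare SYN is allowed.
    Assumed log notation: one letter per set flag (S, A, F, P, R, U), '-' as filler."""
    return set(flags.upper()) - {"-"} == {"S"}

if __name__ == "__main__":
    rows = parse_rows(LOG_ROWS)
    for first, last in (("64.4.0.0", "64.4.53.255"), ("64.4.0.0", "64.4.63.255")):
        cidrs = range_to_cidrs(first, last)
        missed = outside(rows, cidrs)
        print(f"{first} - {last}: {[str(c) for c in cidrs]}, {len(missed)} logged IPs outside")
    print("total attempts:", sum(r[3] for r in rows))
    print("'-AFP' passes with no state:", passes_without_state("-AFP"))
```

The 64.4.0.0 - 64.4.63.255 range collapses to a single /18 that covers every logged source, while the 64.4.0.0 - 64.4.53.255 range leaves the 64.4.55.x and 64.4.56.x sources outside it.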