plawrence5
Level 7

Risky connection resolves to Microsoft/Ottawa?

I have recently received several "Risky Connection Blocked" messages for IP address 131.253.61.64. SiteAdvisor shows it in the red, but a "whois" resolves to a Microsoft address in Ottawa. How do I find out why my machine is attempting to connect to this IP address and what it is? (I am in Arizona, so it doesn't make sense unless Microsoft is hosting one of the Windows 8 apps or services in Ottawa or something...)

Thanks!

43 Replies
Hayton
Level 18

Re: Risky connection resolves to Microsoft/Ottawa?

Interesting. The WhoIs information for that IP address indicates that it is one of a whole range of addresses allocated to Microsoft (131.253.61.0 - 131.253.255.255). The registration information appears to be correct. The ISP for that address is Northern Telecom, of Ottawa (so not one of your hole-in-the-wall ISPs).

That said, the address is reported here as a phishing site. If the address has been reported incorrectly Microsoft aren't going to be pleased. If the report is correct, and someone is impersonating Microsoft and running a convincing fake Microsoft website on that server, Microsoft are going to be madder 'n hell.

All we have at the moment is an IP address, no website URL. I don't suppose you got that far? If not, I suppose I'll have to walk into the lion's den to find out if it's got a lion in it

Message was edited by: Hayton on 16/06/13 19:04:51 IST
dsusa
Level 7

Re: Risky connection resolves to Microsoft/Ottawa?

I am in NJ, USA, got "Risky Connection Blocked" message for 131.253.61.64 and 131.253.61.70 so far.

I have blocked "Microsoft Windows Live ID Service" program on my machine for a while as a precaution.

Hayton
Level 18

Re: Risky connection resolves to Microsoft/Ottawa?

Best thing to do for now, I think.  I've just come off a highly unsatisfactory Live Chat session with someone via the Microsoft Support site - probably in a distant call-centre in Mumbai. All I got out of that was, "Call your local Microsoft office in the morning". Yeah, right. On one of the high-cost dial codes.

I'll send an email. I've got a screenshot of the landing page, complete with glowing Red SiteAdvisor symbol AND a Red warning from WOT.

Oddly, the connection to the server is made via http: (and hence insecure).  At the bottom of the landing page is an option to use SSL, so I selected it. The page reloaded with an SSL (secure) connection, and a Green SiteAdvisor symbol. My guess is that I was automatically redirected to a local (UK) Microsoft server. The digital certificate for that webpage showed it to be a genuine Microsoft page.

Still doesn't mean that the Ottawa server isn't hosting a fake or compromised webpage.

Oh, all right, here's what it looked like. It certainly looks like the real thing. Very convincing.

[Attached screenshot: Fake Microsoft phishing site.jpg]

Message was edited by: Hayton : add note about WOT warning - on 16/06/13 19:42:51 IST
0 Kudos
Hayton
Level 18

Re: Risky connection resolves to Microsoft/Ottawa?

SiteAdvisor is getting the Red rating from TrustedSource. WOT is setting its Red rating based on a report from PhishTank, so I bet TrustedSource is doing the same. And PhishTank? They got their information from Clean-MX.

Oh, dear .... I think Microsoft may get very annoyed with Clean-MX. This looks like a false positive. Clean-MX seems to have a very high ratio of those, judging by a couple of write-ups I came across (okay, that's a very small sample. I'm still looking.)

http://www.boredomsoft.org/clean-mx.bs

http://www.bluetack.co.uk/forums/index.php?showtopic=20173

I'll let Microsoft sort this one out, I think.

Edit (later) :

Actually, no. It's wrong to blame Clean-MX here. They had a report about this IP address - just one, it's never appeared on their list before or since. That was on the 8th of June, and it lasted exactly 42 minutes before it was countermanded. The case is Closed, according to their report.

http://support.clean-mx.de/clean-mx/phishing.php?id=3365484

So the blame shifts to PhishTank (and perhaps others) for not reacting to the change of status from Red to Green on Clean-MX. Oh, I do hope someone from Microsoft gets to read this. Site and IP address false positives should be corrected as early as possible, as far up the chain as possible, and the correction should be propagated to all the programs that picked up the original warning. Sadly, that does not appear to happen, at least not efficiently.

Message was edited by: Hayton on 16/06/13 20:20:58 IST
0 Kudos
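The post above describes a reputation chain (Clean-MX to PhishTank to TrustedSource/SiteAdvisor and WOT) in which a report that was closed upstream after 42 minutes kept circulating downstream. The following is an added illustration, not code from this thread or from any of the services named in it, of the difference between a feed consumer that only ever ingests additions and one that reconciles each source's latest event and expires stale reports. All events, the second source name and the second IP (a documentation address) are constructed for the example; the source names, timestamps and TTL are assumptions.

```python
"""Model of a blocklist assembled from upstream reputation feeds.

Added example for illustration; it is not the code of any vendor named
in the thread. Event data below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Event:
    source: str      # feed that emitted the event (assumed names)
    ip: str          # address the event is about
    at: datetime     # when the feed published it
    action: str      # "report" (flag as phishing) or "close" (case closed / retracted)


def latest_state(events, now):
    """Per (source, ip), keep only the most recent event published up to `now`."""
    state = {}
    for e in sorted(events, key=lambda e: e.at):
        if e.at <= now:
            state[(e.source, e.ip)] = e
    return state


def additive_blocklist(events):
    """The failure mode the thread describes: additions are ingested, closures never are."""
    return {e.ip for e in events if e.action == "report"}


def reconciled_blocklist(events, now, ttl):
    """Block only IPs whose latest event from some source is an unexpired 'report'."""
    blocked = set()
    for (_source, ip), e in latest_state(events, now).items():
        if e.action == "report" and now - e.at <= ttl:
            blocked.add(ip)
    return blocked


def open_sources(events, ip, now, ttl):
    """Which sources still hold an open, unexpired report for `ip` (triage helper)."""
    return sorted(
        source
        for (source, evt_ip), e in latest_state(events, now).items()
        if evt_ip == ip and e.action == "report" and now - e.at <= ttl
    )


def in_allocation(ip, first, last):
    """True if `ip` lies inside the inclusive range first..last (e.g. a whois allocation)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


# Constructed sample timeline. The 42-minute window echoes the upstream case
# described in the thread; the mirrored report and second IP are invented.
T0 = datetime(2013, 6, 8, 12, 0)
EVENTS = [
    Event("clean-mx", "131.253.61.64", T0, "report"),
    Event("clean-mx", "131.253.61.64", T0 + timedelta(minutes=42), "close"),
    Event("phishtank", "131.253.61.64", T0 + timedelta(minutes=5), "report"),  # mirrored, never closed
    Event("clean-mx", "198.51.100.7", T0 + timedelta(days=1), "report"),      # genuinely open case
]

if __name__ == "__main__":
    now = T0 + timedelta(hours=1)
    print("additive:", additive_blocklist(EVENTS))
    print("reconciled:", reconciled_blocklist(EVENTS, now, timedelta(days=7)))
    print("still open for .64:", open_sources(EVENTS, "131.253.61.64", now, timedelta(days=7)))
    print("inside Microsoft allocation:", in_allocation("131.253.61.64", "131.253.61.0", "131.253.255.255"))
```

The reconciled consumer still blocks the address an hour in, because the mirrored feed never closed its copy; the TTL is what eventually clears it. The `in_allocation` check is the whois step from earlier in the thread, useful as one input to a manual review of a block rather than as a reason to whitelist on its own.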
plawrence5
Level 7

Re: Risky connection resolves to Microsoft/Ottawa?

Thanks for chasing after this one! I submitted to Microsoft's board as well and was told to ask McAfee... typical of them. They didn't even bother to tell me whether they agree it's theirs or what it might be used for. I also got blocked for the .70 address mentioned by dsusa above, on a different computer. I suppose I can block the Live ID service and see what that affects. Never sure with all the hooks Win8 and Office-from-the-cloud have back to Microsoft to make things run!

0 Kudos
Hayton
Level 18

Re: Risky connection resolves to Microsoft/Ottawa?

This gets murkier the deeper I dig into it.

According to various domain tools, the original IP address used to host "mail.ttscvn.com". Details for that site have now been removed, but it shared the server with these sites -

entrar.animalog.com.br

login.live.com

login.live.com.nsatc.net

mail.ftplasia.com

mail.ttscvn.com

studentemail.enmu.edu

studentmail.ed-coll.ac.uk

Does that look like a Microsoft server to you? No, me neither. Except it probably is. Here's the source of that info -

http://webcache.googleusercontent.com/search?q=cache:kp5NvvFw31wJ:host.robtex.com/mail.ttscvn.com.ht...

http://ip.robtex.com/131.253.61.64.html

Things may have changed slightly. The latest information from http://www.ip-adress.com/reverse_ip/131.253.61.64 shows these domains on the server -

[Attached screenshot: 131.253.61.64 Reverse IP Lookup Results.png]

Those do look like Microsoft domains, and the ones I checked have a valid Microsoft digital certificate and a secure https: connection.

The internet organisational graph shows mail.ttscvn.com resolves to AS8075, which is Microsoft (http://as.robtex.com/as8075.html)

It begins to look as if the IP address, the server and the domains all belong to or are connected with Microsoft ...

.. and then everything goes murky again, and the doubt re-appears. One of the host names sharing this suspect IP address is "login.live.com.nsatc.net". For this, see the following -

http://pop.dnstree.com/com/live/login/

http://dnstree.com/com/hotmailbcn/

All well and good, except that http://www.ip-adress.com/whois/hotmailbcn.com shows this is another login page hosted on a server (131.253.61.82) in Ottawa; and if you try to go to "hotmailbcn.com" in Google Chrome you will encounter this page -

[Attached screenshot: Another Microsoft phishing site.png]

At which point I gave up. The servers are, or are not, Microsoft servers. They do, or do not, host phishing sites. They should, or should not, be blocked. It's all as clear as mud.

Message was edited by: Hayton on 16/06/13 23:44:36 IST
exbrit
Level 21

Re: Risky connection resolves to Microsoft/Ottawa?

I just got 3 warnings in as many seconds each with a different IP but all Ottawa.

Here's the URL given for one McAfee report page.

Not too concerned except the thought that it may be genuine and I should have somehow allowed it although never given that chance.

Not listed in Security History by the way.

Message was edited by: Ex_Brit on 16/06/13 9:44:00 EDT PM
plawrence5
Level 7

Re: Risky connection resolves to Microsoft/Ottawa?

Yes, I got that IP address on my laptop and, just like you, I did not find it in my security history. Strange.

0 Kudos
Bilbo_1405
Level 7

Re: Risky connection resolves to Microsoft/Ottawa?

Hi, I'm also reporting that my laptop received this same issue. Windows Live Update risky.
Two times so far. Not coming up in the McAfee history of incoming blocked.
Also not happening, as far as I know, on my desktop.

McAfee popup directed me to this :
http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=131.253.61.64

0 Kudos