43 Replies Latest reply on May 13, 2015 7:29 PM by m_volto

    Risky connection resolves to Microsoft/Ottawa?

      I have recently received several "Risky Connection Blocked" messages for IP address 131.253.61.64. SiteAdvisor shows it in the red, but a "whois" resolves to a Microsoft address in Ottawa. How do I find out why my machine is attempting to connect to this IP address and what it is? (I am in Arizona, so it doesn't make sense unless Microsoft is hosting one of the Windows 8 apps or services in Ottawa or something...)

       

      Thanks!

        • 1. Re: Risky connection resolves to Microsoft/Ottawa?
          Hayton

          Interesting. The WhoIs information for that IP address indicates that it is one of a whole range of addresses allocated to Microsoft (131.253.61.0 - 131.253.255.255). The registration information appears to be correct. The ISP for that address is Northern Telecom, of Ottawa (so not one of your hole-in-the-wall ISPs).

           

          That said, the address is reported here as a phishing site. If the address has been reported incorrectly Microsoft aren't going to be pleased. If the report is correct, and someone is impersonating Microsoft and running a convincing fake Microsoft website on that server, Microsoft are going to be madder 'n hell.

           

All we have at the moment is an IP address, no website URL. I don't suppose you got that far? If not, I suppose I'll have to walk into the lion's den to find out if it's got a lion in it.

           

          Message was edited by: Hayton on 16/06/13 19:04:51 IST
          • 2. Re: Risky connection resolves to Microsoft/Ottawa?

I am in NJ, USA, got "Risky Connection Blocked" message for 131.253.61.64 and 131.253.61.70 so far.

I have blocked "Microsoft Windows Live ID Service" program on my machine for a while as a precaution.

            • 3. Re: Risky connection resolves to Microsoft/Ottawa?
              Hayton

              Best thing to do for now, I think.  I've just come off a highly unsatisfactory Live Chat session with someone via the Microsoft Support site - probably in a distant call-centre in Mumbai. All I got out of that was, "Call your local Microsoft office in the morning". Yeah, right. On one of the high-cost dial codes.

               

              I'll send an email. I've got a screenshot of the landing page, complete with glowing Red SiteAdvisor symbol AND a Red warning from WOT.

               

              Oddly, the connection to the server is made via http: (and hence insecure).  At the bottom of the landing page is an option to use SSL, so I selected it. The page reloaded with an SSL (secure) connection, and a Green SiteAdvisor symbol. My guess is that I was automatically redirected to a local (UK) Microsoft server. The digital certificate for that webpage showed it to be a genuine Microsoft page.

               

              Still doesn't mean that the Ottawa server isn't hosting a fake or compromised webpage.

               

              Oh, all right, here's what it looked like. It certainly looks like the real thing. Very convincing.

               

[Image: Fake Microsoft phishing site.jpg]

               

              Message was edited by: Hayton : add note about WOT warning - on 16/06/13 19:42:51 IST
              • 4. Re: Risky connection resolves to Microsoft/Ottawa?
                Hayton

                SiteAdvisor is getting the Red rating from TrustedSource. WOT is setting its Red rating based on a report from PhishTank, so I bet TrustedSource is doing the same. And PhishTank? They got their information from Clean-MX.

                 

                Oh, dear .... I think Microsoft may get very annoyed with Clean-MX. This looks like a false positive. Clean-MX seems to have a very high ratio of those, judging by a couple of write-ups I came across (okay, that's a very small sample. I'm still looking.)

                http://www.boredomsoft.org/clean-mx.bs

                http://www.bluetack.co.uk/forums/index.php?showtopic=20173

                 

                I'll let Microsoft sort this one out, I think.

                 

                Edit (later) :

Actually, no. It's wrong to blame Clean-MX here. They had a report about this IP address - just one, it's never appeared on their list before or since. That was on the 8th of June, and it lasted exactly 42 minutes before it was countermanded. The case is Closed, according to their report.

                http://support.clean-mx.de/clean-mx/phishing.php?id=3365484

                 

                So the blame shifts to PhishTank (and perhaps others) for not reacting to the change of status from Red to Green on Clean-MX. Oh, I do hope someone from Microsoft gets to read this. Site and IP address false positives should be corrected as early as possible, as far up the chain as possible, and the correction should be propagated to all the programs that picked up the original warning. Sadly, that does not appear to happen, at least not efficiently.

                 

                Message was edited by: Hayton on 16/06/13 20:20:58 IST
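The post above describes the chain by which one short-lived Clean-MX report reached PhishTank, TrustedSource/SiteAdvisor and WOT, and stayed Red downstream after Clean-MX had closed it 42 minutes later. The following is an added example (not code from McAfee, PhishTank, Clean-MX or anyone in this thread) of what a consumer of such feeds should do: re-check each locally blocked IP against the upstream record and drop entries the upstream has closed, never had, or has not refreshed recently. The feed format, the `FeedEntry` fields and the sample lines are constructed for the example; only 131.253.61.64 and the 42-minute window come from the thread, the other addresses are RFC 5737 documentation ranges.

```python
"""Reconcile a local IP blocklist against an upstream feed's current status.

Added example for this thread, not code from McAfee, PhishTank or Clean-MX.
The feed format (ip,status,first_seen,last_updated) is a constructed stand-in;
real feeds differ. The sample timestamps mirror the thread's account of a
report that was closed after 42 minutes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class FeedEntry:
    ip: str
    status: str            # "open" (still flagged) or "closed" (withdrawn)
    first_seen: datetime
    last_updated: datetime


def parse_feed(lines):
    """Parse CSV-style feed lines; skip comments/blank lines; reject malformed IPs."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip, status, first, last = (f.strip() for f in line.split(","))
        ipaddress.ip_address(ip)  # ValueError on garbage rather than silently blocking it
        entries.append(FeedEntry(ip, status.lower(),
                                 datetime.fromisoformat(first),
                                 datetime.fromisoformat(last)))
    return entries


def reconcile(local_blocklist, feed, now, max_age=timedelta(days=7)):
    """Split a local blocklist into entries to keep and entries to drop.

    Drop when upstream has closed the case, has no record at all, or has not
    refreshed the entry within max_age (a stale 'open' is treated as unconfirmed).
    """
    upstream = {e.ip: e for e in feed}
    keep, drop = [], {}
    for ip in sorted(local_blocklist):
        entry = upstream.get(ip)
        if entry is None:
            drop[ip] = "no upstream record"
        elif entry.status == "closed":
            minutes = int((entry.last_updated - entry.first_seen).total_seconds() // 60)
            drop[ip] = f"upstream closed after {minutes} minutes"
        elif now - entry.last_updated > max_age:
            drop[ip] = "stale: upstream has not refreshed within max_age"
        else:
            keep.append(ip)
    return keep, drop


# Constructed sample feed (not real feed data). 131.253.61.64 is the address
# from the thread; the other addresses are RFC 5737 documentation ranges.
SAMPLE_FEED = """\
# ip,status,first_seen,last_updated
131.253.61.64,closed,2013-06-08T10:00:00+00:00,2013-06-08T10:42:00+00:00
192.0.2.10,open,2013-06-15T08:00:00+00:00,2013-06-16T08:00:00+00:00
198.51.100.7,open,2013-05-01T00:00:00+00:00,2013-05-01T00:00:00+00:00
""".splitlines()

LOCAL_BLOCKLIST = {"131.253.61.64", "192.0.2.10", "198.51.100.7", "203.0.113.5"}
NOW = datetime(2013, 6, 16, 20, 0, tzinfo=timezone.utc)


def run_sample():
    """Reconcile the constructed blocklist against the constructed feed."""
    return reconcile(LOCAL_BLOCKLIST, parse_feed(SAMPLE_FEED), NOW)


if __name__ == "__main__":
    kept, dropped = run_sample()
    print("keep:", kept)
    for ip, why in dropped.items():
        print(f"drop {ip}: {why}")
```

Run as a script it keeps only 192.0.2.10 and drops the other three with a reason each; the 131.253.61.64 entry is dropped because the upstream record is closed, which is exactly the status change the post says never propagated. The `max_age` rule is the practitioner's own safeguard: an "open" entry nobody upstream has touched in a week is no longer evidence of anything, so it ages out rather than blocking traffic indefinitely.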
                • 5. Re: Risky connection resolves to Microsoft/Ottawa?

                  Thanks for chasing after this one! I submitted to Microsoft's board as well and was told to ask McAfee... typical of them. They didn't even bother to tell me whether they agree it's theirs or what it might be used for. I also got blocked for the .70 address mentioned by dsusa above, on a different computer. I suppose I can block the Live ID service and see what that affects. Never sure with all the hooks Win8 and Office-from-the-cloud have back to Microsoft to make things run!

                  • 6. Re: Risky connection resolves to Microsoft/Ottawa?
                    Hayton

                    This gets murkier the deeper I dig into it.

                     

                    According to various domain tools, the original IP address used to host "mail.ttscvn.com". Details for that site have now been removed, but it shared the server with these sites -

                    entrar.animalog.com.br

                    login.live.com

                    login.live.com.nsatc.net

                    mail.ftplasia.com

                    mail.ttscvn.com

                    studentemail.enmu.edu

                    studentmail.ed-coll.ac.uk

                     

                    Does that look like a Microsoft server to you? No, me neither. Except it probably is. Here's the source of that info -

                     

http://webcache.googleusercontent.com/search?q=cache:kp5NvvFw31wJ:host.robtex.com/mail.ttscvn.com.html+131.253.61.64+blacklist&cd=3&hl=en&ct=clnk&gl=uk

                    http://ip.robtex.com/131.253.61.64.html

                     

                    Things may have changed slightly. The latest information from http://www.ip-adress.com/reverse_ip/131.253.61.64 shows these domains on the server -

[Image: 131.253.61.64 Reverse IP Lookup Results.png]

                     

                     

                    Those do look like Microsoft domains, and the ones I checked have a valid Microsoft digital certificate and a secure https: connection.

                     

                    The internet organisational graph shows mail.ttscvn.com resolves to AS8075, which is Microsoft (http://as.robtex.com/as8075.html)

                     

                    It begins to look as if the IP address, the server and the domains all belong to or are connected with Microsoft ...

                     

                    .. and then everything goes murky again, and the doubt re-appears. One of the host names sharing this suspect IP address is "login.live.com.nsatc.net". For this, see the following -

                     

                    http://pop.dnstree.com/com/live/login/

                    http://dnstree.com/com/hotmailbcn/

                     

                    All well and good, except that http://www.ip-adress.com/whois/hotmailbcn.com shows this is another login page hosted on a server (131.253.61.82) in Ottawa; and if you try to go to "hotmailbcn.com" in Google Chrome you will encounter this page -

                     

[Image: Another Microsoft phishing site.png]

                     

                    At which point I gave up.  The servers are, or are not, Microsoft servers. They do, or do not, host phishing sites. They should, or should not, be blocked. It's all as clear as mud.

                     

                    Message was edited by: Hayton on 16/06/13 23:44:36 IST
                    • 7. Re: Risky connection resolves to Microsoft/Ottawa?
                      exbrit

                      I just got 3 warnings in as many seconds each with a different IP but all Ottawa.

                       

                      Here's the URL given for one McAfee report page.

                       

                      Not too concerned except the thought that it may be genuine and I should have somehow allowed it although never given that chance.

                       

                      Not listed in Security History by the way.

                       

                       

                       

                      Message was edited by: Ex_Brit on 16/06/13 9:44:00 EDT PM
                      • 8. Re: Risky connection resolves to Microsoft/Ottawa?

                        Yes I got that IP address on my laptop and just like you I did not find it in my security history. strange.

                        • 9. Re: Risky connection resolves to Microsoft/Ottawa?
                          Bilbo_1405

Hi, I'm also reporting that my laptop received this same issue. Windows Live Update risky.
Two times so far. Not coming up in the McAfee history of incoming blocked.
Also not happening as far as I know on my desktop.

                           

                          McAfee popup directed me to this :
                          http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=131.253.61.64
