-google-ads-
2013
01.10

13 IPs from MSN (MICROSOFT-CORP—MSN-AS-BLOCK – Microsoft Corp) was abused for forum-spam-/ssh-/voip-Attacks

Kategorie: Allgemein / Tag:  / Kommentieren

In the last Days we see 13 IPs from the Network MICROSOFT-CORP—MSN-AS-BLOCK – Microsoft Corp // ASN8075 from a lot of Forum-Spam-/SSH-/Voip-/SIP-Attacks.

We send the default X-ARF-Abuse-Complaint, but only the Server which makes SSH-/Sip-Attacks was stoped or not longer reported to us.

So, we send a normal Mail to noc@microsoft.com, abuse@microsoft… abuse@msn…. but received only the acknowledgement-Mail and a bounce-Mail from noc@ that the account does not exist, but is aviable in the Whois-Data.

On the Server there are the rdp-Port open:

nmap-ms

 

We thinking there are Developement-Systems there was hacked or false configured, that he have a (Reverse)Proxy which allows to get URLs from other URLs and not only from the same system.

Some IPs was heavy, like this IP 157.56.166.51 he has send over 760400 Spam-Comments/Posts or automatically Registrations in Honeypot-Systems. The most IPs was stopped or was never reported to us after yesterday, but one IP is still alive.

We wait for a Answer from microsoft so far 😐

[UPDATE 22.07.2013 11:00:00]
We received an Anser from Microsoft:
 


Hello,

Thank you for bringing this to our attention, please file a response to
http://cert.microsoft.com. Then our security teams will start that
investigation, also you can use that in the future to report suspicious
Microsoft IPs.

Thank you,

Rechie
Online Safety Team

We have try to send a Report, but get only the following error-message:
An internal error has occured, please try again. Object reference not set to an instance of an object.
With an fake Referer, the Form works.
But dear Microsoft, please use a X-ARF-Parser and generate a new Report with your own format from your Form.

-google-ads-
  1. Mainboarder sagt: 09.03.2013 11:17

    I wrote an article about this topic after contacting microsoft on serveral ways like abuse mail, noc mail, twitter and customer support.
    unfortunally there was no answer which would help. so I contacted the spokesman.
    I told me, his colleagues in redmond have switched of six IP-Adresses.

    Also he told me, reporting abuse situations has best effect if you report it to cert.microsoft.com

    Hopefully this helps.

  2. C W sagt: 21.10.2013 04:35

    I just finished blacklisting 13 IP addresses from the same Microsoft-MSN-AS block as they were racking up click spam on google ads. Over 8 thousand clicks over the course of this one day.

    I hope you don’t mind, but I referenced this post in my report to cert.microsoft.com to show that this is not something new, and they’re apparently choosing to simply ignore it.

Translate »