cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
plawrence5
Contributor
Message 1 of 44
‎06-16-2013 08:14 AM

Risky connection resolves to Microsoft/Ottawa?

I have recently received several "Risky Connection Blocked" messages for IP address 131.253.61.64. SiteAdvisor shows it in the red, but a "whois" resolves to a Microsoft address in Ottawa. How do I find out why my machine is attempting to connect to this IP address and what it is? (I am in Arizona, so it doesn't make sense unless Microsoft is hosting one of the Windows 8 apps or services in Ottawa or something...)

Thanks!

Reply
43 Replies
Hayton
Honored Contributor III
Message 2 of 44
‎06-16-2013 10:15 AM

Re: Risky connection resolves to Microsoft/Ottawa?

Interesting. The WhoIs information for that IP address indicates that it is one of a whole range of addresses allocated to Microsoft (131.253.61.0 - 131.253.255.255). The registration information appears to be correct. The ISP for that address is Northern Telecom, of Ottawa (so not one of your hole-in-the-wall ISPs).

That said, the address is reported here as a phishing site. If the address has been reported incorrectly Microsoft aren't going to be pleased. If the report is correct, and someone is impersonating Microsoft and running a convincing fake Microsoft website on that server, Microsoft are going to be madder 'n hell.

All we have at the moment is an IP address, no website URL. I don't suppose you got that far? If not, I suppose I'll have to walk into the lion's den to find out if it's got a lion in it

Message was edited by: Hayton on 16/06/13 19:04:51 IST
Reply
dsusa
Former Member
Message 3 of 44
‎06-16-2013 10:25 AM

Re: Risky connection resolves to Microsoft/Ottawa?

I am in NJ, USA, got   "Risky Connection Blocked" message for  131.253.61.64 and 131.253.61.70    so far.

I have blocked  "Microsoft Windows Live ID Service" programm on my machine for a while as a precaution.

Reply
Hayton
Honored Contributor III
Message 4 of 44
‎06-16-2013 11:00 AM

Re: Risky connection resolves to Microsoft/Ottawa?

Best thing to do for now, I think.  I've just come off a highly unsatisfactory Live Chat session with someone via the Microsoft Support site - probably in a distant call-centre in Mumbai. All I got out of that was, "Call your local Microsoft office in the morning". Yeah, right. On one of the high-cost dial codes.

I'll send an email. I've got a screenshot of the landing page, complete with glowing Red SiteAdvisor symbol AND a Red warning from WOT.

Oddly, the connection to the server is made via http: (and hence insecure).  At the bottom of the landing page is an option to use SSL, so I selected it. The page reloaded with an SSL (secure) connection, and a Green SiteAdvisor symbol. My guess is that I was automatically redirected to a local (UK) Microsoft server. The digital certificate for that webpage showed it to be a genuine Microsoft page.

Still doesn't mean that the Ottawa server isn't hosting a fake or compromised webpage.

Oh, all right, here's what it looked like. It certainly looks like the real thing. Very convincing.

Fake Microsoft phishing site.jpg

Message was edited by: Hayton : add note about WOT warning - on 16/06/13 19:42:51 IST
0 Kudos
Reply
Hayton
Honored Contributor III
Message 5 of 44
‎06-16-2013 12:08 PM

Re: Risky connection resolves to Microsoft/Ottawa?

SiteAdvisor is getting the Red rating from TrustedSource. WOT is setting its Red rating based on a report from PhishTank, so I bet TrustedSource is doing the same. And PhishTank? They got their information from Clean-MX.

Oh, dear .... I think Microsoft may get very annoyed with Clean-MX. This looks like a false positive. Clean-MX seems to have a very high ratio of those, judging by a couple of write-ups I came across (okay, that's a very small sample. I'm still looking.)

http://www.boredomsoft.org/clean-mx.bs

http://www.bluetack.co.uk/forums/index.php?showtopic=20173

I'll let Microsoft sort this one out, I think.

Edit (later) :

Actually, no. It's wrong to blame Clean-MX here. They had a report about this IP address - just one, it's never appeared on thier list before or since. That was on the 8th of June, and it lasted exactly 42 minutes before it was countermanded. The case is Closed, according to their report.

http://support.clean-mx.de/clean-mx/phishing.php?id=3365484

So the blame shifts to PhishTank (and perhaps others) for not reacting to the change of status from Red to Green on Clean-MX. Oh, I do hope someone from Microsoft gets to read this. Site and IP address false positives should be corrected as early as possible, as far up the chain as possible, and the correction should be propagated to all the programs that picked up the original warning. Sadly, that does not appear to happen, at least not efficiently.

Message was edited by: Hayton on 16/06/13 20:20:58 IST
0 Kudos
Reply
plawrence5
Contributor
Message 6 of 44
‎06-16-2013 12:33 PM

Re: Risky connection resolves to Microsoft/Ottawa?

Thanks for chasing after this one! I submitted to Microsoft's board as well and was told to ask McAfee... typical of them. They didn't even bother to tell me whether they agree it's theirs or what it might be used for. I also got blocked for the .70 address mentioned by dsusa above, on a different computer. I suppose I can block the Live ID service and see what that affects. Never sure with all the hooks Win8 and Office-from-the-cloud have back to Microsoft to make things run!

0 Kudos
Reply
Hayton
Honored Contributor III
Message 7 of 44
‎06-16-2013 03:27 PM

Re: Risky connection resolves to Microsoft/Ottawa?

This gets murkier the deeper I dig into it.

According to various domain tools, the original IP address used to host "mail.ttscvn.com". Details for that site have now been removed, but it shared the server with these sites -

entrar.animalog.com.br
login.live.com
login.live.com.nsatc.net
mail.ftplasia.com
mail.ttscvn.com
studentemail.enmu.edu
studentmail.ed-coll.ac.uk

Does that look like a Microsoft server to you? No, me neither. Except it probably is. Here's the source of that info -

http://webcache.googleusercontent.com/search?q=cache:kp5NvvFw31wJ:host.robtex.com/mail.ttscvn.com.ht...

http://ip.robtex.com/131.253.61.64.html

Things may have changed slightly. The latest information from http://www.ip-adress.com/reverse_ip/131.253.61.64 shows these domains on the server -

131.253.61.64 Reverse IP Lookup Results.png

Those do look like Microsoft domains, and the ones I checked have a valid Microsoft digital certificate and a secure https: connection.

The internet organisational graph shows mail.ttscvn.com resolves to AS8075, which is Microsoft (http://as.robtex.com/as8075.html)

It begins to look as if the IP address, the server and the domains all belong to or are connected with Microsoft ...

.. and then everything goes murky again, and the doubt re-appears. One of the host names sharing this suspect IP address is "login.live.com.nsatc.net". For this, see the following -

http://pop.dnstree.com/com/live/login/

http://dnstree.com/com/hotmailbcn/

All well and good, except that http://www.ip-adress.com/whois/hotmailbcn.com shows this is another login page hosted on a server (131.253.61.82) in Ottawa; and if you try to go to "hotmailbcn.com" in Google Chrome you will encounter this page -

Another Microsoft phishing site.png

At which point I gave up.  The servers are, or are not, Microsoft servers. They do, or do not, host phishing sites. They should, or should not, be blocked. It's all as clear as mud.

Message was edited by: Hayton on 16/06/13 23:44:36 IST
Reply
exbrit
MVP
Message 8 of 44
‎06-16-2013 06:39 PM

Re: Risky connection resolves to Microsoft/Ottawa?

I just got 3 warnings in as many seconds each with a different IP but all Ottawa.

Here's the URL given for one McAfee report page.

Not too concerned except the thought that it may be genuine and I should have somehow allowed it although never given that chance.

Not listed in Security History by the way.

Message was edited by: Ex_Brit on 16/06/13 9:44:00 EDT PM
Reply
plawrence5
Contributor
Message 9 of 44
‎06-16-2013 09:13 PM

Re: Risky connection resolves to Microsoft/Ottawa?

Yes I got that IP address on my laptop and just like you I did not find it in my security history. strange.

0 Kudos
Reply
Bilbo_1405
Former Member
Message 10 of 44
‎06-17-2013 03:27 AM

Re: Risky connection resolves to Microsoft/Ottawa?

Hi, I'm also reeporting that my laptop received this same issue. Windows@ Live Update risky.
Two times so far. Not coming up  in the McAfee history of incoming blocked.
Also not happening as far as I know on my desktop.

McAfee popup directed me to this :
http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=131.253.61.64

0 Kudos
Reply
How Many Badges Can You Collect?
Ready for a little competition? Members like you are earning badges and unlocking perks for their helpful answers. Are you? Click here to find out.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community

* Important Terms and Offer Details:

  Subscription, Free Trial, Pricing and Automatic Renewal Terms:

  • The amount you are charged upon purchase is the price of the first term of your subscription. The length of your first term depends on your purchase selection (e.g. 1 month or 1 year).  Once your first term is expired, your subscription will be automatically renewed on an annual basis (with the exception of monthly subscriptions, which will renew monthly) and you will be charged the renewal subscription price in effect at the time of your renewal, until you cancel (Vermont residents must opt-in to auto-renewal.)
  • Unless otherwise stated, if a savings amount is shown, it describes the difference between the introductory first term price (available only to customers without an existing McAfee subscription) and the renewal subscription price (e.g., first term price vs. each year thereafter).
  • Pricing is subject to change. If the renewal price changes, we will notify you in advance so you always know what’s going on.
  • You can cancel your subscription or change your auto-renewal settings any time after purchase from your My Account page. To learn more, click here.
  • You may request a refund by contacting Customer Support within 30 days of initial purchase or within 60 days of automatic renewal (for 1 year terms or longer).
  • Your subscription is subject to our License Agreement and Privacy Notice. Subscriptions covering "all" devices are limited to supported devices that you own. Product features may be added, changed or removed during the subscription term.  Not all features may be available on all devices.  See System Requirements for additional information.
  • Free Trial Terms: At the end of your trial period you will be charged $39.99 for the first term. After the first term, you will be automatically renewed at the renewal price (currently $124.99/yr). We will charge you 7-days before renewal. You can cancel at any time before you are charged. ​

 **Free Benefits With Auto-Renewal:

  • For many qualifying product subscriptions McAfee offers additional benefits for free when you are enrolled in auto-renewal. You can check your eligibility for these benefits in your My Account page. Not all benefits are offered in all locations or for all product subscriptions.  System Requirements apply.   Turning off auto-renewal terminates your eligibility for these additional benefits. 
  • Virus Protection Pledge (VPP): If we cannot remove a virus from your supported device we’ll refund you the amount you paid for your current term subscription.  The refund does not apply to any damage or loss caused by a virus.  You are responsible for backing up your data to prevent data loss. See terms here: mcafee.com/pledge.
  • Safe Connect VPN:  You will receive free, unlimited access to our VPN wireless on supported devices. Users not on auto-renewal have access to 500 MB/month of bandwidth.

   Additional Terms Specific to Identity Monitoring Service:

  • Eligibility: McAfee® Identity Monitoring Service Essentials is available within active McAfee Total Protection and McAfee LiveSafe subscriptions with identity monitoring for up to 10 unique emails. Phone number monitoring is enabled upon activation of Automatic Renewal. Not all identity monitoring elements are available in all countries. See Product Terms of Service for more information. 
  • Your subscription is subject to our License Agreement and Privacy Notice. Product features may be added, changed or removed during the subscription term. Some features may require registration and a valid ID number to activate. See System Requirements for additional information.
  • While McAfee Identity Monitoring Service provides you tools and resources to protect yourself from identity theft, no identity can be completely secure.
  • US Only:
    Fair Credit Reporting Act: You have numerous rights under the FCRA, including the right to dispute inaccurate information in your credit report(s). Consumer reporting agencies are required to investigate and respond to your dispute, but are not obligated to change or remove accurate information that is reported in compliance with applicable law. While this plan can provide you assistance in filing a dispute, the FCRA allows you to file a dispute for free with a consumer reporting agency without the assistance of a third party.
  • Identity theft coverage is not available in New York due to regulatory requirements.


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Products

McAfee® Total Protection
McAfee® Gamer Security
McAfee® Identity Monitoring Service
McAfee® Security Scan Plus
McAfee® WebAdvisor
McAfee® Techmaster Concierge
McAfee® Virus Removal Service

Resources

Antivirus
Free Downloads
Parental Controls
Malware
Firewall
 Blogs
Activate Retail Card
Threat Center
McAfee Enterprise

Support

Consumer Support
FAQs
Renewals
Support Community

About

About McAfee
Careers
Contact Us
Newsroom
Investors
Legal Terms
Your Privacy Choices
System Requirements
Sitemap

Copyright © 2022 McAfee, LLC
Copyright © 2022 McAfee, LLC