[Dshield] Help decoding Hotmail URLs

Andy Hopkins (healthAlliance) Andy.Hopkins at healthalliance.co.nz
Mon Jan 8 02:58:56 GMT 2007

Does anyone have any experience in decoding the Hotmail URLs as logged
by an M$ ISA server?

We have an e-mail sent from a Hotmail account, from internal to our
network, to a user on our network. I can see from proxy logs who was
accessing hotmail at the time, but need to break it down a bit further
before jumping on folks PC's.

Also, any happen to know if an entire Hotmail session is server by one
server or not? E.g. the first "Received" header is

Received: from 210.aa.b.ccc by by21fd.bay21.hotmail.msn.com with HTTP;

      Sun, 07 Jan 2007 22:09:56 GMT

Would it be fair to say that the entire session would have been against
by21fd.bay21.hotmail.msn.com ?


Andy Hopkins
UNIX & IT Security Team Leader
Extn: 7507
DDL: (+64) (9) 487 1507
Mobile: (+64) (21) 285 2139

The views and information expressed in this e-Mail are actually mine,
because my wife says so!
Although, healthAlliance doesn't necessarily agree with me

This e-mail message and any accompanying attachments may contain information that is confidential and subject to legal privilege.  If you are not the intended recipient, do not read, use, disseminate, distribute or copy this message or attachments.  If you have received this message in error, please notify the sender immediately and delete this message.

More information about the list mailing list