[Dshield] Help decoding Hotmail URLs
pmelson at gmail.com
Tue Jan 9 18:59:01 GMT 2007
> Does anyone have any experience in decoding the Hotmail URLs as logged by
> an M$ ISA server?
What do you mean by 'decoding' ?
In mail-sent POST's, the message is sent in plain text with some encoding of
punctuation and whitespace characters. User ID's are usually present in the
session cookies. I don't recall any uniquely identifiable data being in the
URL, however, so if that's all you have in the ISA logs, they may not be
> We have an e-mail sent from a Hotmail account, from internal to our
> network, to a user on our network. I
> can see from proxy logs who was accessing hotmail at the time, but need to
> break it down a bit further
> before jumping on folks PC's.
I wouldn't wait to collect data from PC's, especially if this is a situation
where HR and/or law enforcement need to be involved. I'd start taking
images of all of the possible client machines now before any more evidence
> Would it be fair to say that the entire session would have been against
You can almost be guaranteed that this is NOT the case. Most Hotmail (and
MSN Messenger) sessions will be across several servers, typically somewhere
between 2-5 servers depending on the length of the session.
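Added example, not part of the original post: because a webmail session spans several servers, proxy log entries are better grouped by client than by destination host, then narrowed to clients that issued a POST near the message timestamp. The log layout, the `.webmail.example` domain, the addresses and the function name are constructed assumptions, not ISA's real format or Hotmail's real hostnames.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified layout (date time client method host);
# real ISA logs carry more fields and need their own parser.
SAMPLE_LOG = """\
2007-01-09 13:20:00 10.0.0.55 POST mail-b.webmail.example
2007-01-09 14:01:10 10.0.0.21 GET mail-a.webmail.example
2007-01-09 14:02:00 10.0.0.34 GET mail-a.webmail.example
2007-01-09 14:02:30 10.0.0.34 GET mail-d.webmail.example
2007-01-09 14:03:40 10.0.0.21 POST mail-b.webmail.example
2007-01-09 14:03:55 10.0.0.21 GET www.other.example
2007-01-09 14:04:02 10.0.0.21 GET mail-c.webmail.example
"""


def candidate_clients(log_text, sent_at, window=timedelta(minutes=5),
                      domain=".webmail.example"):
    """Group webmail traffic by client, not by server, and keep only the
    clients that issued a POST within `window` of the message timestamp."""
    hosts = defaultdict(set)    # client -> every webmail host it touched
    posts = defaultdict(list)   # client -> POST times inside the window
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        date, time, client, method, host = parts
        if not host.lower().endswith(domain):
            continue  # unrelated destination
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        hosts[client].add(host.lower())
        if method.upper() == "POST" and abs(when - sent_at) <= window:
            posts[client].append(when)
    return {c: {"hosts": sorted(hosts[c]), "posts": posts[c]} for c in posts}


if __name__ == "__main__":
    # Assumed timestamp taken from the received message's headers.
    sent = datetime(2007, 1, 9, 14, 4, 0)
    for client, info in candidate_clients(SAMPLE_LOG, sent).items():
        print(client, info["hosts"], [t.isoformat() for t in info["posts"]])
```
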