[Dshield] Help decoding Hotmail URLs

Paul Melson pmelson at gmail.com
Tue Jan 9 18:59:01 GMT 2007


> Does anyone have any experience in decoding the Hotmail URLs as logged by
> an M$ ISA server?

What do you mean by 'decoding' ?

In mail-sent POSTs, the message is sent in plain text with some encoding of
punctuation and whitespace characters.  User IDs are usually present in the
session cookies.  I don't recall any uniquely identifiable data being in the
URL, however, so if that's all you have in the ISA logs, they may not be

> We have an e-mail sent from a Hotmail account, from internal to our
> network, to a user on our network. I can see from proxy logs who was
> accessing hotmail at the time, but need to break it down a bit further
> before jumping on folks' PCs.

I wouldn't wait to collect data from PCs, especially if this is a situation
where HR and/or law enforcement need to be involved.  I'd start taking
images of all of the possible client machines now before any more evidence
is lost.

> Would it be fair to say that the entire session would have been against
> by21fd.bay21.hotmail.msn.com ?

You can almost be guaranteed that this is NOT the case.  Most Hotmail (and
MSN Messenger) sessions will be across several servers, typically somewhere
between 2-5 servers depending on the length of the session.
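The two practical points in the reply above, that the webmail POST body is only URL-encoded (so it can be decoded directly if the proxy captured it) and that one Hotmail session is spread over several hostnames (so the proxy log should be grouped by client IP and time window rather than by a single server name), are shown below in an added example. This is not code from the original post or from any DShield tool; the log layout (W3C-style date, time, client IP, method, host, URI stem) and the sample lines and POST body are all constructed for illustration and are not real ISA output.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample proxy log. The field order below is an ASSUMPTION for
# this example (space-separated: date time c-ip cs-method cs-host cs-uri-stem);
# real ISA/W3C logs carry more fields and a #Fields: header describing them.
SAMPLE_LOG = """\
2007-01-09 14:02:11 10.1.2.33 GET by21fd.bay21.hotmail.msn.com /cgi-bin/HoTMaiL
2007-01-09 14:02:40 10.1.2.33 GET by21fd.bay21.hotmail.msn.com /cgi-bin/compose
2007-01-09 14:03:05 10.1.2.33 POST by103fd.bay103.hotmail.msn.com /cgi-bin/premail
2007-01-09 14:03:07 10.1.2.33 GET by103fd.bay103.hotmail.msn.com /cgi-bin/sent
2007-01-09 14:05:50 10.1.2.77 GET by21fd.bay21.hotmail.msn.com /cgi-bin/getmsg
2007-01-09 15:30:00 10.1.2.33 GET www.example.com /
"""

# Constructed application/x-www-form-urlencoded body of a "send mail" POST.
# Field names are invented for the example, not Hotmail's real form names.
SAMPLE_BODY = "to=victim%40example.com&subject=Re%3A+meeting&body=See+you+at+5%2C%0D%0A-J"

HOTMAIL_HOST = re.compile(r"\.hotmail\.msn\.com$", re.IGNORECASE)


def decode_post_body(body):
    """Decode a form-encoded POST body: '+' becomes a space and %XX escapes
    (e.g. %0D%0A for CR LF) are turned back into the original characters."""
    fields = parse_qs(body, keep_blank_values=True)
    # parse_qs returns a list per field; keep the first value of each.
    return {name: values[0] for name, values in fields.items()}


def parse_log(text):
    """Parse the constructed log layout into records with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, client, method, host, uri = line.split(None, 5)
        records.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "client": client,
            "method": method.upper(),
            "host": host,
            "uri": uri,
        })
    return records


def hotmail_sessions(records, sent_at, window=timedelta(minutes=10)):
    """Group Hotmail requests by client IP within +/- window of the time the
    mail was sent. Each client gets the full set of Hotmail hosts it touched
    (several per session is normal) and a count of POSTs, which is where a
    sent message would show up."""
    sessions = {}
    for rec in records:
        if not HOTMAIL_HOST.search(rec["host"]):
            continue
        if abs(rec["ts"] - sent_at) > window:
            continue
        s = sessions.setdefault(rec["client"], {"hosts": set(), "posts": 0,
                                                "first": rec["ts"], "last": rec["ts"]})
        s["hosts"].add(rec["host"])
        if rec["method"] == "POST":
            s["posts"] += 1
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    # Sort hosts so the result is deterministic and easy to report.
    for s in sessions.values():
        s["hosts"] = sorted(s["hosts"])
    return sessions


if __name__ == "__main__":
    # Time the mail was received, taken from the message headers in practice.
    sent_at = datetime(2007, 1, 9, 14, 3, 0)
    for client, s in hotmail_sessions(parse_log(SAMPLE_LOG), sent_at).items():
        print(client, s["first"], s["last"], "posts=%d" % s["posts"], s["hosts"])
    print(decode_post_body(SAMPLE_BODY))
```

Grouping by client IP rather than by hostname is what makes the second point actionable: in the constructed sample, 10.1.2.33 hits two different Hotmail front ends within a minute and is the only client with a POST in the window, while 10.1.2.77 only reads mail. If the proxy retained POST bodies, `decode_post_body` turns the encoded message back into readable text; if it did not (ISA logs normally record only the URL), the session grouping is the most the proxy log will give and the rest has to come from the client images.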


