FYI Microsoft Attack this evening

Seeing something similar myself on a few sites. I've blocked the AS with Cloudflare

 
Could Microsoft be using Des Moines to do mail (hotmail, outlook.com etc.) amongst other things?

I think by blocking Microsoft data center I also stopped email going to Microsoft’s email addresses! They have piled up waiting to send. 🫣
I think the IP range for Microsoft's email (hotmail, outlook, etc.) is 147.47.0.0/16


It comes back with one of 104.47.XX.XX whether you say outlook.com, hotmail.com etc.

This means if you run CSF or another firewall you can block the rest I think:

Code:
168.61.0.0/16 # Microsoft Des Moines - do not delete
104.208.0.0/16 # Microsoft Des Moines - do not delete
104.43.0.0/16 # Microsoft Des Moines - do not delete
52.176.0.0/16 # Microsoft Des Moines - do not delete
52.173.0.0/16 # Microsoft Des Moines - do not delete
52.165.0.0/16 # Microsoft Des Moines - do not delete
40.122.0.0/16 # Microsoft Des Moines - do not delete
40.113.0.0/16 # Microsoft Des Moines - do not delete
40.122.0.0/16 # Microsoft Des Moines - do not delete
40.86.0.0/16 # Microsoft Des Moines - do not delete
40.83.0.0/16 # Microsoft Des Moines - do not delete
40.78.0.0/16 # Microsoft Des Moines - do not delete
40.77.0.0/16 # Microsoft Des Moines - do not delete
40.69.0.0/16 # Microsoft Des Moines - do not delete
23.101.0.0/16 # Microsoft Des Moines - do not delete
23.100.0.0/16 # Microsoft Des Moines - do not delete
23.99.0.0/16 # Microsoft Des Moines - do not delete
20.241.0.0/16 # Microsoft Washington - do not delete
20.169.0.0/16 # Microsoft Washington - do not delete
20.29.0.0/16 # Microsoft Des Moines - do not delete
13.89.0.0/16 # Microsoft Des Moines - do not delete
13.86.0.0/16 # Microsoft Des Moines - do not delete
13.67.0.0/16 # Microsoft Des Moines - do not delete

Yes, there's going to be some that are unfairly blocked and there will be some that get past... but it's a tiny amount.
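A pre-flight check for the situation described in this thread, where a broad Microsoft block also stopped outbound mail: the script audits a CSF-style deny list for repeated entries and for ranges that cover addresses the server still has to reach. This is an added example, not code from any poster; the 104.40.0.0/13 entry and the two 104.47.x.x addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: a few entries from the post's list (including the
# repeated 40.122.0.0/16) plus one constructed broad entry, 104.40.0.0/13.
DENY_LIST = """\
168.61.0.0/16 # Microsoft Des Moines - do not delete
40.122.0.0/16 # Microsoft Des Moines - do not delete
40.113.0.0/16 # Microsoft Des Moines - do not delete
40.122.0.0/16 # Microsoft Des Moines - do not delete
104.43.0.0/16 # Microsoft Des Moines - do not delete
104.40.0.0/13 # constructed: an over-broad entry
"""

# Constructed addresses standing in for hosts the server must still reach,
# e.g. the 104.47.XX.XX mail hosts mentioned in the post.
MUST_REACH = ["104.47.0.33", "104.47.58.161"]


def parse_deny(text):
    """Return (line_number, network) for every entry, ignoring comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        cidr = line.split("#", 1)[0].strip()
        if cidr:
            entries.append((lineno, ipaddress.ip_network(cidr, strict=False)))
    return entries


def audit(text, must_reach):
    """Find repeated entries and entries that cover a must-reach address."""
    entries = parse_deny(text)
    seen, duplicates, conflicts = {}, [], []
    for lineno, net in entries:
        if net in seen:
            duplicates.append((seen[net], lineno, str(net)))
        else:
            seen[net] = lineno
        for addr in must_reach:
            if ipaddress.ip_address(addr) in net:
                conflicts.append((lineno, str(net), addr))
    return {"duplicates": duplicates, "conflicts": conflicts}


if __name__ == "__main__":
    report = audit(DENY_LIST, MUST_REACH)
    for first, again, net in report["duplicates"]:
        print(f"line {again}: {net} repeats line {first}")
    for lineno, net, addr in report["conflicts"]:
        print(f"line {lineno}: {net} would block {addr}")
```

Running the audit before reloading the firewall catches the over-broad entry while mail is still flowing, rather than after the queue has backed up.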
 
Set a strategy for DDoS... I've had countless attacks. The latest DDoS attacks were effective attacks. I have set a rule to ban the entry of the whole world when the attack comes from outside of Turkey. But this system has lost a lot of hits to the baby community. I ate DDoS every day because...!
 
I'm beginning to think that this and this (https://xenforo.com/community/threa...isting-accounts-with-no-need-to-login.211713/) are connected.

Possibly scanning websites looking for older registered profiles which match compromised username/email and passwords from a data breach/dump several years ago (not XenForo).
The scans continue until they find a match and then use that member's profile to post spam.

Yes, I suspect so too.
 
Microsoft is well more than a search engine.
The prime issue here is that the attacks/scans are apparently coming from an MS Azure instance (think AWS EC2).
And they won't do nothing to solve it.... this is not from today or yesterday, it's a problem going since a lot of days....
 
And they won't do nothing to solve it.... this is not from today or yesterday, it's a problem going since a lot of days....
Not really surprised.. you ever have to deal with them to get your domain whitelisted on their HotMail/Live/Outlook service?
Although I'm pretty sure when a whole swathe of their IPs start getting on the blocked lists, they'll decide to do something about it when the ones actually paying them money start complaining about lack of connectivity.
 
Friendly FYI… I'm getting a lot of attacks from Taiwan and Singapore lately. I had to close to guest for a while until I had time to fix. Took about two days and Singapore is still trying. Started after a very long view of my community from a few China scans. China was particularly interested in my TOS page. 🤷‍♂️ I'm attaching two source IPs for you to ban asap. I'm also getting some suspicious views from D.C. 🙄
 

Also Facebook sent 29 bots from one post mentioning my community. Not sure why they needed so many. 29! lol
This happens regularly if content on your site gets posted to FB, and then shared... for some reason they send their FB bots in full force. I've had upwards of 15 when I was checking shortly after an image got shared on a FB page then shared from there. I guess they want to see if they can find anything else to make some money from.
As for Singapore/Taiwan... I'm seeing a lot of "bot" type scans originating from those locations... and use CF to block the strings used in those probes. The majority of the ones I am finding blocked actually are originating in the U.S.
 