I received a notification of suspicious activity from Microsoft at 2:09pm
I am in Australia - GMT+10 - I thought I also saw a previous notification but I can't see that in the records
However I have now logged in and it is logged as from IP 13.101.169.237
Which is registered to Microsoft - Is this just a false report - I have changed my password - but as that is microsoft I'm not sure if I should do something more
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2022, American Registry for Internet Numbers, Ltd.
#
NetRange: 13.64.0.0 - 13.107.255.255
CIDR: 13.96.0.0/13, 13.64.0.0/11, 13.104.0.0/14
NetName: MSFT
NetHandle: NET-13-64-0-0-1
Parent: NET13 (NET-13-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Microsoft Corporation (MSFT)
RegDate: 2015-03-26
Updated: 2021-12-14
Ref: https://rdap.arin.net/registry/ip/13.64.0.0
OrgName: Microsoft Corporation
OrgId: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
RegDate: 1998-07-10
Updated: 2022-03-28
Related
An application, which obviously uses Chilkat plugin, does not correctly send E-mails anymore using an Office 365 account. After a migration from on-premise exchange to Microsoft 365, the account and server settings were changed at end of March this year. Furthermore, client authentication needed to be disabled for the mailbox. After that, sending E-mails from the application had worked. Now, it again doesn't. Yesterday, one E-mail could successfully be sent after a computer restart - the next ones failed again.
I'm stuck to find the cause of the error and also I don't know, what data exactly is sent from the application during the connection, which makes the analysis more difficult.
I found this post mentioning that entries for TLS 1.0 need to be in the registry. Those were missing, but there were entries for TLS 1.2, so I didn't assume this is an issue, espccially because the entries concerning cryptography (also mentioned in the post) did already exist. In the meantime, I have added them nonetheless.
Below is the Chilkat Log, showing that - after the server is ready - the clientHandshake2 fails with error code 0x2746.
The support person of the application he couldn't find any problem and asked concerning that error code - what i assumed he should be able to examine. When I talked to him on the phone, I found out that he doesn't know more about Chilkat than I do. He mentioned an interesting point, which need to be double checked: As far as he was informed from the user directly - or how he had understood it - the error doesn't show up, if the user chooses another "Mandant" (client) in the application and sends E-mails from there.
Can someone help identify the cause of the error?
SendEmail:
DllDate: May 25 2017
ChilkatVersion: 9.5.0.68
UnlockPrefix: WERNERMAILQ
Architecture: Little Endian; 32-bit
Language: Visual C++ 2017 (32-bit)
VerboseLogging: 0
sendEmailInner:
renderToMime:
createEmailForSending:
Auto-generating Message-ID
--createEmailForSending
renderToMime: Elapsed time: 0 millisec
--renderToMime
sendMimeInner:
ensureSmtpSession:
ensureSmtpConnection:
SmtpHost: smtp.office365.com
SmtpPort: 587
SmtpUsername: edith.beer#halten.ch
SmtpSsl: 0
StartTLS: 1
smtpConnect:
smtpHostname: smtp.office365.com
smtpPort: 587
connectionIsReady:
Need new SMTP connection
--connectionIsReady
smtpSocketConnect:
socketOptions:
SO_SNDBUF: 262144
SO_RCVBUF: 4194304
TCP_NODELAY: 1
SO_KEEPALIVE: 1
--socketOptions
--smtpSocketConnect
smtpGreeting:
readSmtpResponse:
SmtpCmdResp: 220 AM0PR02CA0163.outlook.office365.com Microsoft ESMTP MAIL Service ready at Mon, 23 Aug 2021 11:51:12 +0000
--readSmtpResponse
--smtpGreeting
startTLS:
sendCmdToSmtp:
SmtpCmdSent: EHLO EWGH-N-FV<CRLF>
--sendCmdToSmtp
readSmtpResponse:
SmtpCmdResp: 250-AM0PR02CA0163.outlook.office365.com Hello [213.221.219.37]
SmtpCmdResp: 250-SIZE 157286400
SmtpCmdResp: 250-PIPELINING
SmtpCmdResp: 250-DSN
SmtpCmdResp: 250-ENHANCEDSTATUSCODES
SmtpCmdResp: 250-STARTTLS
SmtpCmdResp: 250-8BITMIME
SmtpCmdResp: 250-BINARYMIME
SmtpCmdResp: 250-CHUNKING
SmtpCmdResp: 250 SMTPUTF8
--readSmtpResponse
sendCmdToSmtp:
SmtpCmdSent: STARTTLS<CRLF>
--sendCmdToSmtp
readSmtpResponse:
SmtpCmdResp: 220 2.0.0 SMTP server ready
--readSmtpResponse
clientHandshake:
clientHandshake2:
readHandshakeMessages:
WindowsError: Eine vorhandene Verbindung wurde vom Remotehost geschlossen.
WindowsErrorCode: 0x2746
maxToReceive: 5
Failed to receive data on the TCP socket
Failed to read beginning of SSL/TLS record.
b: 0
dbSize: 0
nReadNBytes: 0
idleTimeoutMs: 30000
--readHandshakeMessages
--clientHandshake2
--clientHandshake
Client handshake failed. (1)
connectionClosed: 0
Failed to establish TLS connection.
--startTLS
--smtpConnect
--ensureSmtpConnection
--ensureSmtpSession
--sendMimeInner
--sendEmailInner
Failed.
--SendEmail
--ChilkatLog
23.08.2021 13:48:27 -F- Beim Versand der Lohnabrechnung per Email an Mitarbeiter(in) Nadine Aeschlimann ist ein Fehler aufgetreten!
You are using an old version of Chilkat. Try testing with the latest version.
In the meantime we could solve it.
The reason was that the outgoing requests were blocked by the firewall. Strangely, a few of them went through, but not all. This is the reason why a network issue was initially not in the focus of our investigation.
From my raw server logs, I found these:
52.42.136.103 02/Aug/2016:17:58:12 GET /administrator/
54.234.186.225 03/Aug/2016:16:48:55 GET /administrator/
54.149.57.2 04/Aug/2016:18:40:55 GET /administrator/
52.40.119.32 06/Aug/2016:09:34:37 GET /administrator/
52.40.119.32 08/Aug/2016:06:02:45 GET /administrator/
The ip's all belong to Amazon Technologies (and I don't have an /admin directory).
I'm used to seeing that kind of random probe thing (/wp-admin, /wp-blog/, /dir, ... ) from Russia and Vietnam and so on, and I've always assumed there was some nefarious motive behind it. Is there? Why would Amazon be doing that? Is Jeff Bezos out of control?
Amazon itself is not crawling your site but more likely to be some of their EC2 users (i.e. rented servers on the cloud). See below for email address to contact Amazon if you think their users are doing something illegal or abusive
whois 52.40.119.32
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=52.40.119.32?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange: 52.32.0.0 - 52.63.255.255
CIDR: 52.32.0.0/11
NetName: AT-88-Z
NetHandle: NET-52-32-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 2015-09-02
Updated: 2015-09-02
Ref: https://whois.arin.net/rest/net/NET-52-32-0-0-1
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
PostalCode: 98109
Country: US
RegDate: 2011-12-08
Updated: 2014-10-20
Comment: All abuse reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref: https://whois.arin.net/rest/org/AT-88-Z
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: amzn-noc-contact#amazon.com
OrgTechRef: https://whois.arin.net/rest/poc/ANO24-ARIN
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: abuse#amazonaws.com
OrgAbuseRef: https://whois.arin.net/rest/poc/AEA8-ARIN
OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-266-4064
OrgNOCEmail: amzn-noc-contact#amazon.com
OrgNOCRef: https://whois.arin.net/rest/poc/AANO1-ARIN
I have found a few topics related to the same issues, but the solution for them was a miss-configuration of the smtp settings.
I am using symfony 3.0 and latest FOSUserBundle. My config settings are:
fos_user:
db_driver: orm
firewall_name: main
user_class: AppBundle\Entity\User
resetting:
email:
template: email/password_resetting.email.twig
registration:
form:
type: AppBundle\Form\RegistrationType
confirmation:
enabled: true
from_email:
address: registration#site.com
sender_name: 'Our Team'
swiftmailer:
transport: "%mailer_transport%"
host: "%mailer_host%"
port: "%mailer_port%"
username: "%mailer_user%"
password: "%mailer_password%"
spool: { type: memory }
I am able to send other emails from the same project, using the same swiftmailer settings.
I have checked the web developer tool and the email is prepared for sending
Web profiler - email area
The registration email is not received in the inbox or spam folders.
Could you let me know if I have missed anything in the configuration files that prevents the registration email from being sent?
Thanks,
Lucia
I found a solution for my problem. The registration email address had to be the same as the one used for the swiftmailer username settings. Having it set to a different email address did not work for me.
We had paypal setup all working for PayPal API and Payflow pro then we had to change from a Australian account to a UK account. But now the Pro side gives this error response. We've got limited access to the paypal account it self.
Partner: xxxxxxx Merchant Login(Vender): xxxxxxxxxxxx User: xxxxxxxxx
Password: xxxxxxxxxxxxxxxxxxx Host Address :payflowpro.paypal.com Host
port=443
This is the request we are sending to PayPal:
PARTNER=xxxxxxxx&VENDOR=xxxxxxx&USER=xxxxxx&PWD=xxxx&TENDER=C&TRXTYPE=R&ACTION=A&ACCT=xxxxXXXXXXXXxxxx&EXPDATE=xxxx&COMMENT1[16]=Regstration
- FS&START=02062014&TERM=0&CVV2=xxx&AMT=35.00&PAYPERIOD=MONT&MAXFAILPAYMENTS=0&RETRYNUMDAYS=2&PROFILENAME[14]=xxxxxxxxxxxxx&COMPANYNAME[2]=FS&NAME[12]=xxxx
xxxxxx&FIRSTNAME[6]=xxxxxx&LASTNAME[5]=xxxxx&PHONENUM=xx12345678&EMAIL[24]=xxxxxxxxxxxxxxxxxxxxxxxx&STREET[15]=xxxxxxxx
Street&CITY[7]=xxxxxxx&STATE[3]=NSW&ZIP=xxxx&COUNTRY=AU&OPTIONALTRX=S&OPTIONALTRXAMT=35.00
We are getting the following error response from PayPal:
RESULT=1000&RESPMSG=Generic processor error: 11581-Profile description
is invalid
Google has not really helped. I am hoping a few smart SO guys can assist.
Thank you,
Warren.
I have several WHOIS servers for which I want to have a single proxy. The proxy should forward requests to appropriate servers based on the data in the query. How to approach this problem?
Step 1 read the RFC for WHOIS
Step 2 implement a mock server with Net::Server
Step 3 implement the proxy using your mock server and Net::Whois::Proxy or some other WHOIS module
A quick scan of the RFC seems to say that it is just a simple text based protocol that expects one CRLF terminated line and then sends a blob of CRLF terminate lines and closes the socket.
Yep, it really looks that simple, given this code
#!/usr/bin/perl
{
package Whois;
use strict;
use warnings;
use parent 'Net::Server';
sub process_request {
my $request = <>;
print "you sent me $request";
}
}
Whois->run;
you can say
whois -h localhost -p 20203 foo.com
and get back
you sent me foo.com
Given the "high-load" tag, you will probably want to switch over to Net::Server::PreForkSimple personality when you are done with testing.
And just because I was bored:
#!/usr/bin/perl
package Whois {
use strict;
use warnings;
use parent 'Net::Server::PreFork';
use Net::Whois::Raw;
my %handler = (
org => "whois.publicinterestregistry.net",
);
sub process_request {
(my $request = <>) =~ s/[.]([^.]+)\x{0d}\x{0a}/.$1/;
print exists $handler{$1} ?
whois $request, $handler{$1} :
"I don't know where to look for $request\r\n";
}
}
Whois->run(
user => "nobody",
group => "nobody",
port => 43,
min_servers => 1, #min number of children
max_servers => 10, #max number of children
min_spare_servers => 1, #fork if we don't have this many waiting
max_spare_servers => 5, #kill if we have this many waiting
max_requests => 10_000, #num of requests before killing a child
);
which when I run
sudo perl whois.pl
and then
whois -h localhost foo.org
gives us
NOTICE: Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the Public Interest Registry
registry database. The data in this record is provided by Public Interest Registry
for informational purposes only, and Public Interest Registry does not guarantee its
accuracy. This service is intended only for query-based access. You agree
that you will use this data only for lawful purposes and that, under no
circumstances will you use this data to: (a) allow, enable, or otherwise
support the transmission by e-mail, telephone, or facsimile of mass
unsolicited, commercial advertising or solicitations to entities other than
the data recipient's own existing customers; or (b) enable high volume,
automated, electronic processes that send queries or data to the systems of
Registry Operator or any ICANN-Accredited Registrar, except as reasonably
necessary to register domain names or modify existing registrations. All
rights reserved. Public Interest Registry reserves the right to modify these terms at any
time. By submitting this query, you agree to abide by this policy.
Domain ID:D1608104-LROR
Domain Name:FOO.ORG
Created On:10-Jan-1995 05:00:00 UTC
Last Updated On:07-Mar-2011 00:26:43 UTC
Expiration Date:09-Jan-2012 05:00:00 UTC
Sponsoring Registrar:Fabulous.com Pty Ltd. (R133-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:fabwpp-000700385
Registrant Name:Domain Hostmaster, CustomerID : 85519846801225
Registrant Organization:Whois Privacy Services Pty Ltd
Registrant Street1:PO Box 923
Registrant Street2:
Registrant Street3:
Registrant City:Fortitude Valley
Registrant State/Province:QLD
Registrant Postal Code:4006
Registrant Country:AU
Registrant Phone:+61.730070090
Registrant Phone Ext.:
Registrant FAX:+61.730070091
Registrant FAX Ext.:
Registrant Email:85519846801225-959797#whoisprivacyservices.com.au
Admin ID:fabwpp-000700385
Admin Name:Domain Hostmaster, CustomerID : 85519846801225
Admin Organization:Whois Privacy Services Pty Ltd
Admin Street1:PO Box 923
Admin Street2:
Admin Street3:
Admin City:Fortitude Valley
Admin State/Province:QLD
Admin Postal Code:4006
Admin Country:AU
Admin Phone:+61.730070090
Admin Phone Ext.:
Admin FAX:+61.730070091
Admin FAX Ext.:
Admin Email:85519846801225-959797#whoisprivacyservices.com.au
Tech ID:fabwpp-000700385
Tech Name:Domain Hostmaster, CustomerID : 85519846801225
Tech Organization:Whois Privacy Services Pty Ltd
Tech Street1:PO Box 923
Tech Street2:
Tech Street3:
Tech City:Fortitude Valley
Tech State/Province:QLD
Tech Postal Code:4006
Tech Country:AU
Tech Phone:+61.730070090
Tech Phone Ext.:
Tech FAX:+61.730070091
Tech FAX Ext.:
Tech Email:85519846801225-959797#whoisprivacyservices.com.au
Name Server:NS1.HITFARM.COM
Name Server:NS2.HITFARM.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned
whois.publicinterestregistry.net
I'm no expert on whois, but Net::Whois::Proxy would seem to be what you want.