Jump to content

mx1.hotmail.com False Positive


RDLTech
 Share

Recommended Posts

Looks like Malwarebytes is blocking just the MX record, not the A, NS or anything else, it is

easy enough to prove to yourself.

Simply open a command prompt

type nslookup mx1.hotmail.com, you will see it return a 127.42.x.x.

close malwarebytes, clear cache on the PC by ipconfig /flushdns,

run nslookup mx1.hotmail.com and it works normally.

This is causing emails to hotmail to be blocked.

Thank you for investigating.

RDLTech

Link to post
Share on other sites

This will help: I attached the log also

this is the dns request copy.paste with malwarebytes running, scroll down to bold area, after closing malwarebytes, clearing cache and

doing nslookup again is in bold.

 

Response received from 127.0.0.1:

Authoritative response (AA): No
Recursion available (RA): Yes
Truncated (TC): No

Answer section:
A-record for mx1.hotmail.com:
    IP address: 127.42.0.19
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.18
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.17
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.16
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.15
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.14
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.13
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.12
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.11
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.10
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.9
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.8
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.7
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 127.42.0.6
    TTL = 1800 (30 minutes)

Additional section:
EDNS0 options:
    UDP payload size: 1280
    DNSSEC OK (DO flag): No
 

Without Malwarebytes running on the DNS server, and exchange 2010 server.

Response received from 127.0.0.1:

Authoritative response (AA): No
Recursion available (RA): Yes
Truncated (TC): No

Answer section:
A-record for mx1.hotmail.com:
    IP address: 207.46.8.167
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.37.72
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.33.119
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.92.168
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.37.104
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 134.170.2.199
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.92.152
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.33.135
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 207.46.8.199
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.54.188.110
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.54.188.94
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.37.88
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.54.188.72
    TTL = 1800 (30 minutes)
A-record for mx1.hotmail.com:
    IP address: 65.55.92.136
    TTL = 1800 (30 minutes)

Additional section:
EDNS0 options:
    UDP payload size: 1280
    DNSSEC OK (DO flag): No

 

protection-log-2016-10-05.zip

Link to post
Share on other sites

  • Staff

Hello RDLTech,

Unfortunately, there are no detections in the logs.

Please keep in mind that Malwarebytes Anti-Malware does not support any server OS at this time.

From this link -

Software Requirements
Windows 10 (32/64-bit)
Windows 8.1 (32/64-bit)
Windows 8 (32/64-bit)
Windows 7 (32/64-bit)
Windows Vista (Service Pack 1 or later, 32/64-bit)
Windows XP (Service Pack 2 or later, 32-bit only)
Internet Explorer 6 or newer

Do you get any notifications from MBAM when you try to contact *.hotmail.com?

Edited by Dashke
Link to post
Share on other sites

Sorry for the delay. I can't reproduce this block thus far. We're not blocking the hostname, parent nor the IPs it resolves to.

An NSLookup for it here (checked on 4 different machines) shows the results correctly;

> mx1.hotmail.com.
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    mx1.hotmail.com
Addresses:  65.55.37.104
          207.46.8.167
          65.54.188.72
          65.55.37.72
          65.55.33.135
          65.55.33.119
          65.55.92.136
          207.46.8.199
          134.170.2.199
          65.55.92.168
          65.55.92.152
          65.54.188.110
          65.54.188.94
          65.55.37.88

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.