RE: /instmsg/alias/annoying_web_logs ;)

["Shawn K. Hall (RA/Security)" <Security () ReliableAnswers com>]

Hi Dave,

> I get billions of these things too, its part of some
> MSN groups/chat thing, essentially it takes requests
> the "alias" of the email address (dave () immunitysec com
> => /instmsg/alias/dave). Might be fun to send back
> some looooong responses ;) My favorites are all the
> ones that originate from microsoft "tide"
> addresses... They send me some funny referrers from
> their intranet servers once in a while too.

What you're seeing is actually from Exchange. It serves as a
instant messaging service available through Outlook 2000 and
2002 when used in corporate mode with Exchange to provide
variable access methods to contact an individual. The request
itself is a "discovery" request to determine whether your server
'supports' instant messaging via Microsoft's protocol(s). The
reason you get them at "/instmsg/alias/dave" is because someone
that uses one of those clients added you to their address book,
which then triggered their exchange server to poll your server
(based on your email address) to see if it supported that
protocol.

There is a 'loosely' supportive list of the headers required to
support this protocol on alternate platforms if you are
interested. It functions via SOAP - sending xml headers within
the request that identify certain behavioral properties. The
specs are available at MS' website under the services listing.

Oh - and since it is an Exchange function - it's not only
clients that would likely be vulnerable, but Exchange Server,
too.

Regards,

Shawn K. Hall
http://ReliableAnswers.com/