.phx.gbl

After doing my monthly round of Windows updates today, I did my usual monitoring and something rather odd caught my eye. MSN Messenger was connected to a dubious-looking address, by2msg1104216.phx.gbl:1863. .gbl is not a registered TLD that I know of. Worried at this point that my system security had been compromised and the connection hijacked, I pulled the plug on MSN Messenger.

Curious, I performed an nslookup, but the address couldn’t be resolved. I proceeded to Google the domain. The results were scant, with 2 useful articles turning up. This did, however, quell my fears, as it appears the domain is tied to MS, but it opened up a whole new level of conspiracy.

The article here (http://artific.com/articles/2005/12/27/a_practically_u/) and some comments mentioned that various blocks of IP addresses on the 64.4.8.0 and 207.46.0.0 networks resolve to the .phx.gbl domain. Another sighting was reported at this site (http://www.zenatode.org.uk/ian/internet/hotmail.xhtml) too. The users there were pretty bewildered by the whole incident as well.

Reconnecting to MSN Messenger, this time with both TCPView and Ethereal running, I observed MSN Messenger connecting again, to the dubious-looking address by1msg3275914.phx.gbl. Ethereal revealed the IP from the packet header as 207.46.107.88.

A reverse DNS lookup on dnsstuff.com (http://www.dnsstuff.com/tools/ptr.ch?ip=207.46.107.88) confirmed that the IP in question did indeed resolve to by1msg3275914.phx.gbl.

For the less technically inclined, the situation is this: the IP resolves back to the name (A = B), but the name does not resolve forward to the IP (B != A).
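A check that automates the lookups above, added here as an example and not part of the original post: reverse-resolve the peer IP, then forward-resolve the name that comes back and see whether it returns the same IP (forward-confirmed reverse DNS). The lookup functions are parameters so the post's own observation can be replayed offline from a constructed table; the example.com names and the 192.0.2.x / 198.51.100.1 addresses are invented sample data.

```python
import socket

def live_ptr(ip):
    """PTR lookup: IP -> hostname, or None when the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_forward(name):
    """A lookup: hostname -> list of IPv4 addresses ([] when it does not resolve)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def check_peer(ip, ptr_lookup=live_ptr, forward_lookup=live_forward):
    """Does the name in the PTR record resolve back to the same IP?
    This is the A = B / B != A question the post is asking."""
    name = ptr_lookup(ip)
    if name is None:
        return {"ip": ip, "name": None, "forward": [], "status": "no-ptr"}
    forward = forward_lookup(name)
    if ip in forward:
        status = "forward-confirmed"   # A = B and B = A
    elif forward:
        status = "ptr-mismatch"        # name resolves, but to other IPs
    else:
        status = "ptr-only"            # the post's case: name exists only in reverse DNS
    return {"ip": ip, "name": name, "forward": forward, "status": status}

# Constructed replay table (sample data, not live lookups): the phx.gbl entry
# mirrors the post's own observation; the example.com entries are invented.
PTR_TABLE = {
    "207.46.107.88": "by1msg3275914.phx.gbl",
    "192.0.2.5": "mail.example.com",
    "192.0.2.9": "www.example.com",
}
FORWARD_TABLE = {
    "mail.example.com": ["192.0.2.5"],
    "www.example.com": ["192.0.2.99"],   # PTR name points somewhere else
}

def table_forward(name):
    return FORWARD_TABLE.get(name, [])

def replay():
    """Run the check over the constructed table plus one IP with no PTR; returns {ip: status}."""
    ips = list(PTR_TABLE) + ["198.51.100.1"]
    return {ip: check_peer(ip, PTR_TABLE.get, table_forward)["status"] for ip in ips}
```

Calling check_peer with its default arguments runs the same classification against the system resolver, so a live "ptr-only" result means the name is only known in reverse DNS, exactly what the post saw.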

No one could fathom why MS would do such a thing, but the bigger question here is: why choose .phx.gbl instead of something more recognizable, and what do phx and gbl actually stand for? I sense an elaborate conspiracy.

[Further comments on this post have been disabled on Dec 21, 2011]


27 thoughts on “.phx.gbl”

  1. The above phx.gbl was sent in a message header from an obvious phishing scam. They requested returned email be sent to a Czech domain. This same email contained a “microsoft” link that I am pretty sure is false because they use the old Microsoft symbol on it. Just a heads up.

  2. What’s the purpose of an org like ICANN, who oversees the creation and use of TLDs, if a troop like MS can just create their own? I’m not objecting to a TLD like .GBL (Dot Global), but then please do follow established procedures. The internet is based on all participants following the set RFCs.

  3. A note about .gbl not being a registered TLD. Back in 2001 there was a TLD .con, where every address (*.con) went to the same webpage which was “Con’s Home Page”. So obviously it’s possible to get an unregistered TLD if you pull some strings.

    But creating a TLD out of thin air is stupid; once one person does it, another will. Then the whole set of regulations starts to fall apart.

  4. I’m surprised nobody else has taken the time to put out the conspiracy theory fires. PHX.GBL is the domain that all of Microsoft’s internet-facing servers (in the US, at least) are joined to. MSN, Hotmail, MSN/Live Messenger, Live Search/Bing are all hosted on servers in this domain. I don’t know why connections to Messenger go straight through to .phx.gbl, since everything else is forwarded through their walls of F5s.

  5. I just got sent a funky email suggesting I update my hotmail account data via REPLY or have my account shut down… I did a source check and found …@phx.gbl embedded in the mail.

  6. Nope, phx.gbl stands for phoenix global intelligence. http://en.wikipedia.org/wiki/Phoenix_Global_Intelligence_Systems Yeah, it is the U.S. government’s spy service. And they use it to monitor and watch people through messenger. Be careful, it came up on my computer but as 10.7.something.100 and it does not resolve, it is a blackhole. Don’t answer the emails or anything if Messenger is connecting to it, they are spying on you.

  7. I telnetted into mail.messaging.microsoft.com and spoofed an email to my Live account (“Live” as in hotmail) and entered my working gmail account as the sender. I then logged into my Live account and replied to the spoofed email. The message did make it back to my gmail account, and when viewing the headers of that message, the Message-ID looked like this, “SNT131-w1006837E873BE5F2BEE432C2230@phx.gbl”. I googled phx.gbl and stumbled on this thread. Phx.gbl must be somehow tied to Microsoft as it was their mail server, mail.messaging.microsoft.com, that I originally sent my spoofed email from.

  8. I have been cyber stalked by a user/users who use this TLD…phx.gbl…I have contacted RCMP, Windows Live Support, Windows Live Abuse, I hired a private investigator..

    I am looking for help in resolving this issue. Everything that I have read here makes perfect sense about the arrogance with which the users believe they will never be caught…

    X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9Mg==
    X-Message-Status: n:0
    X-SID-PRA: mike mcclinton
    X-SID-Result: Pass
    X-AUTH-Result: PASS
    X-Message-Info: JGTYoYF78jFDl0xlLugtaVEb1XPrN3hMxah1Soq8ROPmnHoHQEL5e97Guv5HsBxsxnGAKmDbnikwY1yGUsEKYhmhcWcjrFBe
    Received: from bay0-omc1-s26.bay0.hotmail.com ([65.54.190.37]) by bay0-hmmc2-f20.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Mon, 5 Apr 2010 12:32:11 -0700
    Received: from BAY140-W19 ([65.54.190.61]) by bay0-omc1-s26.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
    Mon, 5 Apr 2010 12:31:23 -0700
    Message-ID:
    Return-Path: muscleman73@hotmail.com
    Content-Type: multipart/alternative;
    boundary="_a276291b-6abe-4ed3-837f-789c578db882_"
    X-Originating-IP: [172.129.80.224]
    From: mike mcclinton
    To:
    Subject:
    Date: Mon, 5 Apr 2010 15:31:23 -0400
    Importance: Normal
    MIME-Version: 1.0
    X-OriginalArrivalTime: 05 Apr 2010 19:31:23.0818 (UTC) FILETIME=[93AE08A0:01CAD4F6]

    --_a276291b-6abe-4ed3-837f-789c578db882_
    Content-Type: text/plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    you called the dumb frenchmen at 3:25 pm today … your phone is tapped ..=
    .. you asked for Ken Smith .. you are too much slut … your phone is tappe=

  10. 67.69.254.243

    OrgName: Bell Canada
    OrgID: LINX
    Address:
    City: toronto
    StateProv: ON
    PostalCode: K1G-3J4
    Country: CA

    NetRange: 67.68.0.0 - 67.71.255.255
    CIDR: 67.68.0.0/14
    NetName: BELLNEXXIA-11
    NetHandle: NET-67-68-0-0-1
    Parent: NET-67-0-0-0-0
    NetType: Direct Allocation
    NameServer: TOROON63NSZP05.SRVR.BELL.CA
    NameServer: TOROONDCNSZS05.SRVR.BELL.CA
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2002-04-18
    Updated: 2006-11-21

    OrgAbuseHandle: ABUSE1127-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-877-877-2426
    OrgAbuseEmail: abuse@bellnexxia.net

    OrgAbuseHandle: ABAI1-ARIN
    OrgAbuseName: Abuse Business abuse issues
    OrgAbusePhone: +1-877-877-2426
    OrgAbuseEmail: abuse@bellnexxia.net

    OrgTechHandle: SYSAD1-ARIN
    OrgTechName: NOC technical Support
    OrgTechPhone: +1-800-565-0567
    OrgTechEmail: inoc@bell.ca

    # ARIN WHOIS database, last updated 2010-04-21 20:00

  11. I am trying to post another document but it will not come up… this is part of it:

    Identification Report
    muscleman73@hotmail.com
    Computer 172.129.80.224 has been found. There is a good chance that it is located in or around Washington, DC, USA as systems nearby are known to be located in this area. The organization or individual who manages the system is located in [America], but this can be a distance away from the location of the system itself
    • The sender IP is – 172.129.80.224
    • The sender of this email appeared to have the address muscleman73@hotmail.com. This information is easily faked so should not be treated as conclusive.
    This is valuable data when tracking the end location because it helps qualify the actual final position. In some instances the final location has been derived from the network registration details, which is often the head office location for the Internet Service Provider (ISP). The ISP location is often local to the destination traced, but sometimes also located elsewhere, particularly in the case of large national ISPs. The physical (authoritative) locations of systems in last 2 or 3 hops of the route provide helpful location information as they are often in the vicinity of the destination being traced. Authoritative locations are shown in bold, locations derived from registration details appear in italic.

  12. Network Owner Information Domain Owner Information

    OrgName: America Online
    OrgID: AOL
    Address: 22000 AOL Way
    City: Dulles
    StateProv: VA
    PostalCode: 20166
    Country: US

    NetRange: 172.128.0.0 - 172.191.255.255
    CIDR: 172.128.0.0/10
    NetName: AOL-172BLK
    NetHandle: NET-172-128-0-0-1
    Parent: NET-172-0-0-0-0
    NetType: Direct Allocation
    NameServer: DAHA-01.NS.AOL.COM
    NameServer: DAHA-02.NS.AOL.COM
    NameServer: DAHA-07.NS.AOL.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2000-03-24
    Updated: 2003-08-08

    RTechHandle: AOL-NOC-ARIN
    RTechName: America Online, Inc.
    RTechPhone: +1-703-265-4670
    RTechEmail: domains@aol.net

    OrgAbuseHandle: AOL382-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-703-265-4670
    OrgAbuseEmail: abuse@aol.net

    OrgNOCHandle: AOL236-ARIN
    OrgNOCName: NOC
    OrgNOCPhone: +1-703-265-4670
    OrgNOCEmail: noc@aol.net

    OrgTechHandle: AOL-NOC-ARIN
    OrgTechName: America Online, Inc.
    OrgTechPhone: +1-703-265-4670
    OrgTechEmail: domains@aol.net

    # ARIN WHOIS database, last updated 2010-04-20 20:00
    The following information describes the organization or individual who registered the domain name aol.com. There can be many domain contacts however Corporate and Administrator are usually the best contact references.

    Domain Name………. aol.com
    Creation Date…….. 1995-06-22
    Registration Date…. 2009-10-03
    Expiry Date………. 2010-11-24
    Organisation Name…. AOL LLC
    Organisation Address. 22000 AOL Way
    Organisation Address.
    Organisation Address. Dulles
    Organisation Address. 20166
    Organisation Address. VA
    Organisation Address. UNITED STATES

    Admin Name……….. Domain Admin
    Admin Address…….. AOL LLC
    Admin Address…….. 22000 AOL Way
    Admin Address…….. Dulles
    Admin Address…….. 20166
    Admin Address…….. VA
    Admin Address…….. UNITED STATES
    Admin Email………. domain-adm@corp.aol.com
    Admin Phone………. +1.7032654670
    Admin Fax…………

    Tech Name………… DNS Admin
    Tech Address……… AOL LLC
    Tech Address……… 22000 AOL Way
    Tech Address……… Dulles
    Tech Address……… 20166
    Tech Address……… VA
    Tech Address……… UNITED STATES
    Tech Email……….. domains@aol.net
    Tech Phone……….. +1.7032654670
    Tech Fax………….
    Name Server………. DNS-02.NS.AOL.COM
    Name Server………. DNS-01.NS.AOL.COM
    Name Server………. DNS-07.NS.AOL.COM
    Name Server………. DNS-06.NS.AOL.COM

  13. Rosebrier, there’s not very much to go on based on that. So far, the general consensus seems to be that .phx.gbl is the top-level domain used by Microsoft. There’s nothing conclusive about the information you have obtained, other than that said person made use of Hotmail to send you that email. I wish I could shed more light, but I’m afraid I can’t.

  14. Someone has suggested that phx.gbl be included in the Wikipedia entry about pseudo-top-level domains, but it needs someone to come forward with a reliable source of information – right now it is just speculation.

  15. Friday, July 08, 2011 7:39 AM
    Windows Live Maribel P
    Hi rosebrier,

    Thank you for bringing this to our attention; we will let our Engineering Department know about this. With regards to the phx.gbl, we still need to check on that for you.

    Thanks!

  16. The above post is from a thread on the Windows Live Solution Centre. …I do not accept the statement that you make … “(So far, the general consensus seems to be that .phx.gbl is the top level domain used by Microsoft)”.

    I believe that the phx.gbl is in fact the phoenix global intelligence…

  17. Here is my message ID: (story below)
    BLU153-w4854A0182C4E80149B447EA3450@phx.gbl

    Well, there is a lot here, going back for a while…
    I stumbled here Googling “phx.gbl” because someone scammed all the addresses from my Messenger’s address book and has sent spams, spoofed as me, on these following dates:
    Today (obviously), July 4th, June 13th, 12th, 3rd, 2nd, and a few times before I realized the repetition. Each time I go bonkers, writing emails to anyone I can associate with the info the message headers. VERY frustrating to say the least.
    …the only reason I found out was all the bounce-backs I receive, because many addresses are many, many years old and I had stopped actively using the account for years before this crap happened. The only activity on this account in the last 5 years was the subscription to MSN Messenger, as a requirement for a job I was working at. The job ended nearly 2 years before this crap started. I’ve NEVER had a computer virus in 15 years and I don’t spam. I barely email, as I am old-fashioned and prefer conversation via voice and/or in person. I am one of the least likely to get spoofed, as I minimize my exposure on the Internet and I have been VERY aware and protective of my identity (real-world and Internet), so I have ruled out all other means of the spoofer aside from one.
    MSN Messenger.
    …bastards…

  18. This phx.gbl is sending out emails to all of my contacts. I am not logged in to my email, nor is my computer even on. And all of the emails have links to things I don’t / have never visited (porn sites, viagra sites, etc, etc). This started about 2 weeks ago. I am very cautious about where I browse, what I open up, etc. It is to the point that I deleted all of my contacts in the hope it will stop these emails from going out. Virus scans, with current pattern, are not turning up anything. Below is a sample of the email address. It changes after the BAY165 each time. The originating IP is the same, which shows some place in Canada with a service provider of SHAW.

    BAY165-w167B594E3132D885DE5562A84D0@phx.gbl
    X-Originating-IP: [24.70.51.180]

  19. Hello,
    Since posting on this forum about phx.gbl, I have been in communication with Windows Live Support. Here is a copy and paste of some of the responses; please follow this link for the thread:
    http://www.windowslivehelp.com/thread.aspx?threadid=d5aa50ec-8dda-482f-86fd-af1f90743d2a&page=1
    Hi rosebrier,

    If you have noticed, this phx.gbl only appears if a sender is a Hotmail/Live/MSN user. Upon researching, this is a part of a message ID, which is a unique identifier for a digital message, most commonly a globally unique identifier used in email. Message-IDs are required to have the same format as an email address and to be globally unique.

    Hope this helps.

    Thanks!

    Windows Live Charles L.

    Windows Live Mark Francis A.
    Hi rosebrier,

    I’d like to inform you that phx.gbl is a feature of old MSN that filters incoming messages but this has been decommissioned already.

    For instructions on how to report abuse or spam in Windows Live Hotmail, please click here.

    Thanks,
    Windows Live Mark Francis A.
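The recurring finding in comments 8, 17, 18 and 19 is that phx.gbl appears in the Message-ID of mail generated by Hotmail/Live, whatever the From line claims. Added example, not code from the post or from Windows Live: a small header triage that separates the Message-ID domain from the originating and relay IPs, since only the latter belong in an abuse report. The raw headers are a constructed sample modelled on the ones pasted above (relay names and IPs copied from them); the Message-ID, addresses and originating IP are invented.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers quoted in the thread: the relay
# names and IPs are copied from the posted headers, the Message-ID, addresses
# and originating IP are invented for this example.
SAMPLE_HEADERS = """\
Received: from bay0-omc1-s26.bay0.hotmail.com ([65.54.190.37]) by bay0-hmmc2-f20.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
  Mon, 5 Apr 2010 12:32:11 -0700
Received: from BAY140-W19 ([65.54.190.61]) by bay0-omc1-s26.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
  Mon, 5 Apr 2010 12:31:23 -0700
Message-ID: <BAY140-W19EXAMPLE000000000000000000000@phx.gbl>
X-Originating-IP: [192.0.2.10]
From: Example Sender <sender@example.com>
To: recipient@example.net
Subject: constructed sample

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def triage(raw):
    """Pull the fields that matter for an abuse report out of raw headers."""
    msg = message_from_string(raw)
    msgid = msg.get("Message-ID", "")
    # RFC 5322 3.6.4: the part after '@' names the host that generated the ID.
    # For Hotmail/Live mail that is phx.gbl; it says nothing about the sender.
    msgid_domain = msgid.strip("<> ").rpartition("@")[2]
    m = IP_RE.search(msg.get("X-Originating-IP", ""))
    originating_ip = m.group(1) if m else None
    # Each hop prepends its Received header, so reverse to get transit order.
    relay_ips = []
    for hop in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hop)
        if m:
            relay_ips.append(m.group(1))
    return {
        "message_id_domain": msgid_domain,
        "originating_ip": originating_ip,
        "relay_ips": relay_ips,
        # what to quote in an abuse report: the client IP, else the first relay
        "report_ip": originating_ip or (relay_ips[0] if relay_ips else None),
    }
```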

  20. Windows Live Joey D.
    Hi rosebrier,

    The phx.gbl is a Microsoft internal domain. We can’t really disclose too much information about this for security reasons.

    About the accounts being used to harass you, you can report them to our abuse team. You need to provide a copy of their abusive email. These accounts will be put on suspension pending investigation and depending on the results, they can be permanently closed.

    This is the only help that we can extend to you as far as finding help from the forum is concerned. We can’t track the person behind the accounts for you. What you can do is report this to your local authorities. If the authorities think there’s a need to obtain information from us, then they will have to formally submit some legal documents, and everything from there on is an entirely different process which we don’t have access to.

    You can reach our abuse team at abuse@hotmail.com

    Thanks!

    Joey


  21. Don’t you know there are ISPs or domain redirect service companies that allow you to call yourself anything? They supply you with a DNS name that resolves only on their DNS servers. This in effect hides your true location, and yes, the Gov and everyone else that needs that uses it also. When you use Internet e-mail you put your contacts on someone else’s servers, and if you read the fine print, “We reserve the right to change these rules whenever we want”. Use a more secure e-mail program like Outlook 2007 while it still works. The cloud software just wants your info on a server anyone can get who has the bucks. Relax, the Romans did and look what happened to them.
