On Sat, 28 May 2016 11:58:07 -0400, Virus Guy wrote:
>At $dayjob, we place a file (an .exe file) on our website and direct a
>customer at an ivy-league new-england university to download the file.
>We put a link to the file in an email and send it to his university
>account.
>
>Our webserver logs indicate the following IP's made requests for the
>.exe file from our server at the times given:
>
>===================
>At 11:37 am:
>
>54.190.125.164 ec2-54-190-125-164.us-west-2.compute.amazonaws.com
>148.251.79.98 static.98.79.251.148.clients.your-server.de
>148.251.79.98 static.98.79.251.148.clients.your-server.de
>54.190.239.12 ec2-54-190-239-12.us-west-2.compute.amazonaws.com
>
>At 11:43 am:
>
>a.b.c.d Ivy-League University (we presume this is our customer)
>====================
>
>We then create a duplicate of the .exe file, but change the extension to
>.gif, and again send a link to the .gif to the customer via email. We
>then note the following hits to the .gif file:
>
>====================
>12:13 pm:
>
>54.145.149.186 ec2-54-145-149-186.compute-1.amazonaws.com
>148.251.79.151 static.151.79.251.148.clients.your-server.de
>148.251.79.151 static.151.79.251.148.clients.your-server.de
>54.188.241.212 ec2-54-188-241-212.us-west-2.compute.amazonaws.com
>=====================
>
>Because I've seen those IP's performing what I think are unauthorized
>access to our website in the past, I have them blocked from being able
>to download anything. So their attempts to download the file in
>question were denied.
>
>Also, either the customer at the University didn't get the second email,
>or didn't act on it (the logs don't show any attempt from an IP at the
>University to download the .gif file).
>
>We then perform a .zip compression on the gif file, and password protect
>the file. We send an email to the customer describing how to download
>the .zip file but don't actually spell out the URL to the file in the
>email.
>
>We don't see any attempt to download the .zip file. Again we don't know
>if the customer got this third email or not, but it appears that by not
>including the exact url in the email the amazon and "your-server.de"
>hosts were not made aware of the existence of this file (and hence made
>no attempt to download it).
>
>The next day we see the following:
>
>=================
>104.42.198.99 MSFT 15:58
>104.42.198.99 MSFT 16:01
>=================
>
>That IP does not resolve to any host-name, but the IP is assigned to
>Micro$haft. The request was for the .exe file (and the request was
>denied).
>
>So to me it looks like an email scanning security product is running
>either at the University or on the customer's PC, and this product is
>scanning email messages looking for URL's and is performing a remote
>access of the URL through a remote host(s), in this case machines
>operated by amazon and "your-server.de" (Hetzner Online GmbH).
>
>Does anyone know of such a security product or network security device
>that utilizes distributed access to remote systems hosted by amazon or
>hetzner?
>
>Also, any ideas about the nature of the hit to the file from an MSFT IP?
It COULD be scanning for malware. I suggest trying an
extension that could not possibly contain malware, and if they attempt
to download that, it's just plain spying/datamining your private
stuff.
WOW, that would be a surprise !!!
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
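The comparison the post does by hand (a burst of fetches from amazon and your-server.de hosts minutes before, or instead of, the recipient's own download) can be automated over the web server log. This is an added example, not the poster's code: it parses constructed log lines in a "time ip rdns path status" format (the scanner IPs and hostnames are the ones quoted above; the customer address 192.0.2.55, the customer domain example.edu and the paths are placeholders), groups hits by requested path and labels each path as a scanner prefetch, a real user download, or both.

```python
import re
from collections import defaultdict
from datetime import datetime
# rDNS suffixes the post attributes to the link-scanning hosts (amazon, Hetzner)
SCANNER_SUFFIXES = ("amazonaws.com", "your-server.de")
BURST_WINDOW_S = 300  # scanner hits on one path within 5 minutes form one burst

# Constructed sample log ("time ip rdns path status"); customer address and paths are placeholders
SAMPLE_LOG = """\
2016-05-27 11:37:02 54.190.125.164 ec2-54-190-125-164.us-west-2.compute.amazonaws.com /dl/tool.exe 403
2016-05-27 11:37:03 148.251.79.98 static.98.79.251.148.clients.your-server.de /dl/tool.exe 403
2016-05-27 11:37:03 148.251.79.98 static.98.79.251.148.clients.your-server.de /dl/tool.exe 403
2016-05-27 11:37:05 54.190.239.12 ec2-54-190-239-12.us-west-2.compute.amazonaws.com /dl/tool.exe 403
2016-05-27 11:43:10 192.0.2.55 mail-client.example.edu /dl/tool.exe 200
2016-05-27 12:13:01 54.145.149.186 ec2-54-145-149-186.compute-1.amazonaws.com /dl/tool.gif 403
2016-05-27 12:13:02 148.251.79.151 static.151.79.251.148.clients.your-server.de /dl/tool.gif 403
2016-05-27 12:13:04 54.188.241.212 ec2-54-188-241-212.us-west-2.compute.amazonaws.com /dl/tool.gif 403
"""
LINE_RE = re.compile(r"(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$")

def parse_log(text):
    """Parse the constructed log lines into dicts sorted by timestamp; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])

def classify_downloads(text, customer_domain):
    """Per requested path, separate a scanner prefetch burst from the recipient's own download."""
    by_path = defaultdict(list)
    for rec in parse_log(text):
        by_path[rec["path"]].append(rec)
    report = {}
    for path, recs in by_path.items():
        scanners = [r for r in recs if r["host"].endswith(SCANNER_SUFFIXES)]
        customer = [r for r in recs if r["host"].endswith(customer_domain)]
        burst = set()
        if scanners:  # distinct scanner IPs hitting within the window of the first scanner hit
            t0 = scanners[0]["ts"]
            burst = {r["ip"] for r in scanners if (r["ts"] - t0).total_seconds() <= BURST_WINDOW_S}
        user_ts = customer[0]["ts"] if customer else None
        verdict = ("prefetch_then_user" if burst and user_ts else "prefetch_only" if burst
                   else "user_only" if user_ts else "unclassified")
        # lead_seconds: gap between the first scanner fetch and the recipient's real download
        lead = int((user_ts - scanners[0]["ts"]).total_seconds()) if burst and user_ts else None
        report[path] = {"verdict": verdict, "scanner_ips": sorted(burst), "lead_seconds": lead}
    return report
```

A path that only ever sees scanner hits (like the .gif above) is the signal that the link was fetched by the mail-scanning infrastructure but never by the person it was sent to.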