On The Importance of Reverse DNS

Many people on the Internet have experienced strange things with those "xxxxx.phx.gbl"-domains, as part of sender-headers in email.

What some of my friends, my wife and me much more concerns is the fact that chat-messages, using the MSN-messenger protocol run through .phx.gbl domains in realtime, somekind of gateways, we think. It isn't a matter of chatsoftware you'e using (i.e. Miranda or the original MSN-messenger client or some other hybrid-chattools), that's for sure, as well as the fact that those strange things became actual since late 2005. The earliest post I've found about this topic is from November 2005, and I have researched this very, very carefully (google, alltheweb, yahoo, several meta-searchengines) ect..

.PHX.GBL or just .GBL (in this special case) doesn't seem to be a valid top level domain (TLD) (!)

There's just quite a lot of people out there, who are asking questions about it, since a couple of months. I have found some postings that assume .phx.gbl to have something to do with spiders, msn-bots or spam .. (?) Many have tried to trace back .gbl-origins, just got errors and servers, belonging to the .ARPA network as results in between themselves and .phx.gbl

Whatever covers behind those domain(s), having its origin somewhere in the 64.-IP range, I find it should clearly described what this is good for, why it is used, where and when exactly it has been registered.

Is .gbl a short version of "global"?

Who is the owner? MSN or some contractor?

Why doesn't have ANYBODY in the world written longer articles on the Internet about this already, not in german, english, french or spanish? .. As I have mentioned: I checked this out carefully.

If there's no satisfying answers to all this SOON I'm going to set up a whole website about this and write at least 100 articles, starting on the world's largest online newspaper-forums in 4 different languages. Feel free and email me if you found out more.

Greets,
Steven. (May 20, 2005)

Interesting post!! I bumped into when trying to find out what PHX.GBL was. Like the person that commented, I am surprised by the lack of info out there on this.

I'm really getting intrigued by this phx.gbl too. The earliest reference I found on the net is from a posting on http://www.experts-exchange.com/Networking/Q_21482770.html, but that is a paid service so I didn't get to see any answers. As you all found out already the domain seems to be used a lot in references to newsgroup and mailing list articles.

In my web log files the domain sticks out because it has approximately the same number of page accesses as hits, a typical sign of a robot/spider.

I've also seen phx.gbl in message ids of messages sent through hotmail, eg:

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Thu, 13 Jul 2006 02:33:47 -0700
Message-ID: <BAY103-F4F8E2BA80472462866982AC6E0@phx.gbl>
Received: from nnn.nnn.nnn.nnn by by103fd.bay103.hotmail.msn.com with HTTP;
	Thu, 13 Jul 2006 09:33:43 GMT

I track visits to my website pages by IP on a page by page basis. A number of phx.gbl IP record views: usually at a rate of one page per second. But the activity doesn't seem to be crawling.No following links, nor visiting new pages as opposed to old.

Glad to know I'm not the only one puzzled by this MS domain weirdness.

hello phoenix dot global hunters, ;)

this is from the access_log of a new domain registered ten days ago:

bl1sch4061111.phx.gbl - - [24/Sep/2006:03:41:40 +0200] "GET /robots.txt HTTP/1.0
" 200 - "-" "msnbot-media/1.0 (+http://search.msn.com/msnbot.htm)"
bl1sch4061111.phx.gbl - - [24/Sep/2006:03:41:41 +0200] "GET / HTTP/1.0" 200 1165
7 "-" "msnbot-media/1.0 (+http://search.msn.com/msnbot.htm)"

..a crawler it is alright, but it does not follow any of the links and this was the only visit so far. about the odd tld, maybe ms corp is trying to introduce a new tld by itself?

what happened to steven's media campaign? i proposed that the issue should be included in wikipedia: http://en.wikipedia.org/wiki/Talk:Alternative_DNS_root

cheers

It looks like Microsoft has been toying with their DNS Resolving :-)



For Example, when I'm logged in to MSN I see this in my netstat:

TCP erwin:4484 by2msg2204912.phx.gbl:1863 ESTABLISHED



When I ask a 'netstat -an' I get this:

TCP 192.168.123.200:4484 207.46.111.86:1863 ESTABLISHED



When I lookup the IP via nslookup I get this:


Name: by2msg2204912.phx.gbl

Address: 207.46.111.86



My question remains; why? Why would Microsoft do this? It also comes back in every Hotmail E-mail header..



Greets,

Erwin

Looks like they're changed now, but I still see phx.gbl in hotmail email headers.
113.8.4.64.in-addr.arpa domain name pointer livebot-64-4-8-113.search.live.com.

I've seen this too - caught MSN Messenger connecting to one of these babies:

$ host 207.46.108.36
Name: by1msg4176104.phx.gbl
Address: 207.46.108.36

$ whois 207.46.108.36

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 207.46.0.0 - 207.46.255.255
CIDR: 207.46.0.0/16
NetName: MICROSOFT-GLOBAL-NET

etc. etc.

I think the reason is to strenght the difficulty to block their addresses in order to control their services like msn messenger.

Here's the line from my netstat...
TCP puter:1413 by2msg2204708.phx.gbl:1863 ESTABLISHED

This occurs whenever I login to MSN Messenger. I also get connected to..

TCP puter:1440 host-65-119-205-137.tvpath.com:http CLOSE_WAIT

Which was causing me some concern because who is tvpath.com. I checked whois.sc and don't understand the connection between tvpath and microsoft messenger but whenever i connected with messenger it wants to connect. so i entered 127.0.0.1 tvpath.com in the host file. see if that prevents it from connecting.

this is quite the ???

Hi, i am looking into the phx.gbl domain too.

Just for reference, http://www.experts-exchange.com/Networking/Q_21482770.html doesn't give any answer. They use to have good answers, but here they ended up asserting it was fake, as there isn't a root record for this domain.

There is very little information about it. Yours is one of the little. Thank you. Worse, there's a lot of junk on searches as it is appearing on mail headers of not-related topic.

One answer suggested on another page was it being a fake TLD used on the internal msn network (thus no resolving from outside). However, i wonder assuming it's right why they chose this domain, instead of another much clearer and shorter like .msn

And if .gbl means global, what does phl stand for? People Hating Love? If using an inexistant TLD, why make it a second level gbl? Might be that they want to create it using the method Microsoft has used for so many standards: do it, then present it as standard ? Would be quite odd...

PS: Please send me the news / that website.

These address are being used Turkish Hackers to hack websites. I have confirmation, even managed to get the root of one of the hacker and now have his msn addy, I am contacting microsoft as we speak, These addresses do not belong to microsoft, Im assuming these script kiddies have there own lil phone system rig, thus the oddball pbx naming convention.

Beware of BodyguarD@msn.com

found on ips

by1msg4082317.phx.gbl:1863
by1msg4276308.phx.gbl.1863

by2msg2132816.phx.gbl:1863
by1msg4082115.phx.gbl:1863
by1msg4276308.phx.gbl:1863

using port 1863 i was able to confrim the tuskish hacker.

He uses a cookie sploit to access php sql driven sites to insert his own admin information, while the table was easy enough to truncate and remake a super admin, hes affected over 40 websites.

Try: http://www.completewhois.com/invalidwhois/index.htm