Is this normal? Mailstore backup going through a 3rd party

Hi, I use mailstore to backup my hotmail using IMAP. This works fine but today outlook blocked access to IMAP saying the activity was suspicious.

What’s happening is that when Mailstore is trying to log into my hotmail account the request is coming from an unknown IP in another country.

Is this normal? Why would the request not be coming from my own IP address and instead coming from someone else in a different country?
Or am I overlooking something obvious !?

Hello,

MailStore connects directly to the configured server, there are no third party servers involved (from MailStore’s perspective).

If you are using tor, a VPN or internet security product they could cause the described symptoms. Outside of that I would recommend revoking all app-specific passwords and setting up a fresh password for MailStore (and any other services, as needed).

Hi David, many thanks for the reply, I’m using a PC with Windows and Mailstore Home and not using anything like a VPN, Tor or anything similar. Mailstore works and updates fine but my mail provider access logs show the IP address that is being used to access the server at the time of archiving is definitely not mine.
Sometimes a US IP, sometimes a Chinese IP.
Are you 100% certain that Mailstore on my pc should be contacting my mail server directly and not going through anything else first?
I can’t see how this could be happening otherwise, I guess I can set it up on a different PC with a fresh install and see if the same thing happens?
Many thanks

@andy1
Sorry to interject but your symptoms are worrisome…

Yes - speaking for @Dave - if I may — He is 100% certain.
Any deviation is problematic.
It means your connection is being intercepted and diverted to the foreign server.
I’m hinting at the fact that you may have been hacked…

Follow his advice and start fresh with a new password for your mail account.
Who is the mail provider? Do they require app-specific passwords?

Yes, you could do that, but if your connection to the mailserver is compromised
you will see the same errant behaviour.
See if your ISP can help you detect the infringement.

Clear all your cookies and history from your browser or scrutinize the entries before you clear.
Do a search for installed malware on your hard drive. Scan with an AV or anti-malware program.
Exclude your MSH archive.

Good luck.

Peter E.

Thanks Peter, the mail server is outlook, but I also backup mail from an account at apps.rackspace.com and the same thing happens.
I will start fresh with a different pc on a different ISP with new passwords and check everything is fine and if so work backwards from there.
It is strange though, it backs up perfectly but the accessing IP is not mine. I can’t see how it could be being intercepted unless the actual mailstore program has been infected with something, all other traffic from my pc that I can check shows my correct IP.
I only noticed because outlook blocked it saying the IP was suspicious and asking me to confirm.
Many thanks

ah I just found this…

https://answers.microsoft.com/en-us/outlook_com/forum/all/unusual-account-activity-from-ms-ip-addresses/974cc1c1-232f-44a2-b0eb-0f378fd2c801

maybe nothing to worry about then? strange it happens with the apps.rackspace server also

Hi @andy1

Thanks for your previous replies.
Good sleuthing to find the MS answers thread. I didn’t have more time to go further
because I had to get some sleep.

Good thing it turns out not to be malicious activity because what I described also happens.
In that case the foreign entity has full access to your mail account and can do with the information
what it wants.
Fortunately the “hacker” is MS itself haha…

It sure upset a lot of people incl. you.
You shouldn’t get the warning that your actions are suspicious.
MS acts (behaves) like a stealth hacker and then complains about its own actions haha

Let them sort it out, but keep an eye out for updated news about this.

I suspect that the apps rackserver is also connected to MS

Peter E.

Thanks Peter, I hadn’t thought that rackspace could be using the same backbone but that would make sense, I will try to find out !

Quick update: Rackspace say the 3rd party IP is nothing to do with them and is suspicious activity, but I’m not sure they fully understood. It seems too coincidental that it started at the same time as the Microsoft issue, which we now know is a MS issue. Hmmmm

The mystery IP’s are all in this range…
https://www.ip-tracker.org/lookup/whois.php?query=172.27.255.9
but I don’t really understand what this company does.

All I can think is to set up a fresh Rackspace email on a different PC using a different ISP and use a different software to access IMAP and see if the 172.* IP still shows up

Hi @andy1.
Thanks for all your feedback.
I’m not familiar enough with rackspace to add any meaningful comments or advice,
but agree that it does seem too coincidental to be happening at the same time
as the MS issue.
Still, they may not have any relation to that at all.

I’m glad you’re willing to pursue the new angle.
As single users we probably are less likely targets, but even so,
the malevolent actors are open to anything to further their goals
by collecting more info for financial gains.

Good luck with your tests…

Peter E.

Just a little follow up, setting up fresh on different pc’s gets the same result, rackspace have said that IP addresses such as 172.27.255.9 are all private internal local network ip’s (like 192.168.0.1 etc.) so it isn’t of concern because therefore there is not a 3rd party involved. But it seems strange they would log a local network ip because this would make the log meaningless.
This page seems to suggest that range is normally used for internal local private networks…
https://whatismyipaddress.com/private-ip
Hmmmmm !!
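
The private-range check discussed in the post above, as an added example that is not part of the original thread: it pulls IPv4 addresses out of sign-in log lines and labels each one as your own, RFC 1918 private (such as 172.27.255.9), other non-routable, or public and unknown. The log format, the sample lines and the function names are constructed for illustration; 203.0.113.7 stands in for the user's own address and 8.8.8.8 for an unrelated public one.

```python
import ipaddress
import re

# RFC 1918 private blocks; 172.16.0.0/12 spans 172.16.0.0 - 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def classify(ip_text, own_ips=()):
    """Return a triage label for one address string from a sign-in log."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if addr in {ipaddress.ip_address(o) for o in own_ips}:
        return "own"
    for net in RFC1918:
        if addr in net:
            # Not routable on the internet: internal to whoever wrote the log.
            return f"private:{net}"
    if addr in CGNAT:
        return "cgnat"
    if not addr.is_global:
        return "non-global"      # loopback, link-local, documentation ranges...
    return "public-unknown"      # routable and not yours: worth investigating


def triage(log_lines, own_ips=()):
    """Map every IPv4 address found in the log lines to its label."""
    found = {}
    for line in log_lines:
        for ip_text in IPV4_RE.findall(line):
            found[ip_text] = classify(ip_text, own_ips)
    return found


# Constructed sample lines (hypothetical format, not a real provider log).
SAMPLE_LOG = [
    "2024-05-01T08:00:02Z imap login ok user=me ip=172.27.255.9",
    "2024-05-01T08:05:10Z imap login ok user=me ip=203.0.113.7",
    "2024-05-01T08:09:41Z imap login ok user=me ip=8.8.8.8",
    "2024-05-01T08:11:00Z imap login fail user=me ip=999.1.1.1",
]

if __name__ == "__main__":
    for ip_text, label in triage(SAMPLE_LOG, own_ips=["203.0.113.7"]).items():
        print(f"{ip_text:15} {label}")
```

Only the `public-unknown` rows point at a host elsewhere on the internet; a `private:` row cannot, because those ranges are not routed publicly.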

Thanks for the follow-up and link.

Not strange in “WINDOWS world”.
WINDOWS logs everything - example MFUs and MRUs - Most Frequently Used and Most Recently Used
Meaningless? - Matter of interpretation…
Just evidence of the logging…
No nefarious implications…

The link was very useful and interesting and provides new links to related concepts.

Peter E.