Port probe on 6666

["Vachon, Scott" <Scott.Vachon () PAYMENTECH COM>]

I hope this is the right forum for posting this. I had an attempt to connect
to one of my systems last night and I am interested in opinions/insight from
the incidents group.

Information captured:

An attempt was made to connect to port 6666 from the below listed IP
address:

notify-108.iap.bryant.webtv.net  209.240.199.146 on port 6666 UDP port
36063.

I contacted the security folks at WebTV (Microsoft) and received the
following response:

There is a common misunderstanding concerning UDP Port 6666 probes.

When WebTV Clients obtain an IP Address they are registered with that
IP-Address in our system and stay registered until a timeout threshold is
reached or are re-registered with a different IP-Address (whichever comes
first.) If another system (Non-WebTV) obtains this same IP-Address
previously used by a WebTV Client it may receive packets from our notify
service attempting to tell the WebTV client it has mail.

***
Security Analyst
Microsoft


Questions:

1) What is port 6666 (UDP port 36063) used for, if anything ?
2) Since the affected host (non WebTV) is not on the WebTV network, why
would WebTV assume my host had been assigned an IP used formerly by one of
their hosts ?
3) Has anyone else had this same experience from a WebTV host or service ?

Thanks in advance.




Scott Vachon
Network Implementations Engineer
Computer Network Services
Paymentech, Inc.