#41815 MICROSOFT-CORP-MSN-AS-BLOCK


Environment Information

WordPress version: 6.7.2
PHP version: 8.1.32
Admin Tools version: 1.7.0

Latest post by nicholas on Wednesday, 09 April 2025 11:07 CDT

wicko

I have been seeing a few spikes from IPs that are all related to MICROSOFT-CORP-MSN-AS-BLOCK. Can I simply block these IPs or will it prevent users from these locations accessing the site?

Perhaps there is a rule that could be added to block MICROSOFT-CORP-MSN-AS-BLOCK requests and IPs

Here is a list of IPs


Web design and development in Reading and Oxfordshire UK.

Wicko Web design

nicholas
Akeeba Staff
Manager

Of course you can. Add the following as custom rules to place at the top of the file (you will need to fill in all the IP addresses):

<RequireAll>
Require all granted
Require not ip 72.153.231.16
Require not ip 13.89.207.52
# ... and so on and so forth ...
</RequireAll>

That said, this might completely cock up any links to your site used in emails received by Hotmail / Microsoft 365 email accounts, or used in other Microsoft products, see https://stackoverflow.com/questions/72203761/urls-rewritten-from-microsoft-corp-msn-as-block. Or these IPs might just be malicious Azure VMs so nothing of value is lost. What I am saying is you should monitor the situation after applying these rules.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

wicko

Thank you for the suggestion. We have noticed 3 short spikes all from Microsoft servers. But we have also recently sent out a newsletter mailing which would have also included many Microsoft emails. 

I do see that several email servers have protection and check every link in an email before releasing it. Guess we can't just block these as we would also be blocking a large quantity of links from emails as you mentioned. 

I will check out https://learn.microsoft.com/en-us/defender-office-365/safe-links-about and see if we can fix this by using Microsoft safe urls. 

 


wicko

I have discussed this with SiteGround too and they have given me the URLs that are affected with these attacks.

Perhaps there is a way to block access for these servers to these URLs.

 

40.69.92.134 www.visiongain.com - [09/Apr/2025:09:01:12 +0000] "GET /wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver=2.7.0-wc.9.7.1 HTTP/2.0" 200 3276 "https://www.visiongain.com/report/connected-aircraft-market-2024/?utm_source=Aviation+%26+Defence+Report+Updates&utm_campaign=d93725fee4-AVI+280325+Helicopter_COPY_01&utm_medium=email&utm_term=0_-b2f966643b-324684258" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" | TLSv1.3 | - - 0.000 - 0 NC:000000 UP:-DT
40.69.92.134 www.visiongain.com - [09/Apr/2025:09:01:12 +0000] "GET /wp-includes/js/underscore.min.js?ver=1.13.7 HTTP/2.0" 200 7180 "https://www.visiongain.com/report/connected-aircraft-market-2024/?utm_source=Aviation+%26+Defence+Report+Updates&utm_campaign=d93725fee4-AVI+280325+Helicopter_COPY_01&utm_medium=email&utm_term=0_-b2f966643b-324684258" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" | TLSv1.3 | - - 0.000 - 0 NC:000000 UP:-DT
40.69.92.134 www.visiongain.com - [09/Apr/2025:09:01:12 +0000] "GET /wp-includes/js/wp-util.min.js?ver=6.7.2 HTTP/2.0" 200 690 "https://www.visiongain.com/report/connected-aircraft-market-2024/?utm_source=Aviation+%26+Defence+Report+Updates&utm_campaign=d93725fee4-AVI+280325+Helicopter_COPY_01&utm_medium=email&utm_term=0_-b2f966643b-324684258" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" | TLSv1.3 | - - 0.000 - 0 NC:000000 UP:-DT
72.145.76.10 www.visiongain.com - [09/Apr/2025:09:01:12 +0000] "GET /wp-content/uploads/2018/03/currency-uk.png HTTP/2.0" 200 6583 "https://www.visiongain.com/report/helicopter-market-2025/?utm_source=Aviation+%26+Defence+Report+Updates&utm_campaign=d93725fee4-AVI+280325+Helicopter_COPY_01&utm_medium=email&utm_term=0_-b2f966643b-316228857" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" | TLSv1.3 | - - 0.000 - 0 NC:000000 UP:-DT
72.145.76.10 www.visiongain.com - [09/Apr/2025:09:01:12 +0000] "GET /wp-content/uploads/2018/03/currency-us.png HTTP/2.0" 200 4601 "https://www.visiongain.com/report/helicopter-market-2025/?utm_source=Aviation+%26+Defence+Report+Updates&utm_campaign=d93725fee4-AVI+280325+Helicopter_COPY_01&utm_medium=email&utm_term=0_-b2f966643b-316228857" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" | TLSv1.3 | - - 0.000 - 0 NC:000000 UP:-DT
72.145.76.10 www.visiongain.com - [09/Apr/2025:09:01:12 +0000] "GET /wp-content/uploads/2018/03/currency-eu.png HTTP/2.0" 200 3703 "https://www.visiongain.com/report/helicopter-market-2025/?utm_source=Aviation+%26+Defence+Report+Updates&utm_campaign=d93725fee4-AVI+280325+Helicopter_COPY_01&utm_medium=email&utm_term=0_-b2f966643b-316228857" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" | TLSv1.3 | - - 0.000 - 0 NC:000000 UP:-DT


nicholas
Akeeba Staff
Manager

Well, based on this info the spike in traffic is because of the Safe Links feature. All links in your email are being scanned by Microsoft to assess their legitimacy. This includes all static resources referenced / linked by the pages pointed to by those links.

You can't really deny access to specific files. I mean, you could, but then your link looks like a spam page and your newsletter will end up in the user's Junk folder which you don't want.

The best thing you can do is use something like CloudFlare in front of your site to have it deliver the static content instead of your web server. This will greatly reduce the load on your server: both the most common and the biggest static files will be delivered by CloudFlare's edge servers, with your server only handling the dynamic PHP pages which generate HTML content. This is something we are doing on our own site as well. About a third of our traffic by volume (and two thirds by URL hits) was static content such as CSS and images. We are using CloudFlare to remove that load off our web server, speeding it up substantially in the process.


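Before blocking a spike like this one, it helps to check whether the requests trace back to a newsletter link, which the log excerpt above shows through `utm_medium=email` in the Referer. The following is an added example, not part of the original thread or of Admin Tools: it tallies requests per client IP from access-log lines in the layout posted above. The sample lines, the static-extension list and the 0.8 threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the layout of the excerpt posted above
# (documentation IP ranges and example.com, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 www.example.com - [09/Apr/2025:09:01:12 +0000] "GET /report/a/?utm_source=News&utm_medium=email HTTP/2.0" 200 5120 "-" "Mozilla/5.0" | TLSv1.3 | -
203.0.113.10 www.example.com - [09/Apr/2025:09:01:12 +0000] "GET /wp-includes/js/underscore.min.js?ver=1.13.7 HTTP/2.0" 200 7180 "https://www.example.com/report/a/?utm_source=News&utm_medium=email" "Mozilla/5.0" | TLSv1.3 | -
203.0.113.10 www.example.com - [09/Apr/2025:09:01:13 +0000] "GET /wp-content/uploads/2018/03/currency-uk.png HTTP/2.0" 200 6583 "https://www.example.com/report/a/?utm_source=News&utm_medium=email" "Mozilla/5.0" | TLSv1.3 | -
198.51.100.7 www.example.com - [09/Apr/2025:09:01:14 +0000] "GET /wp-login.php HTTP/2.0" 403 312 "-" "Mozilla/5.0" | TLSv1.3 | -
198.51.100.7 www.example.com - [09/Apr/2025:09:01:15 +0000] "GET /wp-login.php HTTP/2.0" 403 312 "-" "Mozilla/5.0" | TLSv1.3 | -
198.51.100.7 www.example.com - [09/Apr/2025:09:01:16 +0000] "GET /xmlrpc.php HTTP/2.0" 403 312 "-" "Mozilla/5.0" | TLSv1.3 | -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".woff2", ".ico")

def from_email_campaign(url):
    """True when the URL's query string carries utm_medium=email."""
    return "email" in parse_qs(urlsplit(url).query).get("utm_medium", [])

def summarise(log_text):
    """Per client IP: total hits, static-asset hits, email-campaign hits."""
    stats = defaultdict(lambda: {"hits": 0, "static": 0, "email": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        s = stats[m["ip"]]
        s["hits"] += 1
        s["static"] += urlsplit(m["path"]).path.lower().endswith(STATIC_EXT)
        # The landing page has utm_* in its own URL; the assets it pulls in
        # carry the same parameters in their Referer.
        s["email"] += from_email_campaign(m["referer"]) or from_email_campaign(m["path"])
    return dict(stats)

def email_link_ips(stats, threshold=0.8):
    """IPs whose traffic is mostly newsletter-driven; blocking them breaks email links."""
    return sorted(ip for ip, s in stats.items() if s["email"] / s["hits"] >= threshold)

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    print(stats, email_link_ips(stats))
```

An IP that shows up in `email_link_ips` is fetching pages and assets from a mailing, whether through a link scanner or a human reader, so it is a poor candidate for a `Require not ip` rule.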
wicko

Thank you for your reply and suggestion, Nicholas. I will look at implementing Cloudflare. Something I remember SiteGround used to recommend but then pulled sites back to their own server. Used Cloudflare in the past and it did cause a few issues with ecommerce settings. The free option was OK. I know that SiteGround offer a CDN for images, so not sure if that would help.


nicholas
Akeeba Staff
Manager

I used CloudFlare as an example, mostly because they're the only CDN with a free tier that has no transfer quota. There are plenty of alternatives, including many European ones. I will be implementing BunnyCDN on my blog over the next week or so.

The critical part is to ONLY cache non-PHP content. Having had most experience with CloudFlare, the way to do this is with Page Rules. Once you get that down pat it becomes super easy to scale it on any kind, including e-commerce; I mean, this here site is primarily an e-commerce site, and we're using CloudFlare just fine 🙃
