Recently, a client contacted me to share that their web server’s firewall was busy banning IP addresses from port scanners. Sure enough, a quick peek at the server logs showed that there were indeed multiple IP bans lately. Most of these were temporary bans, as the firewall did not deem these infractions critical enough to be permanent bans. When looking at the notifications, a particular domain in the ban list caught my eye. It was a microsoft.com domain along with an IP address. A WHOIS lookup shows that this IP does indeed belong to the software giant Microsoft Corp, manufacturer of Microsoft Windows and Microsoft Office. The reason for permanently banning this IP was that the IP itself had been temporarily banned too many times in a certain time frame. So after a few warnings, the server’s firewall permanently banned this Microsoft IP from hitting the client’s web server again.
220.127.116.11 (US/United States/tide544.microsoft.com)
After some more digging around and research, could this be a case of a false positive result for port scanning? Since we do not want to hinder any of MSN’s servers, whether it’s Bing.com or MSN search, from crawling our web sites, the more important question is actually: should I unban this IP address? Has anyone else also experienced their firewall banning Microsoft IP addresses for port scanning? What would you do?