.phx.gbl
After doing my monthly round of Windows updates today, I did my usual monitoring and something rather odd caught my eye. MSN Messenger was connected to a dubious-looking address, by2msg1104216.phx.gbl:1863. .gbl is not a registered TLD that I know of. Worried at this point that my system security had been compromised and the connection hijacked, I pulled the plug on MSN Messenger.
Curious, I performed an NS lookup, but the address couldn’t be resolved. I proceeded to Google the domain. The results were scant, with two useful articles turning up. This did, however, calm my fears, as it appears the domain is tied to MS, but it opened up a whole new level of conspiracy.
The article here (http://artific.com/articles/2005/12/27/a_practically_u/) and some comments mentioned that various blocks of IP addresses on the 64.4.8.0 and 207.46.0.0 networks reverse-resolve to the .phx.gbl domain. Another sighting was reported at this site (http://www.zenatode.org.uk/ian/internet/hotmail.xhtml) too. The users there were pretty bewildered by the whole incident as well.
Reconnecting to MSN Messenger, this time with both TCPView and Ethereal running, MSN Messenger was observed connecting again, to the dubious-looking address by1msg3275914.phx.gbl. Ethereal revealed the IP from the packet header as 207.46.107.88.
A reverse DNS lookup was done on dnsstuff.com (http://www.dnsstuff.com/tools/ptr.ch?ip=207.46.107.88), which confirmed that the IP in question did indeed resolve to by1msg3275914.phx.gbl.
For the less technically inclined, an analogy of the above scenario would be: A = B but B != A. The IP reverse-resolves to the .phx.gbl name, but that name does not resolve back to any IP.
No one could fathom why MS would do such a thing, but the bigger question here is why choose .phx.gbl instead of something more recognizable, and what do phx and gbl actually stand for? I sense an elaborate conspiracy.
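As an added example, not part of the original post, the following Python script automates the forward-confirmed reverse DNS check the post did by hand: resolve the peer IP to its PTR name, resolve that name forward again, and report whether the two agree. The constructed lookup tables mirror the post's observation for 207.46.107.88; the other addresses and names in them are made up for illustration, and the live system resolver is only used when the script is run directly.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed tables (not live DNS data). The first entry mirrors the post:
# the PTR for 207.46.107.88 points at a .phx.gbl name that has no forward record.
# The remaining entries are hypothetical and exist only to exercise each verdict.
CONSTRUCTED_PTR: Dict[str, str] = {
    "207.46.107.88": "by1msg3275914.phx.gbl",
    "192.0.2.10": "msgr.example.net",
    "192.0.2.11": "other.example.net",
}
CONSTRUCTED_FORWARD: Dict[str, List[str]] = {
    "msgr.example.net": ["192.0.2.10"],
    "other.example.net": ["192.0.2.99"],
}

def reverse_constructed(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)

def forward_constructed(name: str) -> List[str]:
    return CONSTRUCTED_FORWARD.get(name, [])

def reverse_live(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when the IP has no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_live(name: str) -> List[str]:
    """A-record lookup via the system resolver; empty list when the name does not resolve."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []

def classify_peer(ip: str,
                  reverse: Callable[[str], Optional[str]] = reverse_live,
                  forward: Callable[[str], List[str]] = forward_live) -> str:
    """Forward-confirmed reverse DNS verdict for a connected peer address."""
    ptr = reverse(ip)
    if ptr is None:
        return "no-ptr"             # nobody claims this address at all
    addrs = forward(ptr)
    if ip in addrs:
        return "forward-confirmed"  # A = B and B = A: name and address agree
    if not addrs:
        return "ptr-only"           # the post's case: A = B but B != A
    return "mismatch"               # name exists but points somewhere else

if __name__ == "__main__":
    print("207.46.107.88 (live):", classify_peer("207.46.107.88"))
```

A "ptr-only" or "mismatch" verdict on a long-lived connection is worth a closer look in the packet capture, since the reverse name alone proves nothing about who operates the address.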
Woah, everything sounds so chim!!! So, is it dangerous or not or whatever???
Nope, it isn’t. It’s just most curious.
I see it, I restrict it anyway.
Better safe than sorry.
The above phx.gbl was sent in a message header from an obvious phishing scam. They requested returned email be sent to a czech domain. This same email contained a “microsoft” link that I am pretty sure is false because they use the old microsoft symbol on it. Just a heads up.
What’s the purpose of an org like ICANN, which oversees the creation and use of TLDs, if a troop like MS can just create their own? I’m not objecting to a TLD like .GBL (Dot Global), but then please do follow established procedures. The internet is based on all participants following the set RFCs.