LAST UPDATED: 2022-06-27
This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft HTTP sinkhole servers. Sinkholing is a technique whereby a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can (to a varying degree) understand connections coming from infected devices.
Since a sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list. However, the sinkholes may also pick up web crawlers requesting malicious domains.
Report format is the same as the Sinkhole HTTP Events Report.
You can learn more on the report in our Sinkhole HTTP Events Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
File names: event4_microsoft_sinkhole_http.