All of my domains are run through my Google Apps account. It's the only account I use, really.
I do have a my.name@outlook.com account (I snatched it early in case I wanted to have a more "professional" non-Google email address).
I have been picking up email from this account into my Google account using POP3 for a few years.
On Friday, I got two notifications from Outlook.com saying:
Microsoft account
Unusual sign-in activity
We've detected something unusual about a recent sign-in to the Microsoft account ga*****@outlook.com. To help keep you safe, we've required an extra security challenge.
Sign-in details:
Country/region: Unknown
IP address: 25.169.153.146
Date: 18/11/2016 02:02 (GMT)
If this was you, then you can safely ignore this email.
If you aren't sure whether this was you, a malicious user might have your password. Please review your recent activity and we'll help you take corrective action.
I looked up that IP address. According to CentralOps, that address belongs to the MOD!
Queried whois.ripe.net with "-B 25.169.153.146"...
% Information related to '25.0.0.0 - 25.255.255.255'
% Abuse contact for '25.0.0.0 - 25.255.255.255' is 'hostmaster@mod.uk'
inetnum: 25.0.0.0 - 25.255.255.255
netname: UK-MOD-19850128
country: GB
org: ORG-DMoD1-RIPE
admin-c: MN1891-RIPE
tech-c: MN1891-RIPE
status: LEGACY
notify: hostmaster@mod.uk
mnt-by: UK-MOD-MNT
mnt-domains: UK-MOD-MNT
mnt-routes: UK-MOD-MNT
mnt-by: RIPE-NCC-LEGACY-MNT
created: 2005-08-23T10:27:23Z
last-modified: 2016-04-14T09:56:26Z
source: RIPE
organisation: ORG-DMoD1-RIPE
org-name: UK Ministry of Defence
org-type: LIR
address: Not Published
address: Not Published
address: Not Published
address: UNITED KINGDOM
phone: +44(0)3067700816
e-mail: mathew.newton643@mod.gov.uk
admin-c: MN1891-RIPE
abuse-c: MH12763-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: UK-MOD-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: UK-MOD-MNT
created: 2004-04-17T12:18:23Z
last-modified: 2016-10-06T11:09:40Z
source: RIPE
I did a bit more digging (after shitting myself and changing the account password and setting up 2-factor authentication!).
That IP address is the one that is connecting to Outlook.com when Google checks for new mail. I confirmed by removing the account from Google, waiting a bit, then connecting it back up and checking the account activity.
Am I being paranoid to think that someone (Google?) is running their service through someone like GCHQ? Have I been reading too many Snowden articles?
WTF is going on?