The first step of connecting is to connect to the dispatch server. Open a TCP socket and connect to
1863. When the connection is established, send the
VER command, with
MSNP7 MSNP6 MSNP5 MSNP4 CVR0 (the latest protocol version) as the parameter. Alternatively, use
MSNP2 to identify as using the original protocol (avoids challenges).
When a response from the server is received, if the first term of the parameter (not the transaction ID) is not a 0, then the protocol version has been approved. Next, send
INF with no parameter to request the authentication protocol from the server.
Hopefully, the server will respond with a
INF command with a parameter of
MD5. If the server sends some other parameter, something is wrong. Reply to this with the
USR command with
MD5 I user@host as the parameter, where
user@host is the Passport of the user logging in.
The server should respond with
XFR with the parameter
NS W.X.Y.Z:1863 0 A.B.C.D:1863, where
W.X.Y.Z:1863 is the IP address and port (usually 1863) of the specified notification server and
A.B.C.D:1863 is the IP address and port of the current server. Close the current connection to the dispatch server and open a new connection to the specified notifcation server.
Below is an example of a conversation between a client and a dispatch server.
<o> Connect: messenger.hotmail.com 1863
>>> VER 0 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
<<< VER 0 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
>>> INF 1
<<< INF 1 MD5
>>> USR 2 MD5 I firstname.lastname@example.org
<<< XFR 2 NS 220.127.116.11:1863 0 18.104.22.168:1863
<o> Client Disconnects
Connecting to the notification server works exactly the same way as connecting to the dispatch server for the first three steps (everything before the server responds with
XFR). When the server receives the user's Passport from
USR, it will either reply with an
XFR (if the server is overloaded) or another
MD5 S #.#, where
#.# is an MD5 hash.
In order to successfully login, a client must support MD5. Respond to this command with another
USR with the parameter
MD5 S *, where
* is the lowercase hexadecimal digest of the MD5 hash received from the server concatenated with the user's login password. Using MD5 ensures that the password is never sent as plaintext.
The notification server should respond to this with
USR with a parameter of
OK user@host NAME 1, where
user@host is the user's Passport, and
NAME is the user's screen name (URL quoted of course). The
1 represents the fact that the user's Passport account has been verified (via replying to an email). Otherwise, it will be a
0. Note that hotmail.com accounts are automatically verified upon signing up. If the login fails, the server will reply with error code
After the login is successful, send
CHG with a three letter status code as the parameter. This will set the initial status, and is the final step of logging in. The server should echo your status message back to verify that your status has been set. The official MSN client always logs in with the status code
NLN, but the servers allow for any of the 9 statuses. When logging in as
FLN, syncing contact lists is the only activity allowed. When logging in as
HDN, a client can do anything except for connecting to the switchboard (although it used to be allowed).
Below is an example of a conversation between a client and a notification server.
<o> Connect: 22.214.171.124 1863
>>> VER 3 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
<<< VER 3 MSNP7 MSNP6 MSNP5 MSNP4 CVR0
>>> INF 4
<<< INF 4 MD5
>>> USR 5 MD5 I email@example.com
<<< USR 5 MD5 S 1013928519.693957190
>>> USR 6 MD5 S 23e54a439a6a17d15025f4c6cbd0f6b5
<<< USR 6 OK firstname.lastname@example.org My%20Screen%20Name 1
>>> CHG 7 NLN
<<< CHG 7 NLN
<o> Continue Session . . .
After successfully logging in, the MSN servers may send two messages (
MSG) over the notification server session. One of them contains the user's Passport profile information. I'm not really sure what the point of it is. The server will also send a new email notification if the user is using a Hotmail account and there are unread emails. These messages may be sent before or after the server verifies your initial status, but I have found that it sends the profile before it verifies your initial status, and it sends the email notification (if there is one) afterwards.
The profile message has a MIME content type of
text/x-msmsgsprofile. The profile information is displayed as part of the MIME header, and the message has no body. Below is an example of what a profile message might look like.
If your client is behind a NAT firewall (where the actual IP address of the client is hidden), the server will send back two more fields:
ClientPort, which are the IP and port the server thinks you're on.
MSG Hotmail Hotmail 363
Content-Type: text/x-msmsgsprofile; charset=UTF-8
The new email notification message has a MIME content type of
text/x-msmsgsinitialemailnotification;. The MIME header only has the two basic lines, and the body of the message displays the number of unread messages, and where to download them (I'm not sure how to use the URLs though). Below is an example of what a new email message might look like.
MSG Hotmail Hotmail 223
Content-Type: text/x-msmsgsinitialemailnotification; charset=UTF-8
Besides the two initial messages that are received when logging in, the server can also send other types of messages during the session. I have found two of these so far:
text/x-msmsgsactivemailnotification. The first one notifies you when a new email has been received. The second notifies you when an email has been deleted (or maybe something else also). Below is an example of a new email being received.
MSG Hotmail Hotmail 340
Content-Type: text/x-msmsgsemailnotification; charset=UTF-8
From: Mike Mintz
Below is an example of when I erase a message in my inbox.
MSG Hotmail Hotmail 145
Content-Type: text/x-msmsgsactivemailnotification; charset=UTF-8
In addition to profile and new email messages, the server should send you the initial statuses of users on your contact list after successfully logging in. These commands use the command name
ILN, and use the transaction ID of your initial status command (
CHG). This command has 3 parameters: three letter status code, passport id, and URL quoted screen name. Below are some examples.
<<< ILN 7 AWY email@example.com Mike
<<< ILN 7 NLN firstname.lastname@example.org Name_123
<<< ILN 7 BSY email@example.com My%20Name
After logging in, a client will usually sync its contact list. This will be explained in the session section.