April 23-27, 2002 - Version 1 - Draft 2

MSN Instant Messenger Protocol

Overview Basics Connecting Session Messaging File Transfer Other FAQ Research
This page is not officially part of the original documentation, but is only here because I forgot to remove the link to it when updating some PHP scripts.

Other MSN Services

MSN offers a range of services, all interwoven. MSN Messenger has hooks that let you access them easily - for example, you don't need to send your password again once you've logged in.

This page was contributed by Andrew Sayers. It is based on information gathered from several threads in the Discussion Forum.

Initial Messages

After successfully logging in to MSN Messenger, the MSN servers may send two messages (MSG) over the notification server session. One of them contains the user's Passport profile information. The server will also send a new email notification if the user has a Hotmail account and there are unread e-mails. These messages may be sent before or after the server verifies your initial status, but I have found that it sends the profile before it verifies your initial status, and it sends the email notification (if there is one) afterwards.

The profile message has a MIME content type of text/x-msmsgsprofile. The profile information is displayed as part of the MIME header, and the message has no body. Below is an example of what a profile message might look like.

MSG Hotmail Hotmail 363
MIME-Version: 1.0
Content-Type: text/x-msmsgsprofile; charset=UTF-8
LoginTime: 1016941010
EmailEnabled: 1
MemberIdHigh: 41922
MemberIdLow: -619232012
lang_preference: 1033
preferredEmail: example@passport.com
country: US
PostalCode: 12345
Gender: M
Kid: 0
sid: 507
kv: 2
MSPAuth: 2AAAAAAAADMoV8ORoz64BVwmjtksIg!kmR!Rj5tBBqEaW9hc4YnPHSOQ$$

Some of these fields are used in connecting to Hotmail, some are informational, some are still unidentified.

The new email notification message has a MIME content type of text/x-msmsgsinitialemailnotification. The MIME header only has the two basic lines, and the body of the message displays the number of unread messages, and where to download them (I'm not sure how to use the URLs though). Below is an example of what a new email message might look like.

MSG Hotmail Hotmail 223
MIME-Version: 1.0
Content-Type: text/x-msmsgsinitialemailnotification; charset=UTF-8

Inbox-Unread: 21
Folders-Unread: 33
Inbox-URL: /cgi-bin/HoTMaiL
Folders-URL: /cgi-bin/folders
Post-URL: http://www.hotmail.com

The URLs here can be used when logging into Hotmail (see below)

Other Service URLs

The URL command retrieves URLs relating to the various MSN Services. An example URL command is:

>>> URL 15 INBOX

<<< URL 15 /cgi-bin/HoTMaiL https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1043 2

In this thread, Daniel Winter found the full set of codes.

MSN Chat

MSN Chat (http://chat.msn.com) is an IRC-like chat program. According to metfan, The official implementation of MSN Chat uses the MSNChat45.ocx ActiveX control.

Not much is known about how MSN Chat works, and Microsoft are happy to keep it that way, as they don't want a network full of bots. A Google search for MSNChat45.ocx turns some interesting MSN-Chat resources, for anyone that's feeling adventurous.

The URL command "CHAT" was first found by Dave Woods.

MSN Mobile

MSN Mobile (http://mobile.msn.com/) is an e-mail/web/instant-messaging service for mobile phones and PDAs. This was explained by Dave.

In the PRP command, the MBE and MOB values are MSN Messenger's hooks into MSN Mobile. MBE is set to 'Y' if you have set up a mobile device with MSN Mobile, or 'N' otherwise. MOB is set to 'Y' if you let people send MSN messages to your mobile device. If MBE is set to 'N', the MSN Messenger server will set MOB to 'N' as well.


Hotmail (http://www.hotmail.com) is, of course, Microsoft's web-mail system. To access Hotmail without re-entering your password, you must generate a temporary file on your local computer and open the page in a web browser. The page redirects the browser to Hotmail.

This was discussed in the thread Go to Hotmail Inbox. Credit should go to the hard work of the contributors to that forum, and to the authors of GAIM, who worked out how to generate the "cred" field.

An example page is given below. The page you create should contain at least these elements. Please note that the value of the auth field has been cut to prevent horizontal scrolling on this page so is therefore shorter than a true one.

   <meta http-equiv=Refresh content="0; url=http://www.hotmail.com">

 <body onload="document.pform.submit(); ">
  <form name="pform" action="https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033" method="POST">
   <input type="hidden" name="mode" value="ttl">
   <input type="hidden" name="login" value="chrisshucksmith">
   <input type="hidden" name="username" value="chrisshucksmith@hotmail.com">
   <input type="hidden" name="sid" value="507">

   <input type="hidden" name="kv" value="4">
   <input type="hidden" name="id" value="2">
   <input type="hidden" name="sl" value="9">
   <input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
   <input type="hidden" name="auth" value="4wn8Flsh2DXiHWLalsdfgdssdfgfgsgfG4mzp2Vu2du3I3*cLC8DUP$$">
   <input type="hidden" name="creds" value="c1252ecb80b52af6becba4533d12828f">

   <input type="hidden" name="svc" value="mail">
   <input type="hidden" name="js" value="yes">

Taking each variable in order...

Andrew Sayers

Copyright ©2002-2003 to Mike Mintz.