MSN offers a range of services, all interwoven. MSN Messenger has hooks that let you access them easily - for example, you don't need to send your password again once you've logged in.
This page was contributed by Andrew Sayers. It is based on information gathered from several threads in the Discussion Forum.
After successfully logging in to MSN Messenger, the MSN servers may send two messages (
MSG) over the notification server session. One of them contains the user's Passport profile information. The server will also send a new email notification if the user has a Hotmail account and there are unread e-mails. These messages may be sent before or after the server verifies your initial status, but I have found that it sends the profile before it verifies your initial status, and it sends the email notification (if there is one) afterwards.
The profile message has a MIME content type of
text/x-msmsgsprofile. The profile information is displayed as part of the MIME header, and the message has no body. Below is an example of what a profile message might look like.
MSG Hotmail Hotmail 363
Content-Type: text/x-msmsgsprofile; charset=UTF-8
Some of these fields are used in connecting to Hotmail, some are informational, some are still unidentified.
LoginTimeUnix time you logged in - that is, in seconds since midnight UTC on January 1st, 1970.
EmailEnabledPresumably, whether or not you have a working Hotmail inbox
lang_preferencePreferred language number
preferredEmailYour E-mail address
countryTwo-digit country code
PostalCodeYour Post-code (or Zip code, in America)
GenderGender (m or f)
KidWhether you're under-age (0 or 1)
WalletWhether you have an MS Wallet? (0 or 1)
sidsid Number (used by Hotmail)
kvkv number (used by Hotmail)
MSPAuthIncredibly long string (used by Hotmail)
The new email notification message has a MIME content type of
text/x-msmsgsinitialemailnotification. The MIME header only has the two basic lines, and the body of the message displays the number of unread messages, and where to download them (I'm not sure how to use the URLs though). Below is an example of what a new email message might look like.
MSG Hotmail Hotmail 223
Content-Type: text/x-msmsgsinitialemailnotification; charset=UTF-8
The URLs here can be used when logging into Hotmail (see below)
The URL command retrieves URLs relating to the various MSN Services. An example URL command is:
>>> URL 15 INBOX
<<< URL 15 /cgi-bin/HoTMaiL https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1043 2
In this thread, Daniel Winter found the full set of codes.
PROFILE 0x1409- edit your MSN member directory profile
CHGMOB- mobile settings (pager and stuff)
PERSON 0x0409- member services, password, secret question, account info
CHAT 0x0409- chat rooms
INBOX- Hotmail inbox
COMPOSE- compose an email
COMPOSE firstname.lastname@example.org- compose an email for email@example.com
FOLDERS- Believed to be the Hotmail's "MSN home" URL.
MSN Chat (http://chat.msn.com) is an IRC-like chat program. According to metfan, The official implementation of MSN Chat uses the MSNChat45.ocx ActiveX control.
Not much is known about how MSN Chat works, and Microsoft are happy to keep it that way, as they don't want a network full of bots. A Google search for MSNChat45.ocx turns some interesting MSN-Chat resources, for anyone that's feeling adventurous.
The URL command "CHAT" was first found by Dave Woods.
MSN Mobile (http://mobile.msn.com/) is an e-mail/web/instant-messaging service for mobile phones and PDAs. This was explained by Dave.
PRP command, the
MOB values are MSN Messenger's hooks into MSN Mobile.
MBE is set to 'Y' if you have set up a mobile device with MSN Mobile, or 'N' otherwise.
MOB is set to 'Y' if you let people send MSN messages to your mobile device. If
MBE is set to 'N', the MSN Messenger server will set
MOB to 'N' as well.
Hotmail (http://www.hotmail.com) is, of course, Microsoft's web-mail system. To access Hotmail without re-entering your password, you must generate a temporary file on your local computer and open the page in a web browser. The page redirects the browser to Hotmail.
This was discussed in the thread Go to Hotmail Inbox. Credit should go to the hard work of the contributors to that forum, and to the authors of GAIM, who worked out how to generate the "cred" field.
An example page is given below. The page you create should contain at least these elements. Please note that the value of the auth field has been cut to prevent horizontal scrolling on this page so is therefore shorter than a true one.
<html> <head> <noscript> <meta http-equiv=Refresh content="0; url=http://www.hotmail.com"> </noscript> </head> <body onload="document.pform.submit(); "> <form name="pform" action="https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033" method="POST"> <input type="hidden" name="mode" value="ttl"> <input type="hidden" name="login" value="chrisshucksmith"> <input type="hidden" name="username" value="firstname.lastname@example.org"> <input type="hidden" name="sid" value="507"> <input type="hidden" name="kv" value="4"> <input type="hidden" name="id" value="2"> <input type="hidden" name="sl" value="9"> <input type="hidden" name="rru" value="/cgi-bin/HoTMaiL"> <input type="hidden" name="auth" value="4wn8Flsh2DXiHWLalsdfgdssdfgfgsgfG4mzp2Vu2du3I3*cLC8DUP$$"> <input type="hidden" name="creds" value="c1252ecb80b52af6becba4533d12828f"> <input type="hidden" name="svc" value="mail"> <input type="hidden" name="js" value="yes"> </form> </body> </html>
Taking each variable in order...
URLin the meta element derives from the Post-URL in the initial mail notification.
actiontag in the form element derives from a URL command with an argument of "INBOX", "FOLDERS" or "COMPOSE" (specifially, from the second reply-argument).
loginis your Hotmail address.
kvderive from the sid and kv values in your profile.
idderives from the third argument you receive in reply to a URL "INBOX", "FOLDERS", or "COMPOSE" command.
slderives from LoginTime (in your profile) minus the current Unix time. It's generally agreed that "sl" means "session-length". Personally, I suspect it means "salt", but there's no real evidence either way.
rrucan be any one of Folders-URL, Post-URL, or Compose-URL, from the initial mail notification. If you choose the Compose-URL, you can specify some variables in the e-mail you compose, including "mailto" (which must be set to 1), "subject" and "to". So you can specify something like "/cgi-bin/compose?mailto=1&subject=Hello%20from%20MSNClone&to=buddy%40hotmail%2ecom" to skip straight to a window composing a message to "email@example.com" with subject "Hello From MSNClone".
authderives from the MSPAuth value from your profile.
credsis the MD5 hash of the concatenated strings MSPAuth + sl + password.