MSN offers a range of services, all interwoven. MSN Messenger has hooks that let you access them easily - for example, you don't need to send your password again once you've logged in.
This page was contributed by Andrew Sayers. It is based on information gathered from several threads in the Discussion Forum.
After successfully logging in to MSN Messenger, the MSN servers may send two messages (MSG) over the notification server session. One of them contains the user's Passport profile information. The server will also send a new email notification if the user has a Hotmail account and there are unread e-mails. These messages may be sent before or after the server verifies your initial status, but I have found that it sends the profile before it verifies your initial status, and it sends the email notification (if there is one) afterwards.
The profile message has a MIME content type of text/x-msmsgsprofile. The profile information is displayed as part of the MIME header, and the message has no body. Below is an example of what a profile message might look like.
MSG Hotmail Hotmail 363
MIME-Version: 1.0
Content-Type: text/x-msmsgsprofile; charset=UTF-8
LoginTime: 1016941010
EmailEnabled: 1
MemberIdHigh: 41922
MemberIdLow: -619232012
lang_preference: 1033
preferredEmail: example@passport.com
country: US
PostalCode: 12345
Gender: M
Kid: 0
Age:
sid: 507
kv: 2
MSPAuth: 2AAAAAAAADMoV8ORoz64BVwmjtksIg!kmR!Rj5tBBqEaW9hc4YnPHSOQ$$
Some of these fields are used in connecting to Hotmail, some are informational, some are still unidentified.
LoginTime - Unix time you logged in - that is, in seconds since midnight UTC on January 1st, 1970.
EmailEnabled - Presumably, whether or not you have a working Hotmail inbox
MemberIdHigh - Unknown
MemberIdLow - Unknown
lang_preference - Preferred language number
preferredEmail - Your E-mail address
country - Two-digit country code
PostalCode - Your Post-code (or Zip code, in America)
Gender - Gender (m or f)
Kid - Whether you're under-age (0 or 1)
Age - Numerical age
BDayPre - Unknown
Birthday - Numerical birthday
Wallet - Whether you have an MS Wallet? (0 or 1)
Flags - Unknown
sid - sid Number (used by Hotmail)
kv - kv number (used by Hotmail)
MSPAuth - Incredibly long string (used by Hotmail)

The new email notification message has a MIME content type of text/x-msmsgsinitialemailnotification. The MIME header only has the two basic lines, and the body of the message displays the number of unread messages, and where to download them (I'm not sure how to use the URLs though). Below is an example of what a new email message might look like.
MSG Hotmail Hotmail 223
MIME-Version: 1.0
Content-Type: text/x-msmsgsinitialemailnotification; charset=UTF-8
Inbox-Unread: 21
Folders-Unread: 33
Inbox-URL: /cgi-bin/HoTMaiL
Folders-URL: /cgi-bin/folders
Post-URL: http://www.hotmail.com
The URLs here can be used when logging into Hotmail (see below).
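A parser for the two post-login messages described above, as an added example rather than code from the original page. It assumes CRLF line endings and that the last field of the MSG line is the payload length in bytes (neither is stated on this page); the sample messages and the MSPAuth value are constructed.

```python
# Added example. Assumed, not stated on the page: lines end in CRLF and the
# last field of the MSG line is the payload length in bytes.
SECRET_FIELDS = {"MSPAuth"}  # used to log in to Hotmail: keep it out of logs

def parse_fields(block):
    """Parse 'Name: value' lines; empty values such as 'Age:' are kept."""
    fields = {}
    for line in filter(None, block.split("\r\n")):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[name.strip()] = value.strip()
    return fields

def parse_msg(raw):
    """Return the message kind and its fields (header or body, per type)."""
    command, _, payload = raw.partition(b"\r\n")
    parts = command.decode("ascii").split(" ")
    if len(parts) != 4 or parts[0] != "MSG" or int(parts[3]) != len(payload):
        raise ValueError("not an MSG command or length mismatch")
    head, _, body = payload.decode("utf-8").partition("\r\n\r\n")
    header = parse_fields(head)
    kind = header.get("Content-Type", "").split(";")[0].strip()
    if kind == "text/x-msmsgsprofile":
        return {"kind": "profile", "fields": header}  # data is in the header
    if kind == "text/x-msmsgsinitialemailnotification":
        return {"kind": "initial-email", "fields": parse_fields(body)}
    return {"kind": kind, "fields": header}

def redact(fields):
    """Copy of the fields that is safe to write to a log."""
    return {k: "<redacted>" if k in SECRET_FIELDS else v
            for k, v in fields.items()}

def make_msg(lines):
    """Build a constructed sample message with a correct length field."""
    payload = "\r\n".join(lines).encode("utf-8")
    return b"MSG Hotmail Hotmail %d\r\n" % len(payload) + payload

PROFILE = make_msg(["MIME-Version: 1.0",
                    "Content-Type: text/x-msmsgsprofile; charset=UTF-8",
                    "Age:", "sid: 507", "kv: 2",
                    "MSPAuth: CONSTRUCTED-TOKEN$$", "", ""])
EMAIL = make_msg(["MIME-Version: 1.0", "Content-Type: "
                  "text/x-msmsgsinitialemailnotification; charset=UTF-8", "",
                  "Inbox-Unread: 21", "Inbox-URL: /cgi-bin/HoTMaiL", ""])

if __name__ == "__main__":
    print(redact(parse_msg(PROFILE)["fields"]), parse_msg(EMAIL)["fields"])
```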
The URL command retrieves URLs relating to the various MSN Services. An example URL command is:
>>> URL 15 INBOX
<<< URL 15 /cgi-bin/HoTMaiL https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1043 2
In this thread, Daniel Winter found the full set of codes.
PROFILE 0x1409 - edit your MSN member directory profile
CHGMOB - mobile settings (pager and stuff)
PERSON 0x0409 - member services, password, secret question, account info
CHAT 0x0409 - chat rooms
INBOX - Hotmail inbox
COMPOSE - compose an email
COMPOSE someone@hotmail.com - compose an email for someone@hotmail.com
FOLDERS - Believed to be Hotmail's "MSN home" URL.

MSN Chat (http://chat.msn.com) is an IRC-like chat program. According to metfan, the official implementation of MSN Chat uses the MSNChat45.ocx ActiveX control.
Not much is known about how MSN Chat works, and Microsoft are happy to keep it that way, as they don't want a network full of bots. A Google search for MSNChat45.ocx turns up some interesting MSN Chat resources, for anyone that's feeling adventurous.
The URL command "CHAT" was first found by Dave Woods.
MSN Mobile (http://mobile.msn.com/) is an e-mail/web/instant-messaging service for mobile phones and PDAs. This was explained by Dave.
In the PRP command, the MBE and MOB values are MSN Messenger's hooks into MSN Mobile. MBE is set to 'Y' if you have set up a mobile device with MSN Mobile, or 'N' otherwise. MOB is set to 'Y' if you let people send MSN messages to your mobile device. If MBE is set to 'N', the MSN Messenger server will set MOB to 'N' as well.
Hotmail (http://www.hotmail.com) is, of course, Microsoft's web-mail system. To access Hotmail without re-entering your password, you must generate a temporary file on your local computer and open the page in a web browser. The page redirects the browser to Hotmail.
This was discussed in the thread Go to Hotmail Inbox. Credit should go to the hard work of the contributors to that forum, and to the authors of GAIM, who worked out how to generate the "cred" field.
An example page is given below. The page you create should contain at least these elements. Please note that the value of the auth field has been cut to prevent horizontal scrolling on this page, so it is shorter than a true one.
<html>
<head>
  <noscript>
    <meta http-equiv=Refresh content="0; url=http://www.hotmail.com">
  </noscript>
</head>
<body onload="document.pform.submit(); ">
  <form name="pform" action="https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033" method="POST">
    <input type="hidden" name="mode" value="ttl">
    <input type="hidden" name="login" value="chrisshucksmith">
    <input type="hidden" name="username" value="chrisshucksmith@hotmail.com">
    <input type="hidden" name="sid" value="507">
    <input type="hidden" name="kv" value="4">
    <input type="hidden" name="id" value="2">
    <input type="hidden" name="sl" value="9">
    <input type="hidden" name="rru" value="/cgi-bin/HoTMaiL">
    <input type="hidden" name="auth" value="4wn8Flsh2DXiHWLalsdfgdssdfgfgsgfG4mzp2Vu2du3I3*cLC8DUP$$">
    <input type="hidden" name="creds" value="c1252ecb80b52af6becba4533d12828f">
    <input type="hidden" name="svc" value="mail">
    <input type="hidden" name="js" value="yes">
  </form>
</body>
</html>
Taking each variable in order...
URL in the meta element derives from the Post-URL in the initial mail notification.
action tag in the form element derives from a URL command with an argument of "INBOX", "FOLDERS" or "COMPOSE" (specifically, from the second reply-argument).
login is your Hotmail address.
sid and kv derive from the sid and kv values in your profile.
id derives from the third argument you receive in reply to a URL "INBOX", "FOLDERS", or "COMPOSE" command.
sl derives from LoginTime (in your profile) minus the current Unix time. It's generally agreed that "sl" means "session-length". Personally, I suspect it means "salt", but there's no real evidence either way.
rru can be any one of Folders-URL, Post-URL, or Compose-URL, from the initial mail notification. If you choose the Compose-URL, you can specify some variables in the e-mail you compose, including "mailto" (which must be set to 1), "subject" and "to". So you can specify something like "/cgi-bin/compose?mailto=1&subject=Hello%20from%20MSNClone&to=buddy%40hotmail%2ecom" to skip straight to a window composing a message to "buddy@hotmail.com" with subject "Hello From MSNClone".
auth derives from the MSPAuth value from your profile.
creds is the MD5 hash of the concatenated strings MSPAuth + sl + password.
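One way to generate the page from the variables listed above, as an added example that is not code from the original page or from GAIM. The function names are hypothetical, sl is passed in already computed, login is taken as the part of the address before "@" as in the example page, and all input values are constructed.

```python
# Added example. Field names and the fixed values (mode, svc, js) are copied
# from the example page above; the inputs in the demo are constructed.
import hashlib, html, os, tempfile

def creds_hash(mspauth, sl, password):
    """creds = MD5(MSPAuth + sl + password), as lowercase hex."""
    return hashlib.md5(f"{mspauth}{sl}{password}".encode("utf-8")).hexdigest()

def login_page(profile, action, url_id, sl, rru, address, password,
               post_url="http://www.hotmail.com"):
    """Render the auto-submitting form; every value is HTML-escaped."""
    fields = [
        ("mode", "ttl"),
        ("login", address.split("@")[0]),  # local part, as in the example
        ("username", address),
        ("sid", profile["sid"]), ("kv", profile["kv"]),
        ("id", url_id), ("sl", sl), ("rru", rru),
        ("auth", profile["MSPAuth"]),
        ("creds", creds_hash(profile["MSPAuth"], sl, password)),
        ("svc", "mail"), ("js", "yes"),
    ]
    inputs = "\n".join(
        f'<input type="hidden" name="{n}" value="{html.escape(str(v))}">'
        for n, v in fields)
    return (f'<html><head><noscript><meta http-equiv="Refresh" '
            f'content="0; url={html.escape(post_url)}"></noscript></head>\n'
            f'<body onload="document.pform.submit();">\n'
            f'<form name="pform" action="{html.escape(action)}" method="POST">\n'
            f'{inputs}\n</form></body></html>\n')

def write_private(page):
    """Write to a temp file only the current user can read (mkstemp: 0600)."""
    fd, path = tempfile.mkstemp(suffix=".html")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(page)
    return path  # remove it once the browser has loaded the page

if __name__ == "__main__":
    demo = {"sid": "507", "kv": "2", "MSPAuth": "CONSTRUCTED-TOKEN$$"}
    path = write_private(login_page(
        demo, "https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033",
        "2", 9, "/cgi-bin/HoTMaiL", "user@example.com", "constructed-pw"))
    print(path); os.remove(path)
```

The generated file holds the MSPAuth value and an MD5 derived from the password, which is why it is written with owner-only permissions and removed after use.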