Scanners are the mosquitos of the internet. Annoying, but mostly harmless, although some may carry pathogens.
Stretchoid is one of the most prolific scanners on the internet, but also one of the shadiest. Their single-screen website:
"Stretchoid is a platform that helps identify an organization's online services. Sometimes this activity is incorrectly identified by security systems, such as firewalls, as malicious. Our activity is completely harmless."
This is followed by an opt-out form. Thin, very thin. Neal Krawetz mentions them, but the subsequent discussion (last modified in 2024) focuses on stretchoid, including speculations on its origins and purpose. This and a few odd Reddit posts provide much of what is known about them.
Stretchoid is a Microsoft operation, running in its Azure cloud (AS 8075). While whois content is often forged, the record for stretchoid.com is held by MarkMonitor and should be trustworthy.
Domain Name: stretchoid.com
Registry Domain ID: 2027075945_DOMAIN_COM-VRS
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2025-04-07T12:52:48+0000
Creation Date: 2016-05-09T21:35:59+0000
Registrar Registration Expiration Date: 2026-05-09T00:00:00+0000
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2086851750
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Registrant Name: Domain Administrator
Registrant Organization: Microsoft Corporation
Registrant Street: One Microsoft Way,
Registrant City: Redmond
Registrant State/Province: WA
Registrant Postal Code: 98052
Registrant Country: US
Registrant Phone: +1.4258828080
Registrant Phone Ext:
Registrant Fax: +1.4259367329
Registrant Fax Ext:
Registrant Email: domains@microsoft.com
Tech Name: MSN Hostmaster
Tech Phone: +1.4258828080
Tech Email: msnhst@microsoft.com
Name Server: ns1-37.azure-dns.com
Name Server: ns3-37.azure-dns.org
Name Server: ns4-37.azure-dns.info
Name Server: ns2-37.azure-dns.net
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2026-03-08T16:40:33+0000 <<<
We have not seen any statements from Microsoft about this service, much less denials of ownership, but they must take pains to obscure that ownership. Shade works: the fact that Microsoft runs Stretchoid is obscure. One of the commenters in Krawetz's thread makes the claim, but it's buried under speculation about 3-letter agencies and other monsters.
Stretchoid seems to do just what it says on the tin: it identifies online services. Of 1588 IPv4 probes from *.stretchoid.com, logged on a public mail server over a bit more than a day, 1392 were TCP SYN packets, 195 small UDP and one TCP RST, all over a broad range of ports. Not the profile of a malicious actor; it really does seem to be a broad but shallow scan of the world's online services. However, Microsoft is another giant corp making money by extracting information from us while being unwilling to share that information back with us. Fuck 'em.
The Krawetz thread included a claim that stretchoid was trying to hack a VPN login, but it was not followed up. Another post claimed that stretchoid not only continued to scan after an opt-out, but escalated the scanning and hacking attacks on the poster's system. There was no follow-up in the thread. Neither of these claims matches my experience, but they bear watching.
Stretchoid is hard to locate in IP space. Public organizations that run scanners usually publish the addresses that send their probes. Onyphe, for example, does so on their front page. Like Stretchoid, they offer an opt-out on that page, but they helpfully suggest that recipients simply block those published addresses if they do not wish to submit the form. (Azure publishes a number of other lists, which I will get to, eventually.)
Two actively maintained lists:
We have used S. Victor's lists for many years, but frequently see scans from unlisted stretchoid.com hosts, perhaps daily. Typically, they would be listed the following day. Looking at the DNS, Microsoft uses hostnames with short TTLs and no reverse for the stretchoid.com domain. The DNS sometimes returns 127.0.0.1 for "hostname".stretchoid.com, for some values of "hostname". It looks very much as if Microsoft rotates a set of host names (now starting with the letters "azp") over a larger range of IP addresses.
To get some notion of that larger range of IPs, we combined OpenFilters' and svictor's lists of IPv4 addresses, generated a list of the /24 networks that contain them, and then aggregated that. Packets from these networks were logged, and all of the data shown here came from that log.
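The list-building step described above, as an added example that is not the author's own tooling: it merges two address lists, maps each address to its containing /24, and aggregates adjacent /24s into larger CIDR blocks. The function names and the sample lists (private and documentation ranges) are constructed for illustration.

```python
import ipaddress

def parse_list(text):
    """Yield IPv4 addresses from a one-per-line list, skipping comments, blanks and junk."""
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            continue                      # not an address: ignore the line
        if addr.version == 4:
            yield addr

def containing_24s(addrs):
    """Map each address to the /24 that contains it; the set removes duplicates."""
    return {ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}

def aggregate(nets):
    """Merge adjacent or overlapping networks into the fewest CIDR blocks."""
    return list(ipaddress.collapse_addresses(nets))

def is_covered(ip, blocks):
    """True when a logged source address falls inside any aggregated block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)

# Constructed sample lists (private and documentation ranges, not real scanner IPs)
LIST_A = """# hypothetical list A
10.20.4.7
10.20.5.200
192.0.2.55
"""
LIST_B = """10.20.5.200
10.20.6.1
10.20.7.9
not-an-address
"""

def build_blocklist(*lists):
    addrs = [a for text in lists for a in parse_list(text)]
    return aggregate(containing_24s(addrs))

if __name__ == "__main__":
    for net in build_blocklist(LIST_A, LIST_B):
        print(net, net.num_addresses)
```

Because aggregation only merges /24s that are adjacent and aligned, the resulting blocks never cover a /24 that held no listed address.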
There were probes from 988 unique IPs. 559 of those were NXDOMAIN, while the rest were from named stretchoid.com hosts. No pattern was apparent in the use of named and unnamed hosts: both are used, apparently indiscriminately, to probe. We assume they are all part of stretchoid. S. Victor's rDNS scans would miss many scanners, which may be why Internet Scanners lists are so much larger.
Talosintelligence.com reports on /24s containing these named hosts are usually interesting. Some contain mostly named hosts, but others are a mixture of named and unnamed hosts. Many of the unnamed hosts send significant volumes of mail, many showing a "used every other day" pattern. Drilling down all the way to the containing /21s reveals vast numbers of hosts with no rDNS. Most send significant monthly volumes. I speculate that Microsoft may probe from any IP in those /24s, both named and unnamed, and that they will not use those /24s as normal servers. A weaker speculation is that this extends to networks as large as /21s. Based on the firmer speculation, we now block all traffic from our list of stretchoid /24s (over 263K host IP addresses), and hope to block more.
Can we block stretchoid /24s? Our weaker speculation was incorrect. Microsoft mixes customer servers with the stretchoid servers, even within a single /24.
We generated a list of 1527 /24s that contain the stretchoid hosts listed by OpenFilters and SVictor, then looked up the rDNS on every IP in those /24s. There were 390,912 NXDOMAINs, 2126 named hosts and 4 errors (each error may include one or more failed lookups). Removing duplicates left 1136 hosts with a rDNS. Of these 888 were *.stretchoid.com, 90 were *.turbify.biz, 42 were *.azure.com. Of the remaining 116, 44 had bad FCrDNS records. That left a final list of stretchoid.com, turbify.biz, azure.com and 72 other hosts that our list would block. Blocking stretchoid is, of course, the purpose of this list, but what about the others? We can't recommend using a list like this generally, but we can use it locally if it doesn't affect our mail stream.
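A sketch of the rDNS survey described above, added here and not the author's script: each address is labelled by its PTR name and by whether that name resolves back to the same address (FCrDNS). It applies the forward check to every named host, stretchoid.com names included, which is stricter than the tally above; the hostnames and addresses in the sample tables are constructed so the example runs without DNS.

```python
import socket
from collections import Counter

def ptr_lookup(ip):
    """Return the PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None

def a_lookup(name):
    """Return the set of IPv4 addresses a name resolves to (empty on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def classify(ip, ptr=ptr_lookup, fwd=a_lookup):
    """Label one address: 'no-rdns', 'bad-fcrdns', 'stretchoid' or 'other'."""
    name = ptr(ip)
    if not name:
        return "no-rdns"
    if ip not in fwd(name):
        return "bad-fcrdns"               # PTR name does not point back at ip
    if name == "stretchoid.com" or name.endswith(".stretchoid.com"):
        return "stretchoid"
    return "other"                        # collateral: a named, confirmed host

def survey(ips, ptr=ptr_lookup, fwd=a_lookup):
    """Count the labels over every address in the candidate block list."""
    return Counter(classify(ip, ptr, fwd) for ip in ips)

# Constructed stand-ins for DNS answers (documentation ranges, made-up names)
SAMPLE_PTR = {
    "192.0.2.10": "azp-sample-1.stretchoid.com",
    "192.0.2.11": "mail.example.net",
    "192.0.2.12": "azp-sample-2.stretchoid.com",
    "192.0.2.13": "host.example.org",
}
SAMPLE_A = {
    "azp-sample-1.stretchoid.com": {"192.0.2.10"},
    "mail.example.net": {"192.0.2.11"},
    "azp-sample-2.stretchoid.com": {"127.0.0.1"},   # forward answer is loopback
    "host.example.org": {"198.51.100.9"},           # forward points elsewhere
}

def sample_survey():
    ips = [f"192.0.2.{n}" for n in range(10, 15)]
    return survey(ips, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
```

The 'other' bucket is the one to review before blocking whole /24s, since it holds the confirmed non-scanner hosts a block would also cut off.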
Blocked senders include:
The Azure cloud is vast. It is perhaps surprising that Microsoft would put clients in a space with a generally poor reputation. Given they do that, it is perhaps surprising that they do not put more clients there. They could use the space more productively: we're not running out of IPv4, they are just locked up in corporate vaults.
We will continue to block IPs in OpenFilters' and SVictor's lists. We will log and block connections from unlisted IPs in the containing /24s. We have few of the latter, all from IPs with no rDNS.