republican-creole
site Search:


Home Reviews Tools Forums FAQs Find Service ISP News Maps About  
 
    All Forums Hot Topics Gallery






how-to block ads

  
Forums >

Broadband Tech > Security > Security > Messenger Spam on 1026 - Bad News Kids

Search Topic:
 Share Topic
Posting?
Post a:
Post a:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
AuthorAll Replies


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
Reviews:
·Shaw

reply to psloss

Re: Messenger Spam on 1026 - Bad News Kids

On XP svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). Typically on a XP system on UDP port 1026 you will see that svchost.exe is running task number 652 (on my system) which using 'tasklist /SVC' (see »support.microsoft.com/default.as···s;314056 for details) you will see that 652 on my XP Pro system contains the Messenger service and some other functionality.

On Win2k Services is somewhat similar to svchost in function but also has the responsibility of running the Messenger Service as shown by TList -s (see »support.microsoft.com/default.as···S;250320 for details). So on my Win2k Advanced server you see that on UDP port 1031 Services.exe is running and under it a number of other applications including an instance of svchost.exe (using Process Explorer from sysinternals).

So the point is nothing is carved in stone about UDP port 1026 and it could be a different port on different systems depending on OS version and configuration (ie what services you have running and even what order they startup in).

To send one hit Message to a Win2k system you need to find out what port the Services.exe is listening on and and on XP what svchost process is running the Messenger Service and what port it is listening on. For most systems this is UDP port 1026.

Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Comhttp://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
to forum · permalink · 2003-09-16 17:16:55 ·

psloss
Premium
join:2002-02-24
Alpharetta, GA

said by Link Logger:
So the point is nothing is carved in stone about UDP port 1026 and it could be a different port on different systems depending on OS version and configuration (ie what services you have running and even what order they startup in).
Agreed...on the subject of what ports we are testing with the WinPopup tester, we added UDP ports 1025-1029 (inclusive). For further additions, we will probably wait until spammers begin widely exploiting ports higher than that existing range. So far, I haven't seen a lot of Messenger service spam activity above UDP port 1027.

Edit: reviewing logs here, I am starting to see some activity from a couple of spammers that send the same packet to UDP 1026, 1027, and 1028 in sequence. That is covered in the current port set we use, but as above, we'll probably monitor the spam activity rather than theoretical possibilities. Put another way: we'll wait for the spammers to send spam on more ports rather than the possible ports that the Messenger service is listening on...

Philip Sloss

[text was edited by author 2003-09-16 17:52:02]
to forum · permalink · 2003-09-16 17:41:06 ·


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
Reviews:
·Shaw

That strategy makes sense.

The question is how far will these spammers go with this as this new method will allow them to really crank up the volumes of spam sent out big time. How much is too much, before someone takes action to limit them or will they have a free license to go as far as they want in terms of bandwidth usage etc?

Blake

to forum · permalink · 2003-09-16 18:01:59 ·

psloss
Premium
join:2002-02-24
Alpharetta, GA

said by Link Logger:
The question is how far will these spammers go with this as this new method will allow them to really crank up the volumes of spam sent out big time. How much is too much, before someone takes action to limit them or will they have a free license to go as far as they want in terms of bandwidth usage etc?
That's a good question, which I can't answer. I can only speculate. Here's a couple of factors that I always think about:

First, it's easier to block. As you noted earlier, it's going to be hard for ISPs to block ephemeral ports; however, end-users can employ a "firewall" (hardware, software, or a combination). Unsolicited UDP packets should be blocked by default by most "firewalls." If Microsoft follows through with their threat to activate XP's Internet Connection Firewall (ICF), that would go some way in discouraging this as a long-term method for bulk advertisers.

On the other hand, it's easy to spoof and therefore harder to trace. Which unfortunately makes it almost a no-risk deal for a spammer.

As with what we are doing in monitoring the destination ports, we are also watching trends in the advertisements themselves and they still seem to be predominantly advertisements for cheap products -- anything that is not free is a rip-off in my opinion -- to disable the Messenger service.

(Aside: I suggest that anyone considering buying one of these "products" instead go get Steve Gibson's free utility, Shoot The Messenger:
»news.grc.com/stm/shootthemessenger.htm)

In other words, the spam is mostly for products to stop the spam. That suggests (doesn't prove) that advertisers are not jumping on the bandwagon. It also may suggest there isn't a bandwagon.

That's my speculation (or some of it),

Philip Sloss
--
(Thanks, anonymous!) Feedback? e-mail: stuff@lupwa.org
to forum · permalink · 2003-09-16 18:40:06 ·
Forums > Broadband Tech > Security > Security

Sunday, 03-Jun 10:52:19 Terms of Use & Privacy | feedback | contact | Hosting by nac.net - DSL,Hosting & Co-lo
over 12.5 years online © 1999-2012 dslreports.com.
Most commented news this week
Hot Topics