
psloss, Premium, join: 2002-02-24, Alpharetta, GA
reply to Link Logger
Re: Messenger Spam on 1026 - Bad News Kids
said by Link Logger: So the point is nothing is carved in stone about UDP port 1026 and it could be a different port on different systems depending on OS version and configuration (i.e., what services you have running and even what order they start up in).
Agreed...on the subject of what ports we are testing with the WinPopup tester, we added UDP ports 1025-1029 (inclusive). For further additions, we will probably wait until spammers begin widely exploiting ports higher than that existing range. So far, I haven't seen a lot of Messenger service spam activity above UDP port 1027.
Edit: reviewing logs here, I am starting to see some activity from a couple of spammers that send the same packet to UDP 1026, 1027, and 1028 in sequence. That is covered in the current port set we use, but as above, we'll probably monitor the spam activity rather than theoretical possibilities. Put another way: we'll wait for the spammers to send spam on more ports rather than the possible ports that the Messenger service is listening on...
Philip Sloss
[text was edited by author 2003-09-16 17:52:02]
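The multi-port pattern described in the post above, as an added example that is not part of the original thread: a small log scan that flags same-size UDP packets sent to several ports in the 1025-1029 set on one host. The log format, the 10-second window, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Port set named in the post above: UDP 1025-1029 inclusive.
MESSENGER_PORTS = range(1025, 1030)
WINDOW = timedelta(seconds=10)  # assumption: how close together counts as "in sequence"

# Constructed sample lines in a made-up firewall log format (documentation IP ranges).
SAMPLE_LOG = """\
2003-09-16 17:40:01 DROP UDP 198.51.100.7:32811 -> 192.0.2.10:1026 len=487
2003-09-16 17:40:01 DROP UDP 198.51.100.7:32811 -> 192.0.2.10:1027 len=487
2003-09-16 17:40:02 DROP UDP 198.51.100.7:32811 -> 192.0.2.10:1028 len=487
2003-09-16 17:41:15 DROP UDP 203.0.113.44:4021 -> 192.0.2.10:1026 len=512
2003-09-16 17:42:30 DROP UDP 203.0.113.9:53 -> 192.0.2.10:1027 len=120
2003-09-16 17:55:00 DROP UDP 203.0.113.9:53 -> 192.0.2.10:1029 len=96
2003-09-16 17:56:00 DROP TCP 198.51.100.7:4444 -> 192.0.2.10:1026 len=60
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) DROP UDP (\S+):\d+ -> (\S+):(\d+) len=(\d+)$")

def find_port_sweeps(log_text, min_ports=2):
    """Return {(src, dst, length): sorted ports} for same-size UDP packets sent
    to several Messenger-range ports on one host within WINDOW of the first."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-UDP or unparseable line
        ts, src, dst, port, length = m.groups()
        if int(port) in MESSENGER_PORTS:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            hits[(src, dst, int(length))].append((when, int(port)))
    sweeps = {}
    for key, events in hits.items():
        events.sort()
        first = events[0][0]
        # Count only distinct ports hit within WINDOW of the first packet.
        ports = sorted({p for t, p in events if t - first <= WINDOW})
        if len(ports) >= min_ports:
            sweeps[key] = ports
    return sweeps

if __name__ == "__main__":
    for (src, dst, length), ports in find_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {length}-byte packet to UDP ports {ports}")
```

Because UDP source addresses are easy to spoof, the source field here is a grouping key for spotting the pattern, not attribution.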
Link Logger, Premium, MVM, join: 2001-03-29, Calgary, AB
That strategy makes sense.
The question is how far will these spammers go with this as this new method will allow them to really crank up the volumes of spam sent out big time. How much is too much, before someone takes action to limit them or will they have a free license to go as far as they want in terms of bandwidth usage etc?
Blake
psloss, Premium, join: 2002-02-24, Alpharetta, GA
said by Link Logger: The question is how far will these spammers go with this as this new method will allow them to really crank up the volumes of spam sent out big time. How much is too much, before someone takes action to limit them or will they have a free license to go as far as they want in terms of bandwidth usage etc?
That's a good question, which I can't answer. I can only speculate. Here's a couple of factors that I always think about:
First, it's easier to block. As you noted earlier, it's going to be hard for ISPs to block ephemeral ports; however, end-users can employ a "firewall" (hardware, software, or a combination). Unsolicited UDP packets should be blocked by default by most "firewalls." If Microsoft follows through with their threat to activate XP's Internet Connection Firewall (ICF), that would go some way in discouraging this as a long-term method for bulk advertisers.
On the other hand, it's easy to spoof and therefore harder to trace. Which unfortunately makes it almost a no-risk deal for a spammer.
As with what we are doing in monitoring the destination ports, we are also watching trends in the advertisements themselves and they still seem to be predominantly advertisements for cheap products -- anything that is not free is a rip-off in my opinion -- to disable the Messenger service.
(Aside: I suggest that anyone considering buying one of these "products" instead go get Steve Gibson's free utility, Shoot The Messenger: news.grc.com/stm/shootthemessenger.htm)
In other words, the spam is mostly for products to stop the spam. That suggests (doesn't prove) that advertisers are not jumping on the bandwagon. It also may suggest there isn't a bandwagon.
That's my speculation (or some of it),
Philip Sloss
-- (Thanks, anonymous!) Feedback? e-mail: stuff@lupwa.org