 | Source of Win PopUP SPAM - prevention steps I believe I have figured out the hosts that were used to send the recent rash of PopUP SPAM...I also found a great article that shows how to disable RPC services:
»www.mynetwatchman.com/kb/securit···pupspam/
enjoy. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
|
 | Does no one care about this??
..thought this was pretty important stuff.
How many people actually received the 'Diploma' popups? -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
|
 winsyrstrifeRiver City BouncePremium join:2002-04-30 Brooklyn, NY | I just stumbled across NetWatchMan earlier today. I appreciate this link, although I've never experienced a WinPopUp spam message yet. |
|
 | reply to NetWatchMan I never saw any of those, unsurprisingly, as I'm all firewalled up.
With that said, it's great that someone is actually looking into it. Good job. -- Mors Principium Est. |
|
 ChrisJTPremium join:2001-12-20 Torrance, CA | reply to NetWatchMan My wife has been getting that diploma popup on her computer.
I'm reading the article now...
I'm not too network savvy, so maybe someone could write up a How-To post on disabling this annoying popup. Maybe it's as easy as adding the url to the HOSTS file? -- You get what you pay for. |
|
 Name GamePremium join:2002-07-07 North Myrtle Beach, SC kudos:6
| reply to NetWatchMan Totally disable Messenger. You find it in Control Panel > Services > Messenger. If you are on a Windows 2000 network, remove NWLink from all computers' network properties.
Make sure you have a good firewall. »www.techtv.com/screensavers/answ···,00.html
»www.microsoft.com/windows2000/te···wcug.htm [text was edited by author 2002-10-14 15:51:45] |
|
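The steps from the post above, typed at a Windows command prompt. This is an added example, not part of any poster's message; it assumes an administrator prompt on Windows 2000/XP and that the firewall is set up separately.

```bat
@echo off
rem Added example (not from the thread). Run as Administrator on Windows 2000/XP.
rem sc.exe ships with XP; on Windows 2000 it is assumed to be installed
rem from the Resource Kit.

rem 1. Show the current state of the Messenger service.
sc query Messenger | find "STATE"

rem 2. Stop it now (prints a harmless error if it is already stopped).
net stop Messenger

rem 3. Keep it from starting at the next boot.
rem    The space after "start=" is required by sc.
sc config Messenger start= disabled
if errorlevel 1 echo Could not change the start type - are you an administrator?

rem 4. Confirm the start type now reads DISABLED.
sc qc Messenger | find "START_TYPE"

rem 5. List anything still listening on RPC (135) or NetBIOS (137-139).
rem    findstr treats the space-separated items as alternatives; it also
rem    matches longer port numbers that begin with the same digits.
netstat -an | findstr ":135 :137 :138 :139"
if errorlevel 1 echo Nothing is listening on 135 or 137-139.
```

Port 135 normally still shows as listening after Messenger is disabled, because the RPC endpoint mapper is a separate service; that is the part the firewall has to cover.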
 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ
| reply to NetWatchMan said by NetWatchMan: Does no one care about this??
..thought this was pretty important stuff.
How many people actually received the 'Diploma' popups?
ROFLMAOASTC! Yes Lawrence. It is pretty important stuff. But, anyone who's switched to anything other than IE or has killed Messenger, hasn't had the problem. I suspect most of the people who post here have done one or the other. 
It's like the "How to" I just posted last night in All Things Unix. It's the instructions on how to initialize iptables for the first time on a Gentoo GNU/Linux system. And nary a peep from anyone.
I even included a nice little iptables script showing how to set up for a ppp connection!

EDIT - made a small boo-boo.
-- My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003 [text was edited by author 2002-10-14 17:22:36] |
|
 | reply to NetWatchMan I'll bet the people in the SPAM forum might be more interested in this 
But I'm impressed with your work, Lawrence  -- It takes a disaster to make a woman out of a female |
|
 KAD ImagingJust Shoot ItPremium join:2002-09-21 Hialeah, FL | reply to NetWatchMan I don't know if either of you guys work in the industry, but typically IT is a "thankless" existence! That's why we have to be "there" for each other support wise. And to that I say.....
GOOD JOB!! 
NICE WORK!! 
WAY TO GO!! 
lol! -- -The Cobra "Heh, your broadband style is good grasshopper....but not good enough. Watch my Earthlink style..." 1222K download 218K upload (EL 1.5M/256K) |
|
 ChrisJTPremium join:2001-12-20 Torrance, CA | reply to Name Game Thanks for the simple How-To!  -- You get what you pay for. |
|
 HutchPremium join:2000-10-14 australia Reviews:
·Bigpond
·Internode
| reply to NetWatchMan Thanks for the information MyNetWatchMan. I have not encountered this problem yet. I think ASP has been blocking these pop-ups for me. But I have taken your information on board. Just in case.  -- Regards JD  |
|
 jaykaykay4 Ever YoungPremium,MVM join:2000-04-13 Scottsdale, AZ kudos:19 Reviews:
·Speakeasy
| reply to NetWatchMan Sure I'm interested in what you found, Lawrence. I haven't been one of those plagued with the problem, but I have followed the issue here and on other forums. While it doesn't affect me personally, the work you have put into finding what you have is of value to many, even if they haven't found it yet or knew it already. Many things seem to be ignored. They're really not. You are most appreciated.  -- JKK Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature! |
|
 djaThe 'd' is silent ... unlike the member.Premium join:2002-03-25 Niagara | reply to NetWatchMan
Re: MS 'YapWare' I won't use .NET/MSN/XP or any other Microsoft 'yapware' until I am absolutely forced to. --
the "d" is silent ... unlike the member  |
|
 jaykaykay4 Ever YoungPremium,MVM join:2000-04-13 Scottsdale, AZ kudos:19 Reviews:
·Speakeasy
| In a word, agreed, but a huge number of folks do, so finding these things and knowing what to do with them is great. There are too many folks who have no idea what is going on and Lawrence really laid it all out for them. -- JKK Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature! |
|
 | Jaykaykay...agreed. Like really "above and beyond".
Way to go, Lawrence. I always enjoy reading your investigations here. We appreciate your Watching (and informing) the Hood. -- It takes a disaster to make a woman out of a female |
|
 JRBloodPremium join:1999-12-28 Syracuse, NY | reply to NetWatchMan
Re: Source of Win PopUP SPAM - prevention steps I got one attempt today from ev1.net: »www.mynetwatchman.com/LID.asp?IID=9858771
It's rather interesting that it didn't hit any of the other agents I have on my subnet (see below). Makes me wonder if they're generating a "random" IP address list and then sending the packet.
Another interesting one: »www.mynetwatchman.com/LID.asp?IID=10156208
Of the 7 I have in this list, 5 of them are not pingable, but the other two are and as a result got sent the 135 packet. |
|
 culpcDesert Rat join:2002-04-02 Farmington, NM | reply to NetWatchMan Thanks for the link!! Those bastards hit me this AM at work; irritates me more than just a little bit! |
|
 | reply to NetWatchMan In a further update on this...I did an IEEE OUI lookup on the MAC addresses...they come back as 'VMWARE'...that makes more sense now...these appear to be Linux boxes running VMWARE (Windows Emulation software).
Also, make sure you check the link I included in my write up:
»www.hsc.fr/ressources/breves/min···.en.html
This is one of the best, step-by-step guides I've seen to shut down all the nonsense ports that MS opens by default.
If you're actually getting these popups, that means you're exposing services that you shouldn't be...and where is your firewall?
Thanks for all the responses...
I'm curious on people's opinion as to if this kind of SPAM could be considered a violation of the law?
Does leaving Messenger enabled and dangling on the Internet give someone the right to jam a popup at it?
Please don't just rant about this (we all hate SPAM), state your case and provide precedent.
I have to give them credit, I was thinking about using this technique to notify owners of hacked hosts.... -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
|
 guycad$In Search Of Free SpeechPremium join:2002-05-02 Pompton Lakes, NJ | I don't think there is anything illegal about this form of spam yet. It's not a fax or email. It doesn't take up space on your hard drive (unlike email) and some argument can be made that if this is spam, then popup ads in general are spam.
What this really is, is another Micro$tinker Security Blunder. ie: Let's add another feature! How secure is it? Well, it'll work every time!  -- My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003 |
|
 jaykaykay4 Ever YoungPremium,MVM join:2000-04-13 Scottsdale, AZ kudos:19 Reviews:
·Speakeasy
| reply to NetWatchMan said by NetWatchMan:
I'm curious on people's opinion as to if this kind of SPAM could be considered a violation of the law?
Does leaving Messenger enabled and dangling on the Internet give someone the right to jam a popup at it?
Please don't just rant about this (we all hate SPAM), state your case and provide precedent.
I have to give them credit, I was thinking about using this technique to notify owners of hacked hosts....
What's your description of Spam? Mine is, as copied from »spam.abuse.net/overview/whatisspam.shtml :
Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it.
Using this technique is no different to me than any other method of delivering something to my system without my OK. If they had said that that was what was going to happen by having this tool available and allowed me to decide if I wanted to use it on my system, fine. Since they didn't, it isn't any different than anything else that someone chooses to drop on me without my knowledge.
However, if you were to use a tool of this sort to notify owners of hacked sites and did so with their knowledge and permission, then you are not Spamming. You are using a tool for the good of both of you. Big difference.
Plain and simple, if there is such a thing, it is most definitely Spam and by my definition, illegal. I suppose the legal beagles can tear my feelings in shreds on the legal description, but as I am not an attorney, I will not go into the technicalities and will let someone else do so. -- JKK Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature! |
|