
NetWatchMan (Premium, VIP; joined 2001-03-13; Alpharetta, GA)
Update: Windows Messenger Spam
I spent a good amount of time updating my documentation on the blasted Messenger Spam phenomenon:
myNetWatchman Guide to Messenger SPAM
Psloss was also good enough to update our WinPopUP tester to include the new ports the blasted spammers are jamming these messages to: udp/1026-1029 as a result of udp/135 filtering by most ISPs.
We've also customized the messages that we send to include the port number that the message was sent on; that way you know exactly how this spam is getting through (if it's getting through).
If you know someone grappling with this problem, I hope this helps.
I've also been doing deeper research on this; ironically, 90% of the messenger spam I see on my Comcast IP is promoting products to block messenger spam. What I initially thought was 10-20 different companies/products really appears to be 3-4 companies using a wide variety of names (e.g. messagestop.net, messengerbegone.com, destroyads.com, directadstopper.com, messengerdestroyer.com, endads.com, defeatmessenger.com, messagebasher.com, broadcastblocker.com, messengerstopper.com, etc.) to advertise just 3-4 unique products, and many of those seem to correlate back to PO boxes in San Diego, CA, so I suspect the true number of companies may be even smaller.
Enjoy. -- Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch

B (Premium, MVM; joined 2000-10-28)
Thank you, Lawrence! At least somebody is paying attention to this issue.
We had a VPN user who was getting Messenger spam right through ZoneAlarm; I thought ZA was malfunctioning, but all remote probe tests (including Gibson's) showed that port 135 was stealthed.
We finally found that port 1026 was being held open by Services and Control App (services.exe). I (rightly it now seems) concluded that spammerscum were sending directly to that port whether or not 135 was open.
First, does Services.exe have that port open for anything BESIDES the messenger service?
Even if it's just the messenger service, in a VPN situation we WANT the messenger service available for network broadcasts.
My solution was to tweak ZoneAlarm (2.x) so that Services.exe does NOT have "server" rights in the Internet zone, but DOES have server rights in the Local zone. The messenger spam was gone.
-- B

CalamityJane (Premium, VIP, MVM; joined 2002-08-27; Eustis, FL)
(reply to NetWatchMan) Many thanks, Lawrence! An excellent webpage gets even better... I like it! I have it bookmarked and use it often here to refer other folks having this problem. Your work (and that of psloss, both) is much appreciated and can't be said enough.
Thank you -- It takes a disaster to make a woman out of a female
Gladiator Security Forum

kpatz (MY HEAD A SPLODE; Premium; joined 2003-06-13; Manchester, NH)
(reply to NetWatchMan) Thanks, Lawrence, for the updates. Like you, I've been keeping tabs on the messenger spam epidemic myself. Although my Linux firewall blocks the packets from reaching my Windows boxes, ever since April 1 I have been capturing and logging udp/135 packets. In August, when scans started coming in on 1026, and especially after Comcast blocked 135 in response to Blaster, I've seen a dramatic increase in the number of scans on 1026, 1027, and 1028. Most probes occur on 1026, fewer on 1027 and only a couple on 1028. On occasion a spammer will hit two or three of the ports. Like you, I'm finding the majority of the spam to be peddling anti-messenger solutions from MessengerKiller, EndAds.com, MessengerDestroyer, DefeatMessenger, FightPopups; the list goes on and on. To date I've captured over 2300 spams and cataloged 184 unique messages (obviously, the same messages are being sent over and over). If I break down the spam packets by major category, they break down as follows:
Messenger Blockers: 2159 (90.6%)
Diet/Weight Loss: 119 (5.0%)
Spamming Software: 31 (1.3%)
Porn: 20 (0.8%)
Money/Investing: 16 (0.7%)
Loans: 12 (0.5%)
Drugs: 10 (0.4%)
Other: 15 (0.6%)
Seems ironic that the product advertised by 90% of messenger spam is intended to stop messenger spam.

psloss (Premium; joined 2002-02-24; Alpharetta, GA)
(reply to B) said by B:
> We finally found that port 1026 was being held open by Services and Control App (services.exe). I (rightly it now seems) concluded that spammerscum were sending directly to that port whether or not 135 was open.
> First, does Services.exe have that port open for anything BESIDES the messenger service?
Sounds like a Windows 2000 box...
For the most part, only one application will have open a specific TCP or UDP port. So in general if the Messenger service (via the services.exe "shell" on Windows 2000 or svchost.exe on XP and up) has that port open, then no other application would.
Having udp/1026 open does not necessarily indicate that the Messenger service is running; the service could have a different ephemeral port open and (as Lawrence and kpatz noted) that's why the spammers are starting to fire these packets at udp/1026 thru udp/1028.
For this update to our WinPopup tester, we decided to also include udp/1025 and udp/1029 even though we haven't seen much Messenger spam activity on those ports. So for the record, the tester now sends six packets -- one each to UDP ports 135 and 1025-1029, inclusive. At most, though, a computer with the Messenger service running should only see two popups. Obviously, a packet sniffer would see all of them.
Philip Sloss -- (Thanks, anonymous!) Feedback? e-mail: stuff@lupwa.org

mboy (Premium; joined 2001-04-13; Little Falls, NJ)
(reply to B) said by B:
> Thank you Lawrence! At least somebody is paying attention to this issue.
> We had a VPN user who was getting Messenger spam right through ZoneAlarm; I thought ZA was malfunctioning, but all remote probe tests (including Gibson's) showed that port 135 was stealthed.
> We finally found that port 1026 was being held open by Services and Control App (services.exe). I (rightly it now seems) concluded that spammerscum were sending directly to that port whether or not 135 was open.
> First, does Services.exe have that port open for anything BESIDES the messenger service?
> Even if it's just the messenger service, in a VPN situation we WANT the messenger service available for network broadcasts.
> My solution was to tweak ZoneAlarm (2.x) so that Services.exe does NOT have "server" rights in the Internet zone, but DOES have server rights in the Local zone. The messenger spam was gone.
> -- B
Are you allowing split tunneling when running the VPN?
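The per-port and per-category tally that kpatz describes (capturing datagrams aimed at udp/135 and udp/1026-1028 and cataloguing the unique messages), combined with the port list psloss gives for the tester (udp/135 and udp/1025-1029), as an added example that is not code from myNetWatchman, psloss or kpatz. The log line shape, the category keywords and the sample capture are all constructed for this example; the category names follow kpatz's breakdown, and the addresses are documentation ranges.

```python
"""Tally Messenger-service spam probes by destination UDP port and by category.

Added example for this thread, not code from myNetWatchman, psloss or kpatz.
The log format below is constructed: one line per captured datagram carrying
the UDP destination port and the popup text, roughly what a firewall that logs
and decodes these packets (as kpatz describes) might emit.
"""
import re
from collections import Counter

# Ports the thread reports Messenger spam arriving on: udp/135 plus the
# ephemeral ports udp/1025-1029 that the WinPopup tester now probes.
MESSENGER_PORTS = {135, 1025, 1026, 1027, 1028, 1029}

# Keyword rules in priority order (first match wins). Category names follow
# kpatz's breakdown; the keywords themselves are an assumption for the example.
CATEGORY_RULES = [
    ("Messenger Blockers", ("messenger", "popup", "pop-up", "stop ads")),
    ("Diet/Weight Loss", ("diet", "weight", "lbs")),
    ("Spamming Software", ("bulk", "broadcast software", "send to millions")),
    ("Porn", ("xxx", "adult")),
    ("Money/Investing", ("invest", "stock")),
    ("Loans", ("loan", "mortgage")),
    ("Drugs", ("viagra", "pharmacy", "pills")),
]

# Constructed line shape: <timestamp> udp <src>:<sport> -> <dst>:<dport> "<text>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) udp (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+) "(?P<msg>[^"]*)"$'
)

# Constructed sample capture: documentation-range addresses, made-up hostnames.
SAMPLE_LOG = """\
2003-09-01T10:00:01 udp 198.51.100.7:1234 -> 203.0.113.5:1026 "Stop these Windows Messenger popups! Visit example-blocker.test"
2003-09-01T10:00:05 udp 198.51.100.7:1234 -> 203.0.113.5:1027 "Stop these Windows Messenger popups! Visit example-blocker.test"
2003-09-01T10:03:12 udp 198.51.100.9:5000 -> 203.0.113.5:135 "Lose 20 lbs in 30 days with our diet patch"
2003-09-01T10:07:44 udp 198.51.100.22:4444 -> 203.0.113.5:1026 "Send to millions with our broadcast software"
2003-09-01T10:09:00 udp 198.51.100.7:1234 -> 203.0.113.5:1028 "Stop these Windows Messenger popups! Visit example-blocker.test"
2003-09-01T10:12:30 udp 198.51.100.31:999 -> 203.0.113.5:1026 "Low rate home loan, apply today"
2003-09-01T10:15:00 udp 198.51.100.40:2000 -> 203.0.113.5:4000 "unrelated datagram on a non-messenger port"
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict with ts, src, dport (int) and msg, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def categorize(msg):
    """Map a popup's text to one of kpatz's categories; unmatched text is 'Other'."""
    text = msg.lower()
    for category, keywords in CATEGORY_RULES:
        if any(k in text for k in keywords):
            return category
    return "Other"


def summarize(log_text):
    """Count in-scope datagrams by destination port and category; dedupe message texts."""
    by_port = Counter()
    by_category = Counter()
    unique_messages = set()
    unparsed = out_of_scope = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["dport"] not in MESSENGER_PORTS:
            out_of_scope += 1  # not one of the ports the thread is about
            continue
        by_port[rec["dport"]] += 1
        by_category[categorize(rec["msg"])] += 1
        unique_messages.add(rec["msg"])
    return {
        "total": sum(by_port.values()),
        "by_port": by_port,
        "by_category": by_category,
        "unique_messages": len(unique_messages),
        "unparsed": unparsed,
        "out_of_scope": out_of_scope,
    }


def report(summary):
    """Render the breakdown in the shape of kpatz's figures: count and percent."""
    total = summary["total"] or 1
    lines = ["Probes per destination port:"]
    for port, n in sorted(summary["by_port"].items()):
        lines.append(f"  udp/{port}: {n}")
    lines.append("Spam by category:")
    for cat, n in summary["by_category"].most_common():
        lines.append(f"  {cat}: {n} ({100.0 * n / total:.1f}%)")
    lines.append(f"Unique messages: {summary['unique_messages']} of {summary['total']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

The port filter runs before any text matching, which mirrors psloss's caveat: a datagram landing on udp/1026-1029 says only that the spammer is guessing at ephemeral ports, not that the Messenger service is actually listening there, so the tally is a measure of what is being thrown at the host, not of what got through.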