[Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026

morning_wood se_cur_ity at hotmail.com
Sat Jun 21 21:02:48 GMT 2003


The point being there should be no ISP blocking of any ports, period.
Why? For what purpose? I would seek another provider if my ISP
purposefully blocked ports. Unless a critical mass DDoS was in full
disruption and temporary measures taken to prevent further
amplification, were used and full service restored after the threat was
diminished.

wood

----- Original Message ----- 
From: "Johannes Ullrich" <jullrich at euclidian.com>
To: "General DShield Discussion List" <list at dshield.org>
Cc: "Joe Stewart" <jstewart at lurhq.com>;
<full-disclosure at lists.netsys.com>
Sent: Saturday, June 21, 2003 10:14 AM
Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup
Spam on UDP Port 1026


> Well, blocking port 1026 is probably not such a great idea. But
> why would a non-windows user suffer if port 135-139 & 445 is
> blocked?
>
>
>
> On Sat, 2003-06-21 at 00:40, morning_wood wrote:
> > so all users should suffer an ISP blocking ports just because some
> > people run windows???? excuse me? Better would be to just disable
> > windows messaging service. or issue a patch for it, as opposed to
> > blocking port traffic.
> >
> > wood
> >
> > ----- Original Message ----- 
> > From: "Joe Stewart" <jstewart at lurhq.com>
> > To: <list at dshield.org>
> > Cc: <full-disclosure at lists.netsys.com>; <intrusions at incidents.org>;
> > <isc at sans.org>
> > Sent: Friday, June 20, 2003 7:37 PM
> > Subject: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026
> >
> >
> > > Windows Messenger Popup Spam on UDP Port 1026
> > >
> > > URL: http://www.lurhq.com/popup_spam.html
> > > Release Date: June 20, 2003
> > > Author: Joe Stewart
> > >
> > > LURHQ Corporation has observed traffic to large blocks of IP
> > > addresses on UDP port 1026. This traffic started around June 18,
> > > 2003 and has been constant since that time. LURHQ analysts have
> > > determined that the source of the traffic is spammers who have
> > > discovered that the Windows Messenger service listens for
> > > connections on port 1026 as well as the more widely-known port 135.
> > > Windows Messenger has been a target for spammers since late last
> > > year, because it allows anonymous pop-up messages to be displayed
> > > on any Windows system running the messenger service. Due to
> > > widespread abuse, many ISPs have moved to block inbound traffic on
> > > UDP port 135. It appears the spammers have adapted, so ISPs are
> > > urged to block UDP port 1026 inbound as well.
> > >
> > > It is possible to disable the messenger service on some platforms
> > > following the instructions below. However, the fact that you can
> > > receive these messages points to the fact that your computer is
> > > unsecured and vulnerable to other possible attacks in the future.
> > > Disabling the messenger service will stop the pop-up spam, but will
> > > not protect you in any other way. Home users are encouraged to
> > > install personal firewall software to block unauthorized
> > > connections to their computers. Users are discouraged from
> > > purchasing specialized Windows Messenger popup blocking software as
> > > it is often sold by the same company that is sending the popups.
> > >
> > > To disable the Messenger Service, follow the instructions for your
> > > Windows version:
> > >
> > > Windows XP Home
> > >   * Click Start, then click Control Panel.
> > >   * Double-click Performance and Maintenance.
> > >   * Double-click Administrative Tools.
> > >   * Double-click Services.
> > >   * Scroll down, highlight and right-click on Messenger and choose
> > >     Properties
> > >   * In the "Startup type" list, choose Disabled.
> > >   * Click Stop, and then click OK.
> > >
> > > Windows XP Professional
> > >   * Click Start, then click Control Panel.
> > >   * Double-click Administrative Tools
> > >   * Double-click Services
> > >   * Scroll down, highlight and right-click on Messenger and choose
> > >     Properties
> > >   * In the "Startup type" list, choose Disabled.
> > >   * Click Stop, and then click OK.
> > >
> > > Windows 2000/NT
> > >   * Click Start, go to Settings, then click Control Panel.
> > >   * Double-click Administrative Tools.
> > >   * Double-click Service.
> > >   * Double-click Messenger.
> > >   * In the "Startup type" list, choose Disabled.
> > >   * Click Stop, and then click OK.
> > >
> > > Windows 98/ME
> > > The Windows Messenger Service cannot be disabled
> > >
> > > --
> > >
> > > About LURHQ Corporation
> > > LURHQ Corporation is the trusted provider of Managed Security
> > > Services. Founded in 1996, LURHQ has built a strong business
> > > protecting the critical information assets of more than 400
> > > customers by offering managed intrusion prevention and protection
> > > services. LURHQ's 24X7 Incident Handling capabilities enable
> > > customers to enhance their security posture while reducing the
> > > costs of managing their security environments. LURHQ's OPEN Service
> > > Delivery(TM) methodology facilitates a true partnership with
> > > customers by providing a real time view of the organization's
> > > security status via the Sherlock Enterprise Security Portal. For
> > > more information visit http://www.lurhq.com/
> > >
> > > Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted
> > > for the redistribution of this document electronically. It is not
> > > to be altered or edited in any way without the express written
> > > consent of LURHQ Corporation. If you wish to reprint the whole or
> > > any part of this document in any other medium excluding electronic
> > > media, please e-mail advisories at lurhq.com for permission.
> > >
> > > Disclaimer
> > > The information within this paper may change without notice. Use
> > > of this information constitutes acceptance for use in an AS IS
> > > condition. There are NO warranties implied or otherwise with regard
> > > to this information. In no event shall the author be liable for any
> > > damages whatsoever arising out of or in connection with the use or
> > > spread of this information.
> > >
> > > Feedback
> > > Updates and/or comments to:
> > > LURHQ Corporation
> > > http://www.lurhq.com/
> > > advisories at lurhq.com
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
> > _______________________________________________
> > list mailing list
> > list at dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
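
Added example, not part of the original thread or the LURHQ advisory: a detection sketch for the pattern the advisory describes, where one source sends UDP to port 1026 or 135 across large blocks of addresses. The iptables-style log layout, the sample lines, the function names and the `min_targets` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in an iptables-style LOG layout (not real traffic;
# all addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Jun 20 19:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4431 DPT=1026
Jun 20 19:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=4431 DPT=1026
Jun 20 19:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=4431 DPT=1026
Jun 20 19:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=UDP SPT=4432 DPT=135
Jun 20 19:02:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1026
Jun 20 19:02:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=1026
Jun 20 19:02:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=2201 DPT=1026
Jun 20 19:02:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.12 PROTO=TCP SPT=2202 DPT=1026
Jun 20 19:02:15 gw kernel: truncated entry SRC=203.0.113.9 PROTO=UDP
"""

MESSENGER_UDP_PORTS = {135, 1026}        # the two UDP ports named in the advisory
FIELD_RE = re.compile(r"(\w+)=(\S*)")    # KEY=value pairs; the value may be empty

def parse_line(line):
    """Return (src, dst, dport) for a UDP log entry, or None if unusable."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "UDP":
        return None
    try:
        return fields["SRC"], fields["DST"], int(fields["DPT"])
    except (KeyError, ValueError):       # truncated or malformed entry
        return None

def find_sweepers(log_text, min_targets=3):
    """Map each source to the distinct hosts it hit on the Messenger UDP
    ports, keeping only sources that reached at least min_targets hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] in MESSENGER_UDP_PORTS:
            targets[parsed[0]].add(parsed[1])
    # A single hit (for instance a reply landing on an ephemeral port 1026)
    # stays below the threshold and is not reported.
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, hosts in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} swept {len(hosts)} hosts: {', '.join(hosts)}")
```

Counting distinct destinations per source, rather than matching on the port alone, keeps a lone packet to port 1026 from being reported as a sweep.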



