[Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on
jeff-kell at utc.edu
Sat Jun 21 21:57:26 GMT 2003

Dietmar Goldbeck wrote:
> On Sat, Jun 21, 2003 at 01:14:25PM -0400, Johannes Ullrich wrote:
>>Well, blocking port 1026 is probably not such a great idea. But
>>why would a non-windows user suffer if port 135-139 & 445 is blocked?

This is missing the point. Messenger is an RPC service. Previous
spamming by popups query udp/135 to determine the port number of the
messenger service, then send the spam packet via udp to the port
returned by the RPC portmapper. Typically this port is 1026, but it
doesn't have to be.

Blocking UDP has to be done connectionless, and Windows starts picking
ephemeral ports at 1024 upward. You are bound to get a lot of
collateral damage (unintended blocking) of legitimate UDP services by
blindly blocking udp/1026.
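
The filtering argument in the message above, as an added example that is not part of the original post: a connectionless rule sees only each datagram's destination port, so it drops replies to client sockets that happen to sit on 1026 and passes popups sent to any other port the portmapper returned. All hosts, addresses, ports other than 135 and 1026, and packets are constructed sample data.

```python
from collections import namedtuple

# Constructed inbound UDP datagrams seen at a border filter.
# 'wanted' is ground truth the filter cannot see: True for a reply to a
# client socket, False for unsolicited Messenger popup traffic.
Pkt = namedtuple("Pkt", "src sport dst dport wanted note")

HOST_A = "192.0.2.10"   # assumed: Messenger listening on udp/1026
HOST_B = "192.0.2.11"   # assumed: Messenger on udp/1027, client socket on 1026
DNS, NTP, SPAM = "198.51.100.53", "198.51.100.123", "203.0.113.66"

INBOUND = [
    Pkt(DNS, 53, HOST_B, 1026, True, "DNS reply to ephemeral port 1026"),
    Pkt(NTP, 123, HOST_B, 1026, True, "NTP reply to ephemeral port 1026"),
    Pkt(DNS, 53, HOST_A, 1031, True, "DNS reply to ephemeral port 1031"),
    Pkt(SPAM, 40000, HOST_A, 1026, False, "popup to Messenger on 1026"),
    Pkt(SPAM, 40001, HOST_B, 1027, False, "popup to Messenger on 1027"),
]


def drop_udp_ports(ports):
    """Build a stateless rule: drop if the destination port is listed."""
    blocked = frozenset(ports)
    return lambda pkt: pkt.dport in blocked


def audit(rule, packets):
    """Sort each packet by what the rule did versus what was wanted."""
    result = {"blocked_popup": [], "collateral": [], "missed_popup": []}
    for pkt in packets:
        dropped = rule(pkt)
        if dropped and pkt.wanted:
            result["collateral"].append(pkt.note)      # legitimate reply lost
        elif dropped:
            result["blocked_popup"].append(pkt.note)
        elif not pkt.wanted:
            result["missed_popup"].append(pkt.note)    # reached the host
    return result


if __name__ == "__main__":
    # Compare the single-port block with a wider low-ephemeral range.
    for ports in ([1026], range(1026, 1032)):
        report = audit(drop_udp_ports(ports), INBOUND)
        print(f"drop udp/{min(ports)}-{max(ports)}")
        for outcome, notes in report.items():
            print(f"  {outcome}: {notes}")
```

Widening the blocked range catches the popup on 1027 but also drops the third legitimate reply, which is the trade-off the message describes.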