[Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on

Jeff Kell jeff-kell at utc.edu
Sat Jun 21 21:57:26 GMT 2003


Dietmar Goldbeck wrote:
> On Sat, Jun 21, 2003 at 01:14:25PM -0400, Johannes Ullrich wrote:
> 
>>Well, blocking port 1026 is probably not such a great idea. But
>>why would a non-windows user suffer if port 135-139 & 445 is blocked?

This is missing the point.  Messenger is an RPC service.  Previous 
spamming by popups queried udp/135 to determine the port number of the 
messenger service, then sent the spam packet via udp to the port 
returned by the RPC portmapper.  Typically this port is 1026, but it 
doesn't have to be.

Blocking UDP has to be done connectionless, and Windows starts picking 
ephemeral ports at 1024 upward.  You are bound to get a lot of 
collateral damage (unintended blocking) of legitimate UDP services by 
blindly blocking udp/1026.

Jeff
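
The collateral damage described in the message above, as an added example that is not part of the original post: a port-only (connectionless) UDP block on 135 and 1026 is run over constructed traffic, beside a flow-tracking filter included only for comparison. The addresses, source ports, packet labels and the flow-tracking filter are assumptions of this example, not something the thread proposes.

```python
from collections import namedtuple

# Constructed sample traffic; addresses are documentation ranges (RFC 5737).
Packet = namedtuple("Packet", "direction src sport dst dport label")

CLIENT, DNS, SPAMMER = "192.0.2.10", "198.51.100.53", "203.0.113.66"

TRAFFIC = [
    Packet("out", CLIENT, 1026, DNS, 53, "DNS query from ephemeral port 1026"),
    Packet("in", DNS, 53, CLIENT, 1026, "DNS reply to that query"),
    Packet("in", SPAMMER, 4000, CLIENT, 135, "unsolicited endpoint-mapper query"),
    Packet("in", SPAMMER, 4001, CLIENT, 1026, "unsolicited Messenger popup"),
    Packet("in", SPAMMER, 4002, CLIENT, 1027, "popup to a different mapped port"),
]


def stateless_filter(packets, blocked_ports=frozenset({135, 1026})):
    """Drop inbound UDP purely by destination port; no memory of outbound traffic."""
    verdicts = {}
    for p in packets:
        drop = p.direction == "in" and p.dport in blocked_ports
        verdicts[p.label] = "drop" if drop else "pass"
    return verdicts


def stateful_filter(packets):
    """Pass inbound UDP only when it answers a flow the inside host opened."""
    flows, verdicts = set(), {}
    for p in packets:
        if p.direction == "out":
            flows.add((p.src, p.sport, p.dst, p.dport))
            verdicts[p.label] = "pass"
        else:
            # An inbound reply is the reverse of a recorded outbound 4-tuple.
            reply = (p.dst, p.dport, p.src, p.sport) in flows
            verdicts[p.label] = "pass" if reply else "drop"
    return verdicts


if __name__ == "__main__":
    a, b = stateless_filter(TRAFFIC), stateful_filter(TRAFFIC)
    for p in TRAFFIC:
        print(f"{p.label:36} stateless={a[p.label]:5} stateful={b[p.label]}")
```

The port-only block drops the legitimate DNS reply that happens to land on 1026 and still passes the popup sent to 1027.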



