[Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026

Rick Klinge rick at famhost.com
Sat Jun 21 22:21:52 GMT 2003


If the ISPs would block all ports, and make people sign an agreement per
port they wanted, then the internet world would have some control.  Business
would save billions in loss and people could then be accountable for their
actions.  Spammers would seem to disappear.. hackers would be gone.. etc
etc.. but getting the IANA or ISPs to do anything positive, without opening
your wallet and digging deep, is moot.  I believe most US ISPs are blocking
known/unknown ports for their residential customers..

imho,

~Rick

----- Original Message ----- 
From: "morning_wood" <se_cur_ity at hotmail.com>
To: <jullrich at euclidian.com>; "General DShield Discussion List"
<list at dshield.org>
Cc: <full-disclosure at lists.netsys.com>
Sent: Saturday, June 21, 2003 4:02 PM
Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026


> the point being there should be no isp blocking of any ports period.
> Why? For what purpose? I would seek another provider if my ISP
> purposefully blocked ports. Unless a critical mass DDoS was in full
> disruption and temporary measures taken to prevent further
> amplification, were used and full service restored after the threat was
> diminished.
>
> wood
>
> ----- Original Message ----- 
> From: "Johannes Ullrich" <jullrich at euclidian.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Cc: "Joe Stewart" <jstewart at lurhq.com>;
> <full-disclosure at lists.netsys.com>
> Sent: Saturday, June 21, 2003 10:14 AM
> Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026
>
>
> > Well, blocking port 1026 is probably not such a great idea. But
> > why would a non-windows user suffer if port 135-139 & 445 is blocked?
> >
> >
> >
> > On Sat, 2003-06-21 at 00:40, morning_wood wrote:
> > > so all users should suffer an ISP blocking ports just because some
> > > people run windows???? excuse me? Better would be to just disable
> > > windows messaging service. or issue a patch for it, as opposed to
> > > blocking port traffic.
> > >
> > > wood
> > >
> > > ----- Original Message ----- 
> > > From: "Joe Stewart" <jstewart at lurhq.com>
> > > To: <list at dshield.org>
> > > Cc: <full-disclosure at lists.netsys.com>; <intrusions at incidents.org>;
> > > <isc at sans.org>
> > > Sent: Friday, June 20, 2003 7:37 PM
> > > Subject: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026
> > >
> > >
> > > > Windows Messenger Popup Spam on UDP Port 1026
> > > >
> > > > URL: http://www.lurhq.com/popup_spam.html
> > > > Release Date: June 20, 2003
> > > > Author: Joe Stewart
> > > >
> > > > LURHQ Corporation has observed traffic to large blocks of IP addresses
> > > > on UDP port 1026. This traffic started around June 18, 2003 and has
> > > > been constant since that time. LURHQ analysts have determined that the
> > > > source of the traffic is spammers who have discovered that the Windows
> > > > Messenger service listens for connections on port 1026 as well as the
> > > > more widely-known port 135. Windows Messenger has been a target for
> > > > spammers since late last year, because it allows anonymous pop-up
> > > > messages to be displayed on any Windows system running the messenger
> > > > service. Due to widespread abuse, many ISPs have moved to block
> > > > inbound traffic on UDP port 135. It appears the spammers have adapted,
> > > > so ISPs are urged to block UDP port 1026 inbound as well.
> > > >
> > > > It is possible to disable the messenger service on some platforms
> > > > following the instructions below. However, the fact that you can
> > > > receive these messages points to the fact that your computer is
> > > > unsecured and vulnerable to other possible attacks in the future.
> > > > Disabling the messenger service will stop the pop-up spam, but will
> > > > not protect you in any other way. Home users are encouraged to install
> > > > personal firewall software to block unauthorized connections to their
> > > > computers. Users are discouraged from purchasing specialized Windows
> > > > Messenger popup blocking software as it is often sold by the same
> > > > company that is sending the popups.
> > > >
> > > > To disable the Messenger Service, follow the instructions for your
> > > > Windows version:
> > > >
> > > > Windows XP Home
> > > >   * Click Start, then click Control Panel.
> > > >   * Double-click Performance and Maintenance.
> > > >   * Double-click Administrative Tools.
> > > >   * Double-click Services.
> > > >   * Scroll down, highlight and right-click on Messenger and choose
> > > >     Properties
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows XP Professional
> > > >   * Click Start, then click Control Panel.
> > > >   * Double-click Administrative Tools
> > > >   * Double-click Services
> > > >   * Scroll down, highlight and right-click on Messenger and choose
> > > >     Properties
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows 2000/NT
> > > >   * Click Start, go to Settings, then click Control Panel.
> > > >   * Double-click Administrative Tools.
> > > >   * Double-click Service.
> > > >   * Double-click Messenger.
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows 98/ME
> > > > The Windows Messenger Service cannot be disabled
> > > >
> > > > --
> > > >
> > > > About LURHQ Corporation
> > > > LURHQ Corporation is the trusted provider of Managed Security
> > > > Services. Founded in 1996, LURHQ has built a strong business
> > > > protecting the critical information assets of more than 400 customers
> > > > by offering managed intrusion prevention and protection services.
> > > > LURHQ's 24X7 Incident Handling capabilities enable customers to
> > > > enhance their security posture while reducing the costs of managing
> > > > their security environments. LURHQ's OPEN Service Delivery(TM)
> > > > methodology facilitates a true partnership with customers by providing
> > > > a real time view of the organization's security status via the
> > > > Sherlock Enterprise Security Portal. For more information visit
> > > > http://www.lurhq.com/
> > > >
> > > > Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
> > > > the redistribution of this document electronically. It is not to be
> > > > altered or edited in any way without the express written consent of
> > > > LURHQ Corporation. If you wish to reprint the whole or any part of
> > > > this document in any other medium excluding electronic media, please
> > > > e-mail advisories at lurhq.com for permission.
> > > >
> > > > Disclaimer
> > > > The information within this paper may change without notice. Use of
> > > > this information constitutes acceptance for use in an AS IS condition.
> > > > There are NO warranties implied or otherwise with regard to this
> > > > information. In no event shall the author be liable for any damages
> > > > whatsoever arising out of or in connection with the use or spread of
> > > > this information.
> > > >
