[Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026

MacKinnon, Andrew amackinnon at ibc.ca
Mon Jun 23 11:32:00 GMT 2003


So some freaks rape little girls and dudes..... Let's lock every man alive up
for eternity!!!!

GIVE ME A BREAK!!!!!

> -----Original Message-----
> From:	Rick Klinge [SMTP:rick at famhost.com]
> Sent:	Saturday, June 21, 2003 6:22 PM
> To:	General DShield Discussion List
> Subject:	Re: [Dshield]  Re: [Full-Disclosure] Windows Messenger Popup
> Spam on UDP Port 1026
> 
> If the ISPs would block all ports, and make people sign an agreement per
> port they wanted, then the internet world would have some control.
> Business would save Billions in loss and people could then be accountable
> for their actions.  Spammers would seem to disappear.. hackers would be
> gone.. etc etc.. but getting the IANA or ISPs to do anything positive,
> without opening your wallet and digging deep, is moot.  I believe most US
> ISPs are blocking known/unknown ports for their residential customers..
> 
> imho,
> 
> ~Rick
> 
> ----- Original Message ----- 
> From: "morning_wood" <se_cur_ity at hotmail.com>
> To: <jullrich at euclidian.com>; "General DShield Discussion List"
> <list at dshield.org>
> Cc: <full-disclosure at lists.netsys.com>
> Sent: Saturday, June 21, 2003 4:02 PM
> Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup
> Spam on UDP Port 1026
> 
> 
> > the point being there should be no isp blocking of any ports period.
> > Why? For what purpose? I would seek another provider if my ISP
> > purposefully blocked ports. Unless a critical mass DDoS was in full
> > disruption and temporary measures taken to prevent further
> > amplification, were used and full service restored after the threat was
> > diminished.
> >
> > wood
> >
> > ----- Original Message ----- 
> > From: "Johannes Ullrich" <jullrich at euclidian.com>
> > To: "General DShield Discussion List" <list at dshield.org>
> > Cc: "Joe Stewart" <jstewart at lurhq.com>;
> > <full-disclosure at lists.netsys.com>
> > Sent: Saturday, June 21, 2003 10:14 AM
> > Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup
> > Spam on UDP Port 1026
> >
> >
> > > Well, blocking port 1026 is probably not such a great idea. But
> > > why would a non-windows user suffer if port 135-139 & 445 is
> > > blocked?
> > >
> > >
> > >
> > > On Sat, 2003-06-21 at 00:40, morning_wood wrote:
> > > > so all users should suffer an ISP blocking ports just because some
> > > > people run windows???? excuse me? Better would be to just disable
> > > > windows messaging service. or issue a patch for it, as opposed to
> > > > blocking port traffic.
> > > >
> > > > wood
> > > >
> > > > ----- Original Message ----- 
> > > > From: "Joe Stewart" <jstewart at lurhq.com>
> > > > To: <list at dshield.org>
> > > > Cc: <full-disclosure at lists.netsys.com>;
> > > > <intrusions at incidents.org>; <isc at sans.org>
> > > > Sent: Friday, June 20, 2003 7:37 PM
> > > > Subject: [Full-Disclosure] Windows Messenger Popup Spam on UDP
> > > > Port 1026
> > > >
> > > >
> > > > > Windows Messenger Popup Spam on UDP Port 1026
> > > > >
> > > > > URL: http://www.lurhq.com/popup_spam.html
> > > > > Release Date: June 20, 2003
> > > > > Author: Joe Stewart
> > > > >
> > > > > > LURHQ Corporation has observed traffic to large blocks of IP
> > > > > > addresses on UDP port 1026. This traffic started around June 18,
> > > > > > 2003 and has been constant since that time. LURHQ analysts have
> > > > > > determined that the source of the traffic is spammers who have
> > > > > > discovered that the Windows Messenger service listens for
> > > > > > connections on port 1026 as well as the more widely-known port
> > > > > > 135. Windows Messenger has been a target for spammers since late
> > > > > > last year, because it allows anonymous pop-up messages to be
> > > > > > displayed on any Windows system running the messenger service.
> > > > > > Due to widespread abuse, many ISPs have moved to block inbound
> > > > > > traffic on UDP port 135. It appears the spammers have adapted,
> > > > > > so ISPs are urged to block UDP port 1026 inbound as well.
> > > > >
> > > > > > It is possible to disable the messenger service on some
> > > > > > platforms following the instructions below. However, the fact
> > > > > > that you can receive these messages points to the fact that your
> > > > > > computer is unsecured and vulnerable to other possible attacks
> > > > > > in the future. Disabling the messenger service will stop the
> > > > > > pop-up spam, but will not protect you in any other way. Home
> > > > > > users are encouraged to install personal firewall software to
> > > > > > block unauthorized connections to their computers. Users are
> > > > > > discouraged from purchasing specialized Windows Messenger popup
> > > > > > blocking software as it is often sold by the same company that
> > > > > > is sending the popups.
> > > > >
> > > > > > To disable the Messenger Service, follow the instructions for
> > > > > > your Windows version:
> > > > >
> > > > > Windows XP Home
> > > > >   * Click Start, then click Control Panel.
> > > > >   * Double-click Performance and Maintenance.
> > > > >   * Double-click Administrative Tools.
> > > > >   * Double-click Services.
> > > > > >   * Scroll down, highlight and right-click on Messenger and
> > > > > >     choose Properties
> > > > >   * In the "Startup type" list, choose Disabled.
> > > > >   * Click Stop, and then click OK.
> > > > >
> > > > > Windows XP Professional
> > > > >   * Click Start, then click Control Panel.
> > > > >   * Double-click Administrative Tools
> > > > >   * Double-click Services
> > > > > >   * Scroll down, highlight and right-click on Messenger and
> > > > > >     choose Properties
> > > > >   * In the "Startup type" list, choose Disabled.
> > > > >   * Click Stop, and then click OK.
> > > > >
> > > > > Windows 2000/NT
> > > > >   * Click Start, go to Settings, then click Control Panel.
> > > > >   * Double-click Administrative Tools.
> > > > >   * Double-click Service.
> > > > >   * Double-click Messenger.
> > > > >   * In the "Startup type" list, choose Disabled.
> > > > >   * Click Stop, and then click OK.
> > > > >
> > > > > Windows 98/ME
> > > > > The Windows Messenger Service cannot be disabled
> > > > >
> > > > > --
> > > > >
> > > > > About LURHQ Corporation
> > > > > > LURHQ Corporation is the trusted provider of Managed Security
> > > > > > Services. Founded in 1996, LURHQ has built a strong business
> > > > > > protecting the critical information assets of more than 400
> > > > > > customers by offering managed intrusion prevention and
> > > > > > protection services. LURHQ's 24X7 Incident Handling capabilities
> > > > > > enable customers to enhance their security posture while
> > > > > > reducing the costs of managing their security environments.
> > > > > > LURHQ's OPEN Service Delivery(TM) methodology facilitates a true
> > > > > > partnership with customers by providing a real time view of the
> > > > > > organization's security status via the Sherlock Enterprise
> > > > > > Security Portal. For more information visit
> > > > > > http://www.lurhq.com/
> > > > >
> > > > > > Copyright (c) 2003 LURHQ Corporation. Permission is hereby
> > > > > > granted for the redistribution of this document electronically.
> > > > > > It is not to be altered or edited in any way without the express
> > > > > > written consent of LURHQ Corporation. If you wish to reprint the
> > > > > > whole or any part of this document in any other medium excluding
> > > > > > electronic media, please e-mail advisories at lurhq.com for
> > > > > > permission.
> > > > >
> > > > > Disclaimer
> > > > > > The information within this paper may change without notice. Use
> > > > > > of this information constitutes acceptance for use in an AS IS
> > > > > > condition. There are NO warranties implied or otherwise with
> > > > > > regard to this information. In no event shall the author be
> > > > > > liable for any damages whatsoever arising out of or in
> > > > > > connection with the use or spread of this information.
> > > > >
> 
> ___________________________________________________________________
> Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
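
An added example, not part of the thread or the LURHQ advisory: a detection sketch for the traffic pattern the advisory reports, one source sending UDP to port 135 or 1026 across many addresses. The log layout, the sample lines, the `find_sweeps` name and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Ports the advisory ties to Messenger popup spam.
POPUP_PORTS = {135, 1026}

# Assumed log layout (constructed for this example, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: one sweeping source, one lone DNS reply that happens to
# land on ephemeral port 1026, one TCP line, one malformed line.
SAMPLE_LOG = """\
2003-06-20T19:01:02 ALLOW UDP 203.0.113.7:4021 -> 192.0.2.10:1026 len=412
2003-06-20T19:01:02 ALLOW UDP 203.0.113.7:4021 -> 192.0.2.11:1026 len=412
2003-06-20T19:01:03 ALLOW UDP 203.0.113.7:4021 -> 192.0.2.12:1026 len=412
2003-06-20T19:01:03 DROP UDP 203.0.113.7:4022 -> 192.0.2.13:135 len=412
2003-06-20T19:01:09 ALLOW UDP 198.51.100.5:53 -> 192.0.2.10:1026 len=96
2003-06-20T19:01:10 ALLOW TCP 198.51.100.9:3311 -> 192.0.2.10:1026 len=60
malformed line that the parser must skip
"""

def find_sweeps(log_text, min_targets=3):
    """Return {src: {...}} for sources that sent UDP to a popup port on at
    least min_targets distinct hosts; single-host traffic is ignored."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    allowed = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP":
            continue
        dport = int(m["dport"])
        if dport not in POPUP_PORTS:
            continue
        src = m["src"]
        targets[src].add(m["dst"])
        ports[src].add(dport)
        if m["action"] == "ALLOW":
            allowed[src] += 1  # packet passed the filter: a gap to close
    return {
        src: {"targets": sorted(dsts), "ports": sorted(ports[src]),
              "allowed": allowed[src]}
        for src, dsts in targets.items() if len(dsts) >= min_targets
    }

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

Counting distinct destinations rather than matching on port alone keeps the lone reply to port 1026 out of the results, which is the collateral-damage concern raised in the thread about blocking that port outright.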



