[Dshield] Re: [Full-Disclosure] Port Blocking

Kenneth Coney superc at visuallink.com
Fri Jun 27 16:36:47 GMT 2003


I hope my ISP isn't blocking any of my ports.  I have a broad spectrum of
commo programs on my machine that use a variety of ports.  I already
dropped one ISP that took it upon themselves to spam-filter and auto-delete
my emails if the incoming email met THEIR definition of spam.  Needless to
say, several important work-project-related emails went unreceived because
coworkers and clients used Hotmail or Yahoo, etc.  The long and short is
the ISP deleted my email, so I deleted their account.  To solve the
unwanted communication problem, a smarter approach for the ISPs would be to
simply require customers to use updated firewalls and anti-virus software.
If the customer doesn't and a problem results, then they, and not the ISP,
broke the covenant.


list-request at dshield.org wrote:
> 
>   ---------------------------------------------------------------------------
> Today's Topics:
> 
>    1. Zynos (David Hart)
>    2. Re: Windows Messenger Popup Spam - advisory amended (Joe Stewart)
>    3. Re:  Re: [Full-Disclosure] Windows Messenger Popup Spamon UDP
>       Port 1026 (morning_wood)
>    4. new virus/attachment (Neil G. Lovering)
>    5. Re:  Re: [Full-Disclosure] Port Blocking (Doug White)
>    6. Re: Windows Messenger Popup Spam - advisory amended (jh)
>    7. Re: Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP
>       Port 1026 (Rick Leske)
>    8. Re[2]: [Dshield] Re: [Full-Disclosure] Windows Messenger
>       Popup Spam on UDP Port 1026 (Stephane Grobety)
>    9. Re: new virus/attachment (Johannes Ullrich)
>   10. RE: new virus/attachment (Rick Leske)
>   11. Win2000 SP4 Released From Beta (R Shady)
>   12. RE: new virus/attachment (jdoub at krispykreme.com)
>   13. Re: Strange activity.. (Ed Truitt)
>   14. RE: new virus/attachment (Chris DeVoney)
> 
>   ---------------------------------------------------------------------------
> 
> Subject: [Dshield] Zynos
> Date: 25 Jun 2003 12:34:55 -0400
> From: David Hart <DavidHart at TQMcube.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: General DShield Discussion List <list at dshield.org>
> 
> I'm sure that I mis-phrased my question the last time. Zynos works
> great. I certainly don't want to alter the content submitted to DShield.
> 
> The script sends me a copy of each submission. What I would like to do
> is get host name resolution on MY copy and only my copy. This
> facilitates sending out my own polite notes when warranted without
> having to do a whois.
> 
> I did this with VBS when our primary machine was running on Windows but
> I lack the skills to do this in Perl. It looks like the sub-routine is
> defined but I don't want to play with DShield submissions.
> 
> If someone is already doing this, I'd sure appreciate the help but
> please don't go to any trouble trying to figure out the code if you
> haven't already done so.
> 
> --
> 
>       *      Total Quality Management - A Commitment to Excellence
> 
>   ---------------------------------------------------------------------------
> 
> Subject: [Dshield] Re: Windows Messenger Popup Spam - advisory amended
> Date: Wed, 25 Jun 2003 13:39:46 -0400
> From: Joe Stewart <jstewart at lurhq.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: jh <jh at dok.org>
> CC: list at dshield.org,
>      intrusions at incidents.org,
>      full-disclosure at lists.netsys.com
> References: <20030623211959.GD4089 at dok.org>
> 
> On Monday 23 June 2003 05:19 pm, jh wrote:
> > 1026 is ephemeral, it may not always be this port.
> 
> I'd say it's dependent on the startup order of other listeners. Ephemeral
> implies it is short-lived. If you don't install other services that use port
> 1026 it will probably continue to be bound to port 1026 indefinitely. I've
> been told that some Windows 2000 server platforms may have messenger
> listening on port 1027 due to other services starting first, but popup
> spammers are typically targeting the home user running WinXP.
> 
> > Dunno if that all makes sense, readers may find the following paper
> > helpful (it is more in-depth than the brief, condensed version above):
> > http://www.giac.org/practical/GCIH/Jeremy_Hewlett_GCIH.pdf
> 
> This is an excellent paper; is it yours? Well researched and written.
> I have found, however, a few points of difference between what the paper
> describes of the protocol and what I've observed in practice. The paper
> describes a much more elaborate exchange of packets than the spammers
> are actually using. The paper says that the conv_who_are_you packet
> must be answered by the client before the popup will occur. This doesn't
> seem to be necessary, as I have been able to merely replay the same
> UDP packet payload again and again, on either port. The paper says that
> these packets should be dropped as duplicates, but I have observed that
> you only need to wait for a given timeout to occur before you can send the
> packet and get a popup again; somewhere on the order of 10 minutes or
> so. This is ok with the spammers, since they seem to cycle through the same
> netblock only every hour or so.
> 
> So, the higher port is usually, but not guaranteed to be, port 1026. So
> far, the spammers have only been observed sending packets to port 135
> and 1026, suggesting they have observed the same behavior. And only
> one packet is necessary, no matter which port you send it to. I've been
> successful at spoofing a bogus source IP address in the packets generating
> the popups as well.
> 
> -Joe
> 
> --
> Joe Stewart, GCIH
> Senior Intrusion Analyst
> LURHQ Corporation
> http://www.lurhq.com/
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spamon
>      UDP Port 1026
> Date: Sat, 21 Jun 2003 14:02:48 -0700
> From: "morning_wood" <se_cur_ity at hotmail.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: jullrich at euclidian.com,
>      "General DShield Discussion List" <list at dshield.org>
> CC: full-disclosure at lists.netsys.com
> References: <200306202237.46271.jstewart at lurhq.com>
>      <1056215664.10057.314.camel at bart>
> 
> the point being there should be no isp blocking of any ports period.
> Why? For what purpose? I would seek another provider if my ISP
> purposefully blocked ports. Unless a critical mass DDoS was in full
> disruption and temporary measures taken to prevent further
> amplification, were used and full service restored after the threat was
> diminished.
> 
> wood
> 
> ----- Original Message -----
> From: "Johannes Ullrich" <jullrich at euclidian.com>
> To: "General DShield Discussion List" <list at dshield.org>
> Cc: "Joe Stewart" <jstewart at lurhq.com>;
> <full-disclosure at lists.netsys.com>
> Sent: Saturday, June 21, 2003 10:14 AM
> Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup
> Spamon UDP Port 1026
> 
> > Well, blocking port 1026 is probably not such a great idea. But
> > why would a non-windows user suffer if port 135-139 & 445 is blocked?
> >
> >
> >
> > On Sat, 2003-06-21 at 00:40, morning_wood wrote:
> > > so all users should suffer an ISP blocking ports just because some
> > > people run windows???? excuse me? Better would be to just disable
> > > windows messaging service. or issue a patch for it, as opposed to
> > > blocking port traffic.
> > >
> > > wood
> > >
> > > ----- Original Message -----
> > > From: "Joe Stewart" <jstewart at lurhq.com>
> > > To: <list at dshield.org>
> > > Cc: <full-disclosure at lists.netsys.com>; <intrusions at incidents.org>;
> > >     <isc at sans.org>
> > > Sent: Friday, June 20, 2003 7:37 PM
> > > Subject: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026
> > >
> > >
> > > > Windows Messenger Popup Spam on UDP Port 1026
> > > >
> > > > URL: http://www.lurhq.com/popup_spam.html
> > > > Release Date: June 20, 2003
> > > > Author: Joe Stewart
> > > >
> > > > LURHQ Corporation has observed traffic to large blocks of IP addresses
> > > > on UDP port 1026. This traffic started around June 18, 2003 and has
> > > > been constant since that time. LURHQ analysts have determined that the
> > > > source of the traffic is spammers who have discovered that the Windows
> > > > Messenger service listens for connections on port 1026 as well as the
> > > > more widely-known port 135. Windows Messenger has been a target for
> > > > spammers since late last year, because it allows anonymous pop-up
> > > > messages to be displayed on any Windows system running the messenger
> > > > service. Due to widespread abuse, many ISPs have moved to block
> > > > inbound traffic on UDP port 135. It appears the spammers have adapted,
> > > > so ISPs are urged to block UDP port 1026 inbound as well.
> > > >
> > > > It is possible to disable the messenger service on some platforms
> > > > following the instructions below. However, the fact that you can
> > > > receive these messages points to the fact that your computer is
> > > > unsecured and vulnerable to other possible attacks in the future.
> > > > Disabling the messenger service will stop the pop-up spam, but will
> > > > not protect you in any other way. Home users are encouraged to install
> > > > personal firewall software to block unauthorized connections to their
> > > > computers. Users are discouraged from purchasing specialized Windows
> > > > Messenger popup blocking software as it is often sold by the same
> > > > company that is sending the popups.
> > > >
> > > > To disable the Messenger Service, follow the instructions for your
> > > > Windows version:
> > > >
> > > > Windows XP Home
> > > >   * Click Start, then click Control Panel.
> > > >   * Double-click Performance and Maintenance.
> > > >   * Double-click Administrative Tools.
> > > >   * Double-click Services.
> > > >   * Scroll down, highlight and right-click on Messenger and choose
> > > >     Properties.
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows XP Professional
> > > >   * Click Start, then click Control Panel.
> > > >   * Double-click Administrative Tools.
> > > >   * Double-click Services.
> > > >   * Scroll down, highlight and right-click on Messenger and choose
> > > >     Properties.
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows 2000/NT
> > > >   * Click Start, go to Settings, then click Control Panel.
> > > >   * Double-click Administrative Tools.
> > > >   * Double-click Services.
> > > >   * Double-click Messenger.
> > > >   * In the "Startup type" list, choose Disabled.
> > > >   * Click Stop, and then click OK.
> > > >
> > > > Windows 98/ME
> > > > The Windows Messenger Service cannot be disabled.
> > > >
> > > > --
> > > >
> > > > About LURHQ Corporation
> > > > LURHQ Corporation is the trusted provider of Managed Security
> > > > Services. Founded in 1996, LURHQ has built a strong business
> > > > protecting the critical information assets of more than 400 customers
> > > > by offering managed intrusion prevention and protection services.
> > > > LURHQ's 24X7 Incident Handling capabilities enable customers to
> > > > enhance their security posture while reducing the costs of managing
> > > > their security environments. LURHQ's OPEN Service Delivery(TM)
> > > > methodology facilitates a true partnership with customers by providing
> > > > a real time view of the organization's security status via the
> > > > Sherlock Enterprise Security Portal. For more information visit
> > > > http://www.lurhq.com/
> > > >
> > > > Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
> > > > the redistribution of this document electronically. It is not to be
> > > > altered or edited in any way without the express written consent of
> > > > LURHQ Corporation. If you wish to reprint the whole or any part of
> > > > this document in any other medium excluding electronic media, please
> > > > e-mail advisories at lurhq.com for permission.
> > > >
> > > > Disclaimer
> > > > The information within this paper may change without notice. Use of
> > > > this information constitutes acceptance for use in an AS IS condition.
> > > > There are NO warranties implied or otherwise with regard to this
> > > > information. In no event shall the author be liable for any damages
> > > > whatsoever arising out of or in connection with the use or spread of
> > > > this information.
> > > >
> > > > Feedback
> > > > Updates and/or comments to:
> > > > LURHQ Corporation
> > > > http://www.lurhq.com/
> > > > advisories at lurhq.com
> > > >
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > > >
> > >
> > > _______________________________________________
> > > list mailing list
> > > list at dshield.org
> > > To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
>   ---------------------------------------------------------------------------
> 
> Subject: [Dshield] new virus/attachment
> Date: Wed, 25 Jun 2003 22:55:00 -0400
> From: "Neil G. Lovering" <nlovering at nle-inc.com>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: <list at dshield.org>
> 
> Hey all,
> 
> Anyone seeing some new "attachment" that comes in as a zip?  I've gotten a
> few from various folks just today.  I sent an email back to one of my
> friends, and he stated that he definitely did not send it to me.  In fact,
> it was from an old, unused email address of his.  Thus, I'm thinking that
> someone is sending some new rogue attachment around.
> 
> Neil
> 
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [Dshield] Re: [Full-Disclosure] Port Blocking
> Date: Wed, 25 Jun 2003 22:01:14 -0500
> From: "Doug White" <doug at dwhite.ws>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: "General DShield Discussion List" <list at dshield.org>
> References: <200306202237.46271.jstewart at lurhq.com>
>      <Law11-OE192o75stjqL0004ce94 at hotmail.com>
>      <Law11-OE53rNKvv9Cy50004db32 at hotmail.com>
> 
> Interesting point.  For instance Cox Internet-New England put in place just
> yesterday port 25 outbound blocking, requiring users to send outbound mail via
> their smtp server.  This new policy affected two of my hosting clients who had
> email accounts connected with their domain name and web site.  Both of them tell
> me that they are seeking a new provider.
> 
> What incensed them is that there was no notice, and the provider does not
> mention a thing in the FAQ or policy sections on their own web site.  Not to
> mention all the aggravation with my support folks in trying to track down why
> they could not reply to incoming email.
> 
> This supports the point that arbitrary port blocking is not a good thing.
> 
> ======================================
> Stop spam on your domain, use our gateway!
> For hosting solutions http://www.clickdoug.com
> ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
> ======================================
> If you are not satisfied with my service, my job isn't done!
> 
> 
>   ---------------------------------------------------------------------------
> 
> Subject: [Dshield] Re: Windows Messenger Popup Spam - advisory amended
> Date: Wed, 25 Jun 2003 22:31:23 -0500
> From: jh <jh at dok.org>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: Joe Stewart <jstewart at lurhq.com>
> CC: list at dshield.org,
>      intrusions at incidents.org,
>      full-disclosure at lists.netsys.com
> References: <20030623211959.GD4089 at dok.org>
>      <200306251339.46805.jstewart at lurhq.com>
> 
> On Wed, Jun 25, Joe Stewart wrote:
> > On Monday 23 June 2003 05:19 pm, jh wrote:
> > > 1026 is ephemeral, it may not always be this port.
> >
> > I'd say it's dependent on the startup order of other listeners. Ephemeral
> > implies it is short-lived. If you don't install other services that use port
> > 1026 it will probably continue to be bound to port 1026 indefinitely. I've
> > been told that some Windows 2000 server platforms may have messenger
> > listening on port 1027 due to other services starting first, but popup
> > spammers are typically targeting the home user running WinXP.
> 
> Yah, you are correct. Ephemeral probably wasn't the best choice of
> wording, but you understood what I meant anyway.
> 
> > This is an excellent paper; is it yours?
> 
> Yes it is, thanks.
> 
> > I have found however, a few points of difference between what the paper
> > describes of the protocol and what I've observed in practice. The paper
> > describes a much more elaborate exchange of packets than the spammers
> > are actually using.
> 
> This may be entirely dependent on the handful of the commercial
> "advertising tools" that I selected to look at - and clearly several
> of them appeared to be ripoffs of each other. Though to be fair, I
> have observed this exchange of packets in real life (ie; not caused by
> my own testing, just allowing spammers access to my machines).
> 
> > The paper says that the conv_who_are_you packet
> > must be answered by the client before the popup will occur.
> 
> Your observations are very interesting. I could never get a popup
> to display without this transpiring. I noticed other people have had
> the same results
> (http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm,
> as an example).
> 
> > This doesn't seem to be necessary, as I have been able to merely
> > replay the same UDP packet payload again and again, on either port.
> 
> Is that UDP packet you are replaying the first packet of the
> conversation? I'd be interested in looking at it (and what else you
> are doing). If you could send that to me off list, I'd appreciate it.
> 
>   ---------------------------------------------------------------------------
> 
> Subject: Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup
>      SpamonUDP Port 1026
> Date: Wed, 25 Jun 2003 23:02:24 -0500
> From: "Rick Leske" <rick at jaray.net>
> Reply-To: General DShield Discussion List <list at dshield.org>
> To: "General DShield Discussion List" <list at dshield.org>
> References: <200306202237.46271.jstewart at lurhq.com>
>      <Law11-OE192o75stjqL0004ce94 at hotmail.com>
>      <Law11-OE53rNKvv9Cy50004db32 at hotmail.com>
> 
> Well here's a snip of some examples that one would clearly need to block
> ports:
> 
> !
> ! Known Virus and Trojan ports
> !
> ! MS SQL Slammer Worm
> !
> access-list 101 deny udp any any eq 1434 log
> !
> ! Legacy small services no longer used
> !
> access-list 101 deny tcp any any range 0 19 log
> access-list 101 deny udp any any range 0 19 log
> !
> ! Finger
> !
> access-list 101 deny tcp any any eq 79 log
> access-list 101 deny udp any any eq 79 log
> !
> ! SNMP Trap
> !
> access-list 101 deny tcp any any range 161 162 log
> access-list 101 deny udp any any range 161 162 log
> !
> ! SMUX
> access-list 101 deny tcp any any eq 199 log
> access-list 101 deny udp any any eq 199 log
> !
> ! SNMP Relay Port
> access-list 101 deny tcp any any eq 391 log
> access-list 101 deny udp any any eq 391 log
> !
> ! AgentX
> access-list 101 deny tcp any any eq 705 log
> access-list 101 deny udp any any eq 705 log
> !
> ! cisco SNMP TCP port
> access-list 101 deny tcp any any eq 1993 log
> access-list 101 deny udp any any eq 1993 log
> !
> ! Lan-only DHCP and TFTP
> !
> access-list 101 deny udp any any range 67 69 log
> access-list 101 deny tcp any any range 67 69 log
> !
> ! Microsoft NETBIOS (messenger spam)
> !
> access-list 101 deny tcp any any range 135 139 log
> access-list 101 deny udp any any range 135 139 log
> access-list 101 deny tcp any any eq 445 log
> access-list 101 deny udp any any eq 445 log
> !
> ! Unix RPC
> !
> access-list 101 deny tcp any any eq 111 log
> access-list 101 deny udp any any eq 111 log
> !
> ! Lan-only unix services
> !
> access-list 101 deny tcp any any range 511 515 log
> access-list 101 deny udp any any range 511 515 log
> !
> ! IRCD
> !
> access-list 101 deny tcp any any eq 6667 log
> access-list 101 deny udp any any eq 6667 log
> !
> ! ICMP fragments (the 'fragments' keyword limits this entry to non-initial
> ! fragments; without it the line would deny all ICMP before the permits below)
> !
> access-list 101 deny icmp any any fragments log
> !
> ! Inbound ping
> !
> access-list 101 permit icmp any any echo
> !
> ! Inbound ping response
> !
> access-list 101 permit icmp any any echo-reply
> !
> ! Path MTU to function
> !
> access-list 101 permit icmp any any packet-too-big
> !
> ! Flow control
> !
> access-list 101 permit icmp any any source-quench
> !
> ! Time exceeded messages for traceroute and loops
> !
> access-list 101 permit icmp any any time-exceeded
> !
> ! Block all other ICMP packets
> !
> access-list 101 deny icmp any any log
> !
> ! Permit everything else
> !
> access-list 101 permit ip any any
> 
> Point being that the 'internet' is not a safe or adequately regulated
> environment.  One cannot assume that "Seat Belts" save lives; facts have
> proven they do, just as blocking ports saves corporations trillions of
> dollars.
> 
> ~Rick
> 
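The access list Rick posted logs every packet it denies, and Joe Stewart's advisory describes the traffic worth looking for in those logs: one source sending UDP datagrams to port 135 or 1026 across a whole block of addresses. As an added example (not from this thread or from any of its posters), the Python below parses constructed Cisco IOS %SEC-6-IPACCESSLOGP lines of the kind a "log" entry in such an ACL produces, tallies denied packets per port, and flags sources sweeping the Messenger ports. The exact log format, the sample addresses and the sweep threshold are assumptions.

```python
"""Detect the Messenger popup-spam sweep pattern in Cisco IOS ACL logs.

Assumed log format: the %SEC-6-IPACCESSLOGP message that IOS emits for
"log" entries in an extended ACL (like access-list 101 in this thread).
All sample lines below are constructed for this example; none are real.
"""
import re
from collections import defaultdict

# Ports the thread identifies as Messenger targets: UDP 135 (widely known),
# UDP 1026 (the higher port the amended advisory covers) and UDP 1027, which
# Joe Stewart notes some Windows 2000 servers end up on.
MESSENGER_UDP_PORTS = {135, 1026, 1027}

# Constructed sample ACL log output (RFC 5737 documentation addresses).
# One source walks a run of hosts on UDP 1026, one touches two hosts on
# UDP 135, one unrelated TCP 445 hit, and one non-ACL syslog line.
SAMPLE_LOG = """\
Jun 25 22:10:01: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1026) -> 203.0.113.10(1026), 1 packet
Jun 25 22:10:01: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1026) -> 203.0.113.11(1026), 1 packet
Jun 25 22:10:02: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1026) -> 203.0.113.12(1026), 1 packet
Jun 25 22:10:02: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(1026) -> 203.0.113.13(1026), 1 packet
Jun 25 22:10:05: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(4000) -> 203.0.113.10(135), 1 packet
Jun 25 22:10:05: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(4000) -> 203.0.113.11(135), 1 packet
Jun 25 22:10:07: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(3301) -> 203.0.113.10(445), 1 packet
Jun 25 22:10:09: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one IPACCESSLOGP line, or None for other syslog text."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def packets_by_port(lines):
    """Denied packets per (proto, dport): shows what the ACL is absorbing."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "denied":
            counts[(rec["proto"], rec["dport"])] += rec["count"]
    return dict(counts)


def messenger_sweeps(lines, min_targets=3):
    """Sources sending UDP to Messenger ports at >= min_targets distinct hosts.

    One datagram to one host on 1026 is noise; one source hitting a run of
    addresses is the netblock sweep the advisory describes.
    Returns (src, target_count, packet_count) tuples, busiest source first.
    """
    targets = defaultdict(set)
    packets = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "udp" and rec["dport"] in MESSENGER_UDP_PORTS:
            targets[rec["src"]].add(rec["dst"])
            packets[rec["src"]] += rec["count"]
    hits = [(src, len(t), packets[src])
            for src, t in targets.items() if len(t) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("denied packets by port:", packets_by_port(lines))
    for src, n, pkts in messenger_sweeps(lines):
        print(f"{src}: Messenger-port sweep across {n} hosts ({pkts} packets)")
```

Feeding real router syslog through `messenger_sweeps` (after confirming the IPACCESSLOGP format on your IOS release) gives a per-source list that can be matched against the hourly netblock cycling Joe Stewart observed.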



