Fighting Back Against Messenger Popup SPAM

An anonymous reader asks: "I recently re-installed XP (out of boredom and not necessity) and forgot to turn off the Windows Messaging service. Things were going fine, until today. I started getting those annoying popups again. I realize that I can turn off this service and I'll no longer get the messages, but, I want a way to 'take back the internet' and not have to worry about others getting these messages either. Normally, these messages are the typical University Degree spam, but the last one I got was for a piece of software that turns off the messaging service. And as everyone knows, there are some people on the net who'll pay for this. So, how can the people of the net fight back to ensure that these messages stop, and more importantly, these people stop preying on the less-technically inclined?"

short answer

[Twirlip+of+the+Mists]

So, how can the people of the net fight back to ensure that these messages stop, and more importantly, these people stop preying on the less-technically inclined?

You can't. What they're doing isn't illegal, and arguably it shouldn't be. And even if it were, they'd just move their operations off-shore.

This isn't really a free speech issue-- commercial speech isn't covered by the same rules that govern other forms of expression-- but what you're basically saying is, "Some people are saying something that I don't like. I know that I can just stop listening to them, but I want to do more. How can I fight back to ensure that they have to stop saying what they're saying?

Sorry. Can't, or at least shouldn't, be done.

Now, if you wanted to take a different tactic, you could approach Microsoft through the appropriate channels to request that the Messenger service be off by default, or to have them remove it altogether. That might or might not work, but you could try.

Stopping the pop-up spam

[Zocalo]

There is a very simple way of stopping this kind of irritant from bothering the clueless who can't configure their perimeter security properly. It's called having their upstream ISPs drop traffic to and from the NetBIOS' ports on their routers by default. Is this a good idea, though? Maybe, maybe not. I'll certainly kill the pop-up spam intendeded for the ISP's customers dead in it's tracks, but it establishes a couple of precidents that can only cause problems further down the road, such as ISPs taking over responsibilty for customer security from the customer. In the case of ISPs like AoL that already have "we control your online experience" writ large in their advertising spiel, then this might be worthy of consideration. For traditional ISPs that essentially just provide connectivity this would almost certainly be the start of slippery downhill slope though. Who gets to decide what should be on the Internet and what should not? Telnet? Vulnerable to password sniffing and you should be using SSH! FTP? Same as Telnet! SMTP? Drowing in spam! HTTP? Swamped with porn!...

What is needed (as ever) is customer education, and if the customer doesn't see the problem then that's not going to happen, is it? The ISP where I work sells the option of having a basic stateful firewall on the CPE router that stomps on this kind of thing as a managed / one-off service. It's not intended as a dedicated firewall replacement, it's intended as a first pass at cleaning up incoming and outgoing traffic for SMEs. Essentially, we determine with the customer what traffic they may need to pass and simply drop the rest, hopefully giving some customers a better idea of security in the process. It's good for us, because it's dropping the number of customer network compromises we have to deal with and it's turning into quite a respectable revenue stream. It's good for the customer, because it's protecting them from some hostile traffic on the Internet and they feel safer for it. The most important thing is to make sure that the customer doesn't get the "I've got a firewall, so I'm safe" mentality (back to user education again).

We all know that the Internet has become a very hostile place to be since its rise to being a mass market commodity product, but ultimately ISPs are not, and should not, be held responsible for that (unless it's their servers that are stuffed). To use a tried and trusted analogy premise, that's like blaming car dealers for the increase in risk caused by the growing number of cars on the roads. A car dealer should show you the location of the controls in your new car, maybe even make sure you have a license and valid insurance, but not give you a driving test. Once you own your new car, it's up to you to make sure you drive and park safely, keep it locked, don't leave valuables on the back seat and keep it serviced. If you can't or don't do any of those things, and don't take advantage of the people who will help or do those things for you then, ultimately, who is to blame when things inevitably go horribly wrong?