Preventing the NT Messenger From Use as a Spam Portal?

zbowling (Zac Bowling) asks: "I currently use Comcast cable internet, and I consistently get hit with spam popups. These are not the ones you get from a webpages or media, these are dialog box popups from people scanning all possible IPs for the open messenger port on most NT or Win2k machines. The NT Messenger service (also the same as Novells Network Alert system) is reserved for admins, so they can send messages to the domain or a single workstation for any reason. This service has been taken advantage of by spammers looking for a cheap way to spam someone. One message I got was a spam to get me to buy a firewall product from them to prevent this from happening. I'm sure you can shut of that service or block that port except from people in your subnet. Does anyone know of any resources on the topic?"

Re:Spammed by anti-spam product adverts. Defeat?

[GimmeFuel]

Buying the advertised product would stop it just for you, but would encourage the spammer further, making it worse for everyone else. Instead, get a free firewall like ZoneAlarm and stop it that way.

turn the service off

[FrenZon]

If you don't need it, go to your services menu, and set the messenger service to 'off'.

Resource

[skinfitz]

Does anyone know of any resources on the topic?

Yes, it's called Google.

Check out

[arcadum]

This teaches you alot

Shut off the service

[Baloo+Ursidae]

Go into Control Panel, then Services.
Scroll down to Messenger and right click, hit Properties.
Set Startup Type to Disabled.
If the Service status says Started, click Stop.
Click OK and close out of Services and Control Panel.

Re:Shut off the service

[genka]

He didn't ask how to stop the service. He wants to know if he can make it accessible only from a local subnet. I think he even knows that there are things like routers and they can use ACLs, but he wants to do limit Messenger access by tweaking configuration of his computers. I doubt it is possible.

How the .....

[Korgan]

I can't believe this post got this far. A solution can even be found on Yahoo!

Dude, core rule of running ANY OS is to disable anything you don't use. If you don't know which services/daemons you do or don't need, then install a software based firewall on the OS until you can get help to start securing the OS properly.

For windows, software like Zone Alarm (http://www.zonelabs.com) is a good start. McAfee, Symantec and a whole heap of other companies offer similar products also.

For *BSD (Including OSX) IPF is available on nearly all variants. For GNU/Linux, NetFilter/IPTables in the modern kernels and IPCHAINS and IPFWADM in the older kernels.

For commercial versions of Unix, There are a quite a few options, but most home users aren't going to be running Solaris or HP-UX or AIX or other such OSs.

router?

[lburdet]

if you still need to keep the service "Active", i'm assuming you have more than one machine behind the cable connection?
If you have more than one machine, surely you have some form of routing?
And if you have a router, then why don't you just block the port on the router, leave it open on the internal nodes, and lest i forget, not submit a googleable question to /. ?

"block incoming NetBIOS"

[Futurepower(R)]

Installing ZoneAlarm is not enough. You must go to Security/Local/Customize in ZoneAlarm and select "block incoming NetBIOS".

Just disable the service

[Noah+Adler]

How about just typing net stop messenger at a command prompt?

Problem solved, eh? Should this really have been an Ask Slashdot?

New Windows

[mrscott]

At the risk of being flamed for a pro-Microsoft comment, take a look at Windows Server 2003. Out of the box, it is pretty tightly locked down. No services are installed by default -- an admin has to proactively enable things like IIS, DNS, etc. Permissions are no longer defaulted to "Everyone Full Control" as they were in the past. While I'm sure that there will still be holes found, at least the ones provided by a default installation have been addressed.

Actually it is called Linksys

[Glonoinha]

Original poster : go to BestBuy or whereever and buy a Linksys 4 port router/firewall : Linksys Model# BEFSR41. They are dirt cheap now that the wireless stuff is out, cost maybe $50. Gives you two things :

1. Your ip address is now a black hole. Nothing comes in. Cable modem is a shared medium meaning it is entirely possible that your neighbors could be snooping your hard drive. Not likely, but possible (I have done it in the past ... it is fun:) The router stops all inbound traffic at the door, or pretty much most of it. Those pesky Messenger spam go away. Also protects you from the damn Nimda (?) type worms that attack exposed web servers.

2. You can plug more than one computer into the 4 10/100 ports the unit has, now you have more than one computer surfing at cable speed. Also have your internal network between computers. If you had friends and they came over they could plug their machines in and have instant access to the web also. Acts as a DHCP server so you don't need to configure one.

If you have a cablemodem, you really, really need a hardware firewall/router, and the Linky is a very easy to use unit. Just be sure to change the password, everybody on the planet knows how to hack their way in if it is left to the default.

NOT NetBIOS, but RPC

[mhesseltine]

The Messenger service sends and recieves messages not using the NetBIOS protocol, but RPC. Therefore, you need to block port 135 to stop the messenger.

As many others have said, you could also just turn the service off. I haven't seen anyone mention Black Viper as a resource for explaining what could be shut off and how to do it.

Windows NET SEND saga

[rakerman]

NET SEND on Windows

This was also asked before and before that and before before that. And if you search Slashdot on "messenger", many other times besides those three.