Slashdot Mirror


Preventing the NT Messenger From Use as a Spam Portal?

zbowling (Zac Bowling) asks: "I currently use Comcast cable internet, and I consistently get hit with spam popups. These are not the ones you get from webpages or media, these are dialog box popups from people scanning all possible IPs for the open messenger port on most NT or Win2k machines. The NT Messenger service (also the same as Novell's Network Alert system) is reserved for admins, so they can send messages to the domain or a single workstation for any reason. This service has been taken advantage of by spammers looking for a cheap way to spam someone. One message I got was a spam to get me to buy a firewall product from them to prevent this from happening. I'm sure you can shut off that service or block that port except from people in your subnet. Does anyone know of any resources on the topic?"

22 of 66 comments

  1. Write your congressman. by Lord+Bitman · · Score: 4, Interesting

    It is an insult that typing in a URL can be considered "hacking", while sending bogus data to an unknowingly open machine in order to get it to do things which it was never intended to do is not.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
    1. Re:Write your congressman. by PerryMason · · Score: 4, Insightful

      The knee-jerk reaction is to consider this Messenger service spamming as a hack, but you have to stop and consider the wider implications of calling it 'hacking'.

      If we are to make this sort of thing illegal, it's a very small step to consider any connection to an open port that isn't what the recipient (i.e. server operator) expected to receive as hacking. This is likely to lead to even less of a focus on delivering a secure software product, rather relying on the threat of legal action to secure systems, much like the DMCA. It's using the sledgehammer of the law to crack a small nut that technology is already more than capable of dealing with.

      If you really feel the need to write to somebody, write to Microsoft and tell them that the default state of a system following an install is insecure and that you will stop purchasing their products if they can't provide something secure enough to put on the internet.

      --
      "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
  2. Spammed by anti-spam product adverts. Defeat? by tgrotvedt · · Score: 4, Funny

    Maybe you could, uh, buy that firewall product the spammer advertised....

    that's kind of... weird though.

    --
    What makes a man want to be a mouse? (Python's Flying Circus)
    1. Re:Spammed by anti-spam product adverts. Defeat? by GimmeFuel · · Score: 2, Informative

      Buying the advertised product would stop it just for you, but would encourage the spammer further, making it worse for everyone else. Instead, get a free firewall like ZoneAlarm and stop it that way.

  3. turn the service off by FrenZon · · Score: 2, Informative

    If you don't need it, go to your services menu, and set the messenger service to 'off'.

  4. Resource by skinfitz · · Score: 4, Informative

    Does anyone know of any resources on the topic?

    Yes, it's called Google.

  5. Check out by arcadum · · Score: 3, Informative
  6. Shut off the service by Baloo+Ursidae · · Score: 5, Informative

    Go into Control Panel, then Services.
    Scroll down to Messenger and right click, hit Properties.
    Set Startup Type to Disabled.
    If the Service status says Started, click Stop.
    Click OK and close out of Services and Control Panel.

    --
    Help us build a better map!
    1. Re:Shut off the service by genka · · Score: 2, Informative

      He didn't ask how to stop the service. He wants to know if he can make it accessible only from a local subnet. I think he even knows that there are things like routers and they can use ACLs, but he wants to limit Messenger access by tweaking the configuration of his computers. I doubt it is possible.

  7. Stopping NT Messenger Spam by Wrexen · · Score: 4, Funny

    Step 1) Go to google
    Step 2) Type in "NT messenger spam"
    Step 3) Hit the "I'm feeling lucky" button
    Step 4) Stop NT Messenger Spam
    Step 5) Submit question to "Ask Slashdot" anyway
    Step 6) ????
    Step 7) Profit!

  8. Simple by Anonymous Coward · · Score: 4, Funny

    Create a whitelist of IPs and generate a set of rules for INPUT tabl... oh... sorry, never mind...

  9. How the ..... by Korgan · · Score: 3, Informative

    I can't believe this post got this far. A solution can even be found on Yahoo!

    Dude, core rule of running ANY OS is to disable anything you don't use. If you don't know which services/daemons you do or don't need, then install a software based firewall on the OS until you can get help to start securing the OS properly.

    For windows, software like Zone Alarm (http://www.zonelabs.com) is a good start. McAfee, Symantec and a whole heap of other companies offer similar products also.

    For *BSD (Including OSX) IPF is available on nearly all variants. For GNU/Linux, NetFilter/IPTables in the modern kernels and IPCHAINS and IPFWADM in the older kernels.

    For commercial versions of Unix, there are quite a few options, but most home users aren't going to be running Solaris or HP-UX or AIX or other such OSs.

  10. router? by lburdet · · Score: 2, Informative

    If you still need to keep the service "Active", I'm assuming you have more than one machine behind the cable connection?
    If you have more than one machine, surely you have some form of routing?
    And if you have a router, then why don't you just block the port on the router, leave it open on the internal nodes, and lest I forget, not submit a googleable question to /. ?

  11. Shorter Procedure by Anonymous Coward · · Score: 3, Funny

    Go to the Start menu
    Select Shut Down
    Put Computer in Box
    Take it back to the store and tell them you want your money back, because you're too stupid to use a computer

  12. "block incoming NetBIOS" by Futurepower(R) · · Score: 2, Informative


    Installing ZoneAlarm is not enough. You must go to Security/Local/Customize in ZoneAlarm and select "block incoming NetBIOS".

  13. Slashdot is for posting, not roasting. by Futurepower(R) · · Score: 4, Insightful


    Slashdot Readers: If you don't like an Ask Slashdot question, ignore it!

    Don't waste everyone's time posting a comment saying that you knew the answer when you were 8 or 18 years old, and Slashdot is lame for posting such a simple question.

    Slashdot is meant to be a community. Not everyone in a community has the same knowledge. Questions that are simple for you may be difficult for someone else.

    Yes, many questions can be answered by Google, IF you already know the answer and therefore know the correct key words.

  14. Just disable the service by Noah+Adler · · Score: 3, Informative

    How about just typing net stop messenger at a command prompt?

    Problem solved, eh? Should this really have been an Ask Slashdot?

    1. Re:Just disable the service by Stalemate · · Score: 3, Funny

      I know what you mean. Even if he didn't know that exact command, he could have written a program to just pipe random character strings through cmd.exe and hope he turned off the service before he formatted his c: drive.

      You just can't help someone if they aren't willing to help themselves.

  15. New Windows by mrscott · · Score: 2, Informative

    At the risk of being flamed for a pro-Microsoft comment, take a look at Windows Server 2003. Out of the box, it is pretty tightly locked down. No services are installed by default -- an admin has to proactively enable things like IIS, DNS, etc. Permissions are no longer defaulted to "Everyone Full Control" as they were in the past. While I'm sure that there will still be holes found, at least the ones provided by a default installation have been addressed.

  16. Actually it is called Linksys by Glonoinha · · Score: 3, Informative

    Original poster : go to BestBuy or wherever and buy a Linksys 4 port router/firewall : Linksys Model# BEFSR41. They are dirt cheap now that the wireless stuff is out, cost maybe $50. Gives you two things :

    1. Your IP address is now a black hole. Nothing comes in. Cable modem is a shared medium meaning it is entirely possible that your neighbors could be snooping your hard drive. Not likely, but possible (I have done it in the past ... it is fun:) The router stops all inbound traffic at the door, or pretty much most of it. That pesky Messenger spam goes away. Also protects you from the damn Nimda (?) type worms that attack exposed web servers.

    2. You can plug more than one computer into the 4 10/100 ports the unit has, now you have more than one computer surfing at cable speed. Also have your internal network between computers. If you had friends and they came over they could plug their machines in and have instant access to the web also. Acts as a DHCP server so you don't need to configure one.

    If you have a cablemodem, you really, really need a hardware firewall/router, and the Linky is a very easy to use unit. Just be sure to change the password, everybody on the planet knows how to hack their way in if it is left to the default.

    --
    Glonoinha the MebiByte Slayer
  17. NOT NetBIOS, but RPC by mhesseltine · · Score: 2, Informative

    The Messenger service sends and receives messages not using the NetBIOS protocol, but RPC. Therefore, you need to block port 135 to stop the messenger.

    As many others have said, you could also just turn the service off. I haven't seen anyone mention Black Viper as a resource for explaining what could be shut off and how to do it.

    --
    Overrated / Underrated : Moderation :: Anonymous Coward : Posting
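
The rule the question asks for (Messenger ports reachable only from the local subnet), written out and checked against a few log lines. This is an added example, not part of the thread: the LAN range 192.168.1.0/24, the function names, and the constructed sample log in netfilter LOG style are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the thread: 135 (RPC, comment 17) and the NetBIOS
# range 137-139 (comment 12's "block incoming NetBIOS").
MESSENGER_PORTS = {135, 137, 138, 139}

# Assumption: the home LAN behind the router uses this private range.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample (key=value fields in netfilter LOG style); outside
# addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=UDP SPT=4021 DPT=135
IN=eth0 SRC=192.168.1.20 DST=192.168.1.10 PROTO=UDP SPT=1030 DPT=135
IN=eth0 SRC=203.0.113.7 DST=192.168.1.10 PROTO=UDP SPT=4022 DPT=137
IN=eth0 SRC=198.51.100.44 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=80
IN=eth0 SRC=198.51.100.44 DST=192.168.1.10 PROTO=TCP SPT=51001 DPT=139
garbage line without fields
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def allowed(src, dport, local_net=LOCAL_NET):
    """Messenger/NetBIOS ports may only be reached from the local subnet."""
    if dport not in MESSENGER_PORTS:
        return True  # other ports are out of scope for this rule
    return ipaddress.ip_address(src) in local_net

def outside_probes(log_text, local_net=LOCAL_NET):
    """Count, per outside source, the packets this rule would have dropped."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src, dport = fields["SRC"], int(fields["DPT"])
            if not allowed(src, dport, local_net):
                hits[src] += 1
        except (KeyError, ValueError):
            continue  # malformed line, missing field, or unparsable address
    return hits

if __name__ == "__main__":
    for src, count in outside_probes(SAMPLE_LOG).most_common():
        print(f"{src}: {count} packet(s) to Messenger ports from outside {LOCAL_NET}")
```
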
  18. Windows NET SEND saga by rakerman · · Score: 2, Informative

    NET SEND on Windows

    This was also asked before and before that and before before that. And if you search Slashdot on "messenger", many other times besides those three.