Blocking MSN Messenger?
Tekno2k3 asks: "As a sysadmin for a financial company, I have been tasked with removing Instant Messaging from our network. The only service that is being difficult is MSN Messenger. It uses many methods to get around being blocked. These include using port 80, using its own DNS servers for lookup, using MANY logon servers, and using reverse DNS lookup. Has anyone had any success in blocking Messenger?"
Use a packet shaper. The one that comes to mind (proprietary, however) is Packeteer. These filter based on protocol (I think), so usually they can keep out resourceful programs like gnutella, etc.
Oh, also. I've caught people using http redirectors. You run an app on your desktop that acts like a socks or http proxy. It encodes tcp traffic in http headers, sends it out to a site that demangles the packets and forwards them on.
There are a few commercial companies providing this support, and pretty much everyone can set up their own tunnel. While it's not that hard to track down the commercial stuff, I'm not sure how you'd defeat the guy running a proxy redirector on his DSL'd box at home. The latter hasn't been a problem for my workplace...yet.
This is a very inelegant approach, but I suppose you could block EVERY logon server at the router. There has to be a finite number of logon servers out there, so all you'd have to do is sit down for X amount of time with a MSN client and monitor outgoing traffic from your IP. Block each logon server as it comes up, wait for the client to reconnect, block that server, rinse, repeat.
Also, you could try looking for the location that the MSN client fetches the server list from and block that IP. If the list is stored locally, it'd be even easier to find and block those servers.
Of course, the above approach assumes that the router can handle blocking X amount of IPs. I wouldn't put it past MS to have hundreds or thousands of servers out there.
Then log all access to port 1863.
It won't work in all circumstances. When my DNS goes down, MSN Messenger still works. That's because it saves the last IP address in the registry. Just use regedit and you can confirm this for yourself. Trust me, I've written an MSN Messenger server, I know this shit.
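The approach suggested in the comments above (watch outgoing traffic, note each logon server, log all access to port 1863) can be automated against gateway logs. The following is an added example, not code from any poster in this thread; the log lines are constructed in iptables LOG key=value style, and all addresses are documentation ranges used as placeholders rather than real Messenger servers.

```python
import re
from collections import defaultdict

MSN_PORT = 1863  # port named in the thread

# Constructed sample lines (assumption: iptables LOG style); addresses are
# RFC 1918 / RFC 5737 placeholders, not real Messenger servers.
SAMPLE_LOG = """\
Mar  3 09:14:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.1.23 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3312 DPT=1863 SYN
Mar  3 09:14:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.1.23 DST=198.51.100.7 LEN=48 PROTO=TCP SPT=3313 DPT=1863 SYN
Mar  3 09:15:40 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.1.40 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1050 DPT=1863 SYN
Mar  3 09:16:11 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.1.40 DST=203.0.113.80 LEN=48 PROTO=TCP SPT=1051 DPT=80 SYN
Mar  3 09:17:30 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.1.23 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=1052 DPT=1863
Mar  3 09:18:00 gw kernel: truncated line DPT=1863
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def summarize(log_text, port=MSN_PORT):
    """Return (clients, servers): clients maps each internal source to the set
    of destinations it contacted on `port` over TCP; servers maps each
    destination to the number of connection attempts seen."""
    clients = defaultdict(set)
    servers = defaultdict(int)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue
        if "SRC" not in f or "DST" not in f:
            continue  # malformed or truncated entry
        clients[f["SRC"]].add(f["DST"])
        servers[f["DST"]] += 1
    return dict(clients), dict(servers)

def blocklist(servers):
    """Destinations ordered by hit count, then address, for a router ACL."""
    return [ip for ip, _ in sorted(servers.items(), key=lambda kv: (-kv[1], kv[0]))]

if __name__ == "__main__":
    clients, servers = summarize(SAMPLE_LOG)
    for src, dsts in sorted(clients.items()):
        print(f"{src} -> {', '.join(sorted(dsts))}")
    print("candidate block list:", blocklist(servers))
```

This only sees direct connections on port 1863; the port 80 fallback mentioned in the question does not show up in this filter and needs protocol-level inspection of the kind the packet-shaper comment describes.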
Hey,
You can block stuff like this using Group Policies (GPOs). I think you should start asking at news.microsoft.com at their group policy newsgroups.
If you have Windows XP machines as members of your domain, you can easily block it using GPO.
I totally agree with your point, but I have a similar situation: we have a lot of computers that share the internet connection, and there ain't that much bandwidth (around 40Kbits/sec if you're lucky), so sometimes I want to block MSN because the connection gets too slow for legitimate use, and I know most of the people in the office are just chatting with friends and getting no real work done, and, eventually, preventing me from doing my work, which requires being online 90% of the time.
I've worked in QA where employees have had to open dialup ISP accounts on personal credit cards so that they could actually test the products they were given.
The product would try to go contact our company's webserver for some kind of content, but it wasn't proxy-aware. And they still wouldn't put us out on the internet.
We never had to escalate it, 'cause of some employees taking it into their own hands, but that was incredible. Blew my damn mind.
There are no trails. There are no trees out here.
I joke about all this stuff, but seriously, I had a person email me a resume for a job we had open from "fatshaft42" at a well known free email provider.
Of course, all the girls in the office wanted to hire him, but it did nothing for his professional appeal. Well, if we were an escort agency maybe it would have...
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Disable via the registry with login scripts
8 1/
/ Gr oup%20Policy%20Registry%20Editor.htm
http://www.winguides.com/registry/display.php/9
Or group policy
http://www.subvers.com/technobabble/html/tweaks
If you have wildcat machines that people just setup on their own, you have a larger problem.
Conformity is the jailer of freedom and enemy of growth. -JFK