Spam Takes New Form

Discussion in 'privacy problems' started by Mr.Blaze, Mar 5, 2002.

Thread Status:
Not open for further replies.
  1. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Spam Takes New Form
                   

    We'll tell you how you can be affected by messenger spam on Monday 3/4 at 7 p.m. Eastern on 'The Screen Savers.'
    Also airs 3/4 at 10 p.m., 3/5 at 1 a.m, 11:30 a.m. Eastern.
           

    By Kevin Rose
    March 4, 2002

           [] Printer-friendly format
    [] Email this story

           
           
           
    When you think of spam, you normally think about those annoying unsolicited email messages you receive in your inbox. But there's a new form of spam that's coming your way and you don't need to have an email account, chat client, or Web browser to receive it. All you need in order to be spammed is Windows XP, 2000, or NT and an Internet connection. This new form of spam is called messenger spam. Messenger (not to be confused with MSN messenger) is a service that is loaded by default upon the startup of Windows XP/2000/NT. Microsoft has used the messenger service for a number of years to send messages between its servers and clients. Here is Microsoft's official description of the messenger service:
    Messenger Service:
    Transmits "net send" and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
    What is this messenger service and why is it spam? The easiest way to explain it is to show you the ethical and non-ethical ways of using the messenger service. The ethical use turns the messenger service into a handy tool for system administrators. They can monitor servers and send out status pop-ups if a problem occurs. See an example by clicking here. The non-ethical use of the messenger service turns it into an untraceable spam tool. As you can see in this example, the sender has changed the computer name to "VirusScan." This fools the end user into believing it is a message from his or her antivirus program. The message also refers the user to a website, and as you can probably guess, it's not an antivirus website. The problem here is that anyone can send messages though the messenger service, not just system administrators. The command to send a message is called "net send" and can be executed from the command prompt with the following syntax. Spammers will automate this process using batch files so that they can send hundreds of messages per hour (see an example). You're probably saying to yourself, "No one knows my IP address. I'm safe." Not true. You and your hidden messenger service can easily be detected by running a simple port scan across a range of IP addresses. The messenger service is part of the Netbios service that runs on TCP port 139. To detect potential targets, the spammer will scan IP addresses with port 139 open. To demonstrate this, I downloaded an application named SuperScan and scanned 131 IP addresses for the open port 139. Click here to see a screen shot of my results. Out of 131 computers, 42 of them were open for attack. Using this method thousands of open IP addresses can be harvested and spammed per hour. Stop the spam Fortunately there is an easy way to protect yourself; you must turn off the messenger service from within XP/2K/NT. Remember, if you are behind a firewall/corporate network you are most likely safe (as long as port 139 is blocked). Always check with your system administrator before making any changes to your services. To turn off the messenger service in XP:
    Click on the Start button and open the control panel.
    Open the Performance and Maintenance control panel and go to Administrative Tools.
    Now double-click on Services, then scroll to Messenger.
    Double-click Messenger and click Stop to stop the service.
    Change the startup type to Disable (see an        
    example
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
Loading...
Thread Status:
Not open for further replies.