Windows Messenger Popups

Discussion in 'other firewalls' started by Sonic, Jan 20, 2003.

Thread Status:
Not open for further replies.
  1. Sonic

    Sonic Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    14
    I am having trouble blocking the windows messenger popups. I know that I can disable the windows messenger service, but I want to set up firewall rules instead.

    I am using Sygate Personal Firewall. I have set up two advanced rules.

    The first rule blocks all incoming UDP traffic on local ports 135,137,138,139,445.

    The second rule blocks all incoming TCP traffic on local ports 135,137,138,139,445.

    When I test it by sending myself a message using the "net send" command, the message gets through.

    When I check my traffic log the message seems to sometimes get through on a port above 1000.

    Other times, the traffic log shows traffic on ports 137 and 138 was blocked, with no indication of incoming traffic coming in, but the test message still pops up.

    Any help would be appreciated.
    Thanks.
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,
    Windows Messenger and Messenger Service are not the same.

    I suppose if you don't want to disable Messenger service you are on a LAN and need it on your LAN?

    Then just disable NetBIOS with TCP/IP on the NIC for your Web connection and leave it enabled on the other NIC
    (located in Network Management\ Protocol TCP/IP\properties\ advanced\ => WINS).
    Close and reopen your connection.

    Rgds,
     
  3. Sonic

    Sonic Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    14
    Yes, I should have been more specific. I am referring to messenger service, not windows messenger.

    No, I am not on a LAN. Just a stand alone home computer for now, but I am planning a home network. Could I just turn off windows messenger with no adverse effects?

    I thought that since I had a firewall I should be able to block these annoying popups at the firewall level rather than turning off a service that I might need.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    The use of this service is normally restricted to local networks, so most firewalls will be able to distinguish the good from the bad.

    A very good explanation on how to disable these services can be found here: http://www.auburn.edu/oit/security/messengerService.html

    Regards,

    Pieter
     
  5. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I have messenger service set to manual and it is not started. I have a lan and it causes no problems.
    A suggestion when you set up your lan. You might consider disabling NetBios over TCP and install the NetBeui protocol. In my opinion, a better way of sharing files and printers.
    Also, have you looked at Steve Gibson's Network Bondage articles? http://grc.com/su-bondage.htm
     
  6. Sonic

    Sonic Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    14
    OK, looks like I can just disable messenger service if the popups become a problem.

    I am still wondering why I can't seem to configure firewall rules to block this traffic. o_O
     
  7. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Huh? You can. Just block TCP 135. In fact, if your firewall (like most) is set to query or block packets not explicitly allowed, you won't be bothered by messenger spam (or, more accurately, you will be "spammed" by an alert window until you set a rule to explicitly deny, or if you have a "block all" rule).

    I suppose it does no harm to disable the messenger service as well. The less stuff you have listening, the better, even with firewalls.

    Some people just disable the messenger service (and they don't use a firewall) and will never be bothered by "net send" since the service isn't there to respond. But experts far more knowledgeable than me recommend they firewall TCP 135 as well.

    Not sure why, since with messenger service removed, port 135 won't be listening, and I doubt even a hacker can hit a port that has no application listening.

    Still, I suppose the idea is to prevent something from inside opening port 135... But if something is already "inside", you are pretty much dead anyway.
     
  8. Sonic

    Sonic Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    14
    I blocked the following ports:

    UDP 135,137,138
    TCP 135,139,445

    And the messenger service spam still gets through. I guess I have no choice but to disable messenger service.

    I notice the Microsoft Knowledge Base Article - 330904 indicates the following:

    "The Messenger service uses UDP ports 135, 137, and 138; TCP ports 135, 139, and 445; and an ephemeral port number above 1024."

    I guess it is the "ephemeral port number above 1024" that is giving me trouble.

    Does anyone know anything about this "ephemeral port"? Is this why disabling messenger service seems to be the only option?

    Thanks.
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Sonic,

    Question - Are you saying that real messenger service based spam pop-ups are coming through, or are you generating test messages to see if you are vulnerable? I ask this because in your first post you said - quote: "When I test it by sending myself a message using the "net send" command, the message gets through." Your own test messages are not coming from outside your firewall, so they'd be allowed, and pop-ups would be displayed.

    If it is real spam messages coming through, then I'd have to guess that you're having a problem with either the specific syntax of the blocking rules you've set up, or that some rule higher up in your rule list is allowing the messenger service to listen from the Internet.

    You really should be able to block these messages with a firewall, so perhaps you should document the specific details related to the rules you are using, and their placement in the list of rules.
     
  10. Sonic

    Sonic Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    14
    LowWaterMark,

    Thanks for the post.

    Yes, the message I am talking about comes through when I send myself a message from the Command Prompt window. E.g. ..

    C:\>net send [ip address] [message]

    I assumed such a command would go outside of my computer to the internet before coming back in as a windows message. In fact, my Sygate PF traffic log suggests that such is the case. On the incoming side, the traffic log shows several blocked packets on the blocked ports, but then shows an allowed packet on a port above 1024. This is why I was assuming that it was this higher port that was giving me trouble. In fact, after doing several tests, the message seems to be coming in on a higher port number, but the actual port seems to change.

    Since I can't seem to solve the problem at the firewall, I have decided to just disable the windows messenger service.
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Sonic

    I am not too sure how Sygate handles loopback traffic, but if you are just sending this to yourself on your own system, it is likely using loopback rules to accomplish this. Likely why you are seeing the allowed packets in the temp range (ephemeral ports) 1024-5000.

    If you are not going to use the service, it will not hurt anything to set it to manual. Your firewall should be blocking any requests/connection attempts to this from the outside. It just appears to be allowing it on localhost/your system.

    Regards,
    CrazyM
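
A first-match rule model of the situation LowWaterMark and CrazyM describe above, as an added example that is not part of the original thread and not Sygate's actual rule engine: a loopback-allow rule sitting above the block rules passes a `net send` to your own IP while the same packet from an outside sender is blocked. The `Rule`/`Packet` types, the addresses and the rule layouts are assumptions made for illustration; the ports are the ones quoted from KB 330904.

```python
import ipaddress
from dataclasses import dataclass

# Messenger service ports as quoted in the thread from Microsoft KB 330904.
MESSENGER_PORTS = {"udp": {135, 137, 138}, "tcp": {135, 139, 445}}
HOST_ADDRS = {"203.0.113.10"}  # constructed: this machine's own (documentation-range) IP

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    proto: str                       # "udp", "tcp" or "any"
    ports: frozenset = frozenset()   # empty = any local port
    local_only: bool = False         # rule applies only to traffic the host sent to itself

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: int

def is_local_source(src, host_addrs=HOST_ADDRS):
    """Loopback or own-address sources never crossed the external interface."""
    return ipaddress.ip_address(src).is_loopback or src in host_addrs

def evaluate(rules, pkt, default="block"):
    """First matching rule wins. Returns (action, index of matching rule or None)."""
    local = is_local_source(pkt.src)
    for i, rule in enumerate(rules):
        if rule.local_only and not local:
            continue
        if rule.proto not in ("any", pkt.proto):
            continue
        if rule.ports and pkt.dst_port not in rule.ports:
            continue
        return rule.action, i
    return default, None

BLOCKS = [Rule("block", p, frozenset(ports)) for p, ports in MESSENGER_PORTS.items()]
LOOPBACK_ALLOW = Rule("allow", "any", local_only=True)
LOOPBACK_FIRST = [LOOPBACK_ALLOW] + BLOCKS   # assumed layout: loopback allowed above the blocks
BLOCKS_FIRST = BLOCKS + [LOOPBACK_ALLOW]     # same rules, block rules placed on top

SELF_TEST = Packet("udp", "203.0.113.10", 135)   # "net send" to your own IP
EXTERNAL = Packet("udp", "198.51.100.7", 135)    # constructed outside sender

if __name__ == "__main__":
    for name, rules in (("loopback first", LOOPBACK_FIRST), ("blocks first", BLOCKS_FIRST)):
        print(name, "self:", evaluate(rules, SELF_TEST), "external:", evaluate(rules, EXTERNAL))
```

A packet to a port no rule names (for example UDP 1026 from outside) falls through to `default`, so whether the "ephemeral port above 1024" is reachable depends on the firewall's default action, not on the Messenger port rules.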
     
  12. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    Test it from here.
    http://www.mynetwatchman.com/winpopuptester.asp

    Edit: for some reason this link doesn't work when clicked on. Copy and paste it into your browser.
     
  13. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi SpaceCowboy

    Thanks for the link...it worked fine for me :)

    Regards,
    CrazyM
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Sonic,

    Yes, there is a difference between testing network access from some place on the machine you are testing, and from the outside. SpaceCowboy is correct, the best way to test is via an independent external point, like myNetWatchman.

    But, since you've disabled the messenger service, this isn't really necessary - you are secure regardless!!

    Best Wishes,
    LowWaterMark
     
  15. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    He has been sent the same link at Sygate's forum and has been told that the problem is with him sending it to himself.
    http://forums.sygatetech.com/showthread.php?s=&threadid=4396

    He chooses to not try the link and then posts the same problem here and wonders why the firewall can't block it. The firewall will block it from others but not from himself.

    CrazyM, I think you got it right when you mentioned loopback. Sygate has a problem with loopback which will hopefully be fixed soon.

    Sonic, I hope they have answered your question.

    BTW CrazyM, when I click on the netwatchman link that I supplied my screen just blinks. Does the same thing on the link I supplied at Sygate's forum. Strange that it works for others but not me.
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi SpaceCowboy

    Loopback rules can be confusing at the best of times, let alone how they may or may not be implemented in different products.

    As for the link, perhaps that will remain one of life's little mysteries ;)

    Regards,
    CrazyM
     
  17. Sonic

    Sonic Registered Member

    Joined:
    Jan 17, 2003
    Posts:
    14
    Thanks everyone for your replies. It turns out that it wasn't a problem with me sending it to myself, but in the way I had the firewall rules configured.

    I originally had a single rule blocking multiple UDP ports.
    But when I changed it to a separate rule each blocking a single UDP port, it blocked the popup.
     