Of the articles published so far, this one is perhaps the most misleading one I've read. It would seem Mr. Rose didn't even bother to read some of the messages that were posted w/ regards to this messenger spam...or he's simply focusing on a single aspect of it. Many of the posts to this list have clearly shown that this "messenger spam" is not, in fact, coming in over TCP port 139 (as works w/ 'net send' and the use of the NetMessageBufferSend() API)...rather, it's coming in over DCOM/RPC, and is initiated w/ a UDP query to port 135, the portmapper. By focusing on TCP port 139 in this instance, Mr. Rose's readers will certainly prevent the traditional 'net send' methods of spamming from working...however, blocking that port will do nothing to protect the readers from tools such as the one available from DirectAdvertiser.com.

Carv

--- Rob Keown <Keownat_private> wrote:
> Here is another article:
> http://www.techtv.com/screensavers/answerstips/story/0,24330,3374542,00.html
>
> -----Original Message-----
> From: Ron Trenka [mailto:ronat_private]
> Sent: Wednesday, October 16, 2002 10:40 AM
> To: incidentsat_private
> Subject: Re: Source of Windows PopUp SPAM
>
> on 10/15/02 12:29 PM, Lawrence Baldwin at baldwinLat_private wrote:
>
> > We've identified a commercial, Windows-based SPAM package which sends SPAM
> > via popups (all for $699).
> > I've confirmed that this particular package (which I can't name, yet..)
> > sends popups via MS RPC.
> > I suspect this package is running on these Linux systems under VMWARE
> > emulated Windows sessions.
> >
> > What is also interesting is that some users, despite running personal
> > firewalls, are still reporting getting these popups. This probably explains
> > the developers' choice to use MS RPC (udp/135) for delivery instead of a
> > straight Netbios SMB call (tcp/139). MS RPC would be less overhead, but
> > also has the potential to reach more people as even those with firewalls are
> > often giving 'svchost.exe' server privileges because they assume it's
> > necessary:
> >
> > http://www.dslreports.com/forum/remark,4718327~root=security,1~mode=flat
>
> Anyone have a way to disable this on W2K and NT 4.0 servers?
>
> ***********************************************************
> * Ron Trenka           | "You do not need a parachute     *
> * Zowie Digital Media  | to skydive. You only need a      *
> * www.zowiedigital.com | parachute to skydive twice."     *
> * ronat_private        | www.DarwinAwards.com             *
> * (212) 627-4991 x22   |                                  *
> ***********************************************************
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
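The practical point of the thread is that a host-firewall rule covering only tcp/139 stops classic 'net send' traffic but leaves the DCOM/RPC path, which starts with a UDP query to port 135, wide open. The following added example (not part of the original thread; all flows and log lines are constructed) checks the two policies against both delivery paths and scans sample firewall log lines for inbound hits on those ports.

```python
"""Compare a tcp/139-only firewall policy with one that also drops udp/135,
then flag log lines where either Messenger-spam delivery port was allowed in.
All flow records and log lines are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    note: str       # which delivery path this flow represents


# The two inbound delivery paths named in the thread (constructed records).
NET_SEND_PATH = Flow("tcp", 139, "NetMessageBufferSend over NetBIOS (tcp/139)")
RPC_PATH = Flow("udp", 135, "DCOM/RPC query to the portmapper (udp/135)")

# A policy is the set of (proto, port) pairs dropped on inbound traffic.
ARTICLE_POLICY = {("tcp", 139)}                 # what the article advises
THREAD_POLICY = {("tcp", 139), ("udp", 135)}    # what the thread shows is needed


def allowed(policy, flow):
    """True if the policy lets this inbound flow reach the host."""
    return (flow.proto, flow.dst_port) not in policy


def unblocked_paths(policy, flows):
    """Return the delivery paths a policy still lets through."""
    return [f.note for f in flows if allowed(policy, f)]


# Constructed log format (not any real product's): "<ts> <ACTION> <proto> <src> -> <dst>"
SAMPLE_LOG = """\
2002-10-16T10:40:01 ALLOW udp 203.0.113.7:1029 -> 192.0.2.10:135
2002-10-16T10:40:02 DROP tcp 203.0.113.7:1030 -> 192.0.2.10:139
2002-10-16T10:40:05 ALLOW tcp 198.51.100.4:3456 -> 192.0.2.10:80
2002-10-16T10:40:09 ALLOW udp 203.0.113.9:1031 -> 192.0.2.11:135"""

MESSENGER_PORTS = {("udp", 135), ("tcp", 139)}


def suspicious_allowed(log_text):
    """Return log lines where a Messenger-spam delivery port was ALLOWED inbound."""
    hits = []
    for line in log_text.splitlines():
        _ts, action, proto, _src, _arrow, dst = line.split()
        dst_port = int(dst.rsplit(":", 1)[1])
        if action == "ALLOW" and (proto, dst_port) in MESSENGER_PORTS:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for name, pol in (("article", ARTICLE_POLICY), ("thread", THREAD_POLICY)):
        print(f"{name} policy still lets in: {unblocked_paths(pol, [NET_SEND_PATH, RPC_PATH])}")
    for hit in suspicious_allowed(SAMPLE_LOG):
        print("allowed Messenger delivery port:", hit)
```

With the article's policy the RPC path is reported as unblocked, and the log scan surfaces the two udp/135 lines that were allowed through.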
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 10:06:13 PDT