Update: Messenger Spam

Lawrence Baldwin

I spent a good amount of time updating my documentation on the blasted
Messenger Spam phenom:

http://www.mynetwatchman.com/kb/security/articles/popupspam/index.htm

Psloss was also good enough to update our WinPopUP tester to include the new
ports the blasted spammers are jamming these messages to: udp/1026-1029 as a
result of udp/135 filtering by most ISPs.

We've also customized the messages that we send to include the port number
that the message was sent on, this way you know exactly how this spam is
getting through (if it's getting through).

If you know someone grappling with this problem, I hope this helps.

I've also been doing deeper research on this, ironically 90% of the
messenger spam I see on my Comcast IP is promoting products to block
messenger spam...what I initially thought was 10-20 different
companies/products really appears to be 3-4 companies using a wide variety
of names (e.g. messagestop.net, messengerbegone.com, destroyads.com,
directadstopper.com, messengerdestroyer.com, endads.com,
defeatmessenger.com, messagebasher.com, broadcastblocker.com,
messengerstopper.com, etc.) to advertise just 3-4 unique products....and
many of those seem to correlate back to PO boxes in San Diego, CA...so I
suspect the true number of companies may even be smaller.

Enjoy.

Lawrence Baldwin
myNetWatchman.com
+1.678.624.0924
 
David

It never ceases to amaze me to what lengths advertisers will go to get their
messages read...or should I say deleted. Maybe someday they will realize
that their profits are decreasing because their aggressive tactics have
forced the consumer to delete them with anti spam software, filter them with
web proxies, and bypass them with TiVo. Someone needs to write a program
that registers itself as the messenger service with the port mapper, yet
responds with a DOS attack to the offending spammers :)
 
Bill Carton - (The Roadie)

Lawrence Baldwin said:
> I spent a good amount of time updating my documentation on the blasted
> Messenger Spam phenom:
>
> http://www.mynetwatchman.com/kb/security/articles/popupspam/index.htm
>
> I've also been doing deeper research on this, ironically 90% of the
> messenger spam I see on my Comcast IP is promoting products to block
> messenger spam...what I initially thought was 10-20 different
> companies/products really appears to be 3-4 companies using a wide variety
> of names (e.g. messagestop.net, messengerbegone.com, destroyads.com,
> directadstopper.com, messengerdestroyer.com, endads.com,
> defeatmessenger.com, messagebasher.com, broadcastblocker.com,
> messengerstopper.com, etc.) to advertise just 3-4 unique products....and
> many of those seem to correlate back to PO boxes in San Diego, CA...so I
> suspect the true number of companies may even be smaller.

For more research on the San Diego connection, see
http://www.popupspamsucks.com/d-squared-solutions.html
 
Steve M (remove wax for reply)

> It never ceases to amaze me to what lengths advertisers will go to get their
> messages read...or should I say deleted. Maybe someday they will realize
> that their profits are decreasing because their aggressive tactics have
> forced the consumer to delete them with anti spam software, filter them with
> web proxies, and bypass them with TiVo. Someone needs to write a program
> that registers itself as the messenger service with the port mapper, yet
> responds with a DOS attack to the offending spammers :)

I'd think about using it. Not just on pop-up spammers.

I got mailbombed yesterday, at least 8 different zombie machines
sending variations on the same gibberish email.

If spammers / virus writers can do that, what could a network of
distributed spammer-harassers do?
 
Chuck

> I spent a good amount of time updating my documentation on the blasted
> Messenger Spam phenom:
>
> http://www.mynetwatchman.com/kb/security/articles/popupspam/index.htm

A very insightful document. Disturbing, too.

"Unfortunately (like many other Microsoft services), although the
Messenger service is intended to be used only on the local LAN, if you
connect a system to the Internet, without any firewall protections,
anyone on the Internet can transmit a Messenger popup to your system."

Get a firewall. Please. For everybody's sake. This is only a minor
example of what you subject yourself to, without one.


Chuck
(e-mail address removed)
Spam sucks - PLEASE get rid of the spam before emailing me!
Trusted Computing? Right! http://www.againsttcpa.com/
WHAT IS THE CBDTPA? http://www.stoppoliceware.org/
 
Guest

| >
| > I've also been doing deeper research on this, ironically 90% of the
| > messenger spam I see on my Comcast IP is promoting products to block
| > messenger spam...what I initially thought was 10-20 different
| > companies/products really appears to be 3-4 companies using a wide variety
| > of names (e.g. messagestop.net, messengerbegone.com, destroyads.com,
| > directadstopper.com, messengerdestroyer.com, endads.com,
| > defeatmessenger.com, messagebasher.com, broadcastblocker.com,
| > messengerstopper.com, etc.) to advertise just 3-4 unique products....and
| > many of those seem to correlate back to PO boxes in San Diego, CA...so I
| > suspect the true number of companies may even be smaller.
| >
| > Enjoy.
| >
| > Lawrence Baldwin
| > myNetWatchman.com
| > +1.678.624.0924
| >
| It never ceases to amaze me to what lengths advertisers will go to get their
| messages read...
|

It never ceases to amaze me that apparently people buy spam-stoppers from
people who use that very same spam to promote the products!


SB
 
Greenfrog

> I spent a good amount of time updating my documentation on the blasted
> Messenger Spam phenom:
>
> http://www.mynetwatchman.com/kb/security/articles/popupspam/index.htm
>
> Psloss was also good enough to update our WinPopUP tester to include the new
> ports the blasted spammers are jamming these messages to: udp/1026-1029 as a
> result of udp/135 filtering by most ISPs.

Just got endads.com et al. nuked. Take some packet dumps or at least
the text and forward them to: (e-mail address removed) and (e-mail address removed). If you
want to escalate things, try also (e-mail address removed), (e-mail address removed),
(e-mail address removed), (e-mail address removed), (e-mail address removed). I also show
them using Alternet ([email protected]) and Cogent ([email protected]) using
various traces. If RNC doesn't wake, their connectivity providers will
if they get enough complaints.
 
Quaestor

David said:
> It never ceases to amaze me to what lengths advertisers will go to get their

Who are you talking to?

--
_______ _______ _______ _______ _______ _______ _______

This is your brain. *shows a pea*
This is your brain when spamming. *smashes pea*
Any questions?
_______ _______ _______ _______ _______ _______ _______
 
David J. Grabiner

Lawrence Baldwin said:
> I spent a good amount of time updating my documentation on the blasted
> Messenger Spam phenom:
>
> http://www.mynetwatchman.com/kb/security/articles/popupspam/index.htm

Interesting. Microsoft explains how to block these with a firewall, and
which ports to close, but doesn't discuss the obvious step of turning
off Messenger.

> Psloss was also good enough to update our WinPopUP tester to include the new
> ports the blasted spammers are jamming these messages to: udp/1026-1029 as a
> result of udp/135 filtering by most ISPs.

And by firewalls; I closed the ports that Microsoft said to close but it
still didn't block all the spam.
 
derek / nul

> Interesting. Microsoft explains how to block these with a firewall, and
> which ports to close, but doesn't discuss the obvious step of turning
> off Messenger.
>
> And by firewalls; I closed the ports that Microsoft said to close but it
> still didn't block all the spam.

You seem to be going about it from the wrong direction.

BLOCK ALL PORTS

Then open what you need.
 
DaveW

So what does it take to get ISPs on RBL the same way spam friendly
email/web hosts get RBL?

http://www.popupspamsucks.com/d-squared-solutions.html identifies
NH-CABLE-COM-CN Network. (210.5.22.10, 210.5.22.11, 210.5.22.17,
210.5.22.18, 210.5.22.19, 210.5.22.20, 210.5.22.21, 210.5.22.22,
210.5.22.23) as a major source of this spam, and my own very incomplete
records (+ sample packet captures to verify spam)
(156 incidents 8/13/2003 - 9/11/2003 210.5.22.10 dst port 1026 UDP)
( 27 incidents 9/08/2003 - 9/11/2003 210.5.22.10 dst port 1027 UDP)
would back up those findings.

http://www.mynetwatchman.com/mynetwatchman/ListIncidentActivity.asp?IncidentId=30690977
documents the unresponsiveness of this network to LARTs and its worthiness of RBL.

level3.net is another that could use a wakeup call.
(93 records 7/26/2003 - 9/12/2003 64.156.39.12:666 <==(trade mark) dst port 1026 UDP)
http://www.mynetwatchman.com/mynetwatchman/ListIncidentActivity.asp?IncidentId=37592346

Crime will not go away if you ignore it or put bars on your doors and windows to keep it out.
Neither will spam.
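A per-source tally of the kind DaveW quotes can be produced from firewall logs. The following is an added example, not part of the thread; its log format, sample lines and addresses are constructed, and the logged source is only the address the packet claimed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Destination ports named in this thread: udp/135 plus udp/1026-1029.
MESSENGER_PORTS = {135, *range(1026, 1030)}

# Constructed log format (an assumption):
# "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+ (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
2003-08-13 04:11:02 UDP 192.0.2.10:4000 -> 203.0.113.5:1026
2003-08-20 17:45:10 UDP 192.0.2.10:4000 -> 203.0.113.5:1026
2003-09-08 09:02:44 UDP 192.0.2.10:4000 -> 203.0.113.5:1027
2003-09-09 12:00:00 TCP 198.51.100.7:4411 -> 203.0.113.5:135
2003-09-10 23:59:59 UDP 198.51.100.7:4412 -> 203.0.113.5:135
2003-09-11 08:30:00 UDP 192.0.2.10:4000 -> 203.0.113.5:53
line that does not parse
"""

def summarize(log_text):
    """Return {(src_ip, dst_port): (count, first_date, last_date)}
    for UDP hits on the Messenger ports."""
    stats = defaultdict(lambda: [0, None, None])
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unexpected format
        date_s, proto, src, _sport, _dst, dport = m.groups()
        if proto.upper() != "UDP" or int(dport) not in MESSENGER_PORTS:
            continue  # not Messenger pop-up traffic
        day = datetime.strptime(date_s, "%Y-%m-%d").date()
        entry = stats[(src, int(dport))]
        entry[0] += 1
        entry[1] = day if entry[1] is None else min(entry[1], day)
        entry[2] = day if entry[2] is None else max(entry[2], day)
    return {key: tuple(val) for key, val in stats.items()}

if __name__ == "__main__":
    for (src, port), (n, first, last) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d} incidents {first} - {last} {src} dst port {port} UDP")
```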
 
Crosscut

> It never ceases to amaze me to what lengths advertisers will go to get their
> messages read...or should I say deleted. Maybe someday they will realize
> that their profits are decreasing because their aggressive tactics have
> forced the consumer to delete them with anti spam software, filter them with
> web proxies, and bypass them with TiVo. Someone needs to write a program
> that registers itself as the messenger service with the port mapper, yet
> responds with a DOS attack to the offending spammers :)

1. A defense is not an attack.

2. A "reciprocal advertisement" is not unsolicited, nor is it an attack.

Thus spracht Pandora.
 
Lawrence Baldwin

> level3.net is another that could use a wakeup call.
> (93 records 7/26/2003 - 9/12/2003 64.156.39.12:666 <==(trade mark) dst port 1026 UDP)
> http://www.mynetwatchman.com/mynetwatchman/ListIncidentActivity.asp?IncidentId=37592346

I actually spoke to a L3 security person on this one...the traffic isn't
actually originating from Level 3...this is a confirmed case of *spoofed*
Messenger spam...it's driving them crazy as they are receiving over 400
complaints/month on this IP alone and there's nothing they can do about it.

Lawrence Baldwin
myNetWatchman.com
 
Guest

> http://www.mynetwatchman.com/mynetwatchman/ListIncidentActivity.asp?IncidentId=37592346
>
> I actually spoke to a L3 security person on this one...the traffic
> isn't actually originating from Level 3...this is a confirmed case of
> *spoofed* Messenger spam...it's driving them crazy as they are
> receiving over 400 complaints/month on this IP alone and there's
> nothing they can do about it.

Couldn't happen to a more deserving spam-support service.

No sympathy here.
 
DaveW

Lawrence Baldwin said:
> http://www.mynetwatchman.com/mynetwatchman/ListIncidentActivity.asp?IncidentId=37592346
>
> I actually spoke to a L3 security person on this one...the traffic isn't
> actually originating from Level 3...this is a confirmed case of *spoofed*
> Messenger spam...it's driving them crazy as they are receiving over 400
> complaints/month on this IP alone and there's nothing they can do about it.

I am still not convinced that the IP can be or is in this case spoofed.
The records show that this spam is likely spewed continuously 24/7.
If it were true that "there's nothing they can do about it" then we wouldn't be
having this conversation because the internet would have been long ago rendered
unusable due to traffic generated by IP spoofing virus/worms, IP spoofed spam and
DDoS attacks.

I think the real problem is that 400 complaints/month can be ignored.
 
Dave Platt

>> I actually spoke to a L3 security person on this one...the traffic isn't
>> actually originating from Level 3...this is a confirmed case of *spoofed*
>> Messenger spam...it's driving them crazy as they are receiving over 400
>> complaints/month on this IP alone and there's nothing they can do about it.
>
> I am still not convinced that the IP can be or is in this case spoofed.
> The records show that this spam is likely spewed continuously 24/7.
> If it were true that "there's nothing they can do about it" then we wouldn't be
> having this conversation because the internet would have been long ago rendered
> unusable due to traffic generated by IP spoofing virus/worms, IP spoofed
> spam and DDoS attacks.

My recollection is that the MS Messenger service uses UDP, in a
single-casting mode - the sender simply transmits one packet
containing the message to the destination IP address. There is no
need for a response of any sort from the recipient - no feedback, no
loop-closing.

Protocols such as this *are* trivially vulnerable to IP spoofing. If
the spoofer is using an ISP which does not have IP-spoof protection on
their customer-side routers/gateways, it's quite easy to generate
spoofed UDP/IP traffic. There simply isn't a good technical method
for the _true_ owner of the spoofed IP address to prevent this, since
the spoofed UDP packets never touch their networks, and any
"unreachable" ICMP packets which might come back from the attacked
system(s) don't contain any routing history to show where the spoofed
packets originated.

In theory, UDP/IP packet spoofing of this sort _might_ be used by a
worm, if the worm's propagation method didn't require a two-way
connection between the attacking system and the attacked system.

This sort of IP spoofing cannot be used with protocols based on TCP
(such as SMTP) because TCP requires two-way packet flow. [There are
certain special-case exceptions involving older TCP stacks with
predictable TCP packet sequence number behavior, but these ought to be
rare these days.]

As to whether this particular Messenger spam is in fact using spoofed
IP addresses, or whether L3 is mis-stating the situation, I have no
idea.
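The source-address check that Dave Platt says some ISPs lack on their customer-side gateways can be modelled in a few lines. This is an added example, not part of the thread; the customer ports, prefixes and packets are constructed, using documentation address ranges.

```python
from ipaddress import ip_address, ip_network

# Constructed table (assumption): prefixes an ISP assigned to each customer port.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("192.0.2.0/25")],
    "cust-b": [ip_network("192.0.2.128/25"), ip_network("198.51.100.0/24")],
}

# Constructed one-way UDP datagrams arriving at the ISP edge:
# (customer port, claimed source IP, destination IP, destination UDP port).
PACKETS = [
    ("cust-a", "192.0.2.17", "203.0.113.5", 1026),     # honest source
    ("cust-a", "198.51.100.9", "203.0.113.5", 1026),   # claims cust-b's address
    ("cust-b", "198.51.100.9", "203.0.113.5", 1027),   # honest source
    ("cust-b", "203.0.113.200", "203.0.113.5", 1026),  # claims an outside address
]

def ingress_permit(port, claimed_src):
    """Source-address validation: accept only sources inside the
    prefixes assigned to the port the packet arrived on."""
    src = ip_address(claimed_src)
    return any(src in net for net in CUSTOMER_PREFIXES.get(port, []))

def sources_seen_by_receiver(packets, edge_filtering):
    """Return the source IPs the destination host would log.

    A single UDP datagram needs no reply, so the receiver has only the
    claimed source; nothing in it records the port it entered on.
    """
    seen = []
    for port, claimed_src, _dst, _dport in packets:
        if edge_filtering and not ingress_permit(port, claimed_src):
            continue  # dropped at the originating ISP's edge
        seen.append(claimed_src)
    return seen

def dropped_at_edge(packets):
    """(port, claimed source) pairs the filter rejects, for the ISP's own logs."""
    return [(p, s) for p, s, _d, _dp in packets if not ingress_permit(p, s)]

if __name__ == "__main__":
    print("no edge filter:", sources_seen_by_receiver(PACKETS, False))
    print("edge filter   :", sources_seen_by_receiver(PACKETS, True))
    print("dropped       :", dropped_at_edge(PACKETS))
```

Only the network the packets enter through can apply this check; the owner of the claimed address never sees the traffic.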
 
David

If you sniff the packets they are from spammers exploiting the messenger
service to sell software that blocks the messenger service spam. I even saw
one which offers free software but if you look at the EULA on the website it
is the same as what you would see attached to spyware. You would have to
have the stones to actually install this stuff and track it from behind a
proxy or do some sniffing to see what they are actually trying to pull. Not
something I'm willing to do. Anyhow it looks a lot like racketeering to me,
actually just more along the lines of deceptive trade practices. Then again
there are plenty of lawyers in the world who would call it legitimate
advertising.

The application data of the packets has the DNS addresses of the websites
which are in one way or another obviously related to this, whether the
origin IP address is being spoofed or not. I suspect it is spoofed because
although some of the websites are definitely related to each other, they
don't all appear to be.

It's quite easy to get the information about who is responsible for these
websites and which ISPs are hosting them. The question is whether it is
worth the effort to try to get them shut down.
 