The issue with this service was spam, rather than malware per se, I believe.
However, spam can include malicious URLs--but I think this is a pure text
service, and the URLs would not be clickable--but it has been a long time
since I saw a message sent via this mechanism.
Microsoft's security auditing tools--MBSA 2.1, for example--I believe
continue to recommend disabling this service. On the other hand, I know
that tools from, for example, Dell and APC and various backup vendors
continue to provide tools using such broadcasts to let users or admins know
of alerts of various sorts.
My own sense of this is that the service is not a security vulnerability,
except in the sense that spam might be such.
If your network is properly firewalled at the perimeter you should not see
messenger spam from the Internet.
This article has a good description of the issue:
http://www.spywareguide.com/txt_messengerspam.php
The ports used by this service should not be open to the outside world. If
they are, you have much bigger problems than just messenger spam.
So, although my own knee-jerk reaction is to keep this service disabled, I
think that may be unnecessary in properly protected networks these days.
The ports needed should not be open even in the least expensive home router.
This was an issue quite a while ago, and networking was quite different
then--the home NAT/router devices that are ubiquitous now were rare then.
The software allowing you to generate such spam is probably still out there,
and there were situations in networks where the spam was generated in-house.
This could happen again.
As with many details of security, it is a balancing act. I have some
sympathy with the need for admins to be able to use such broadcasts.
There was also third-party software written to replace this mechanism--some
with cost, some freeware. I don't recall the names of any of these
packages, and haven't researched them lately.
The search term I used to Google up the citation above was "messenger
service spam". I suspect that a search on "messenger service replacement"
might yield some links.
Thanks for the trip down memory lane--I think this is indeed a relevant
question even now. I think I'll go look at my Server 2008 install and see
if the messenger service is in there. I suspect it will be, but disabled by
default.