Don't know if this is related to spam or not... This morning I logged onto the NT4 server where we
host both our web and mail server. Immediately noticed a Messenger Service box (like you get with
"net send" from the DOS prompt) containing a typical spam message (edited): "From our Research Dept ...
Work From Home ... Type this address in your browser ..."
This is what some people are calling "pop-up ads" (which unfortunately is exactly the same term used for new web browser windows that "pop up").
This should only be possible for the spammer to accomplish if you are not running a firewall (or have one set up so that anyone can access ports 137/138/139).
First I went into the Task Manager where I confirmed it really was the Messenger Service (csrss) being
used. Then I made sure the service executable had not been modified. Then I ran F-Prot to make sure
there were no known viruses. Then I ran a tracert on the IP address mentioned in the spam. Then I
checked the event log, but it didn't have any relevant entries. Then I ran a recent Critical Update
from the Microsoft site, just in case it applied to what I was seeing. I rebooted and the message is
gone, but I don't know how they got in. There are only a few accounts on this server. IUSR and IWAM,
administrator, myself and my boss, and a special account for FTP access. Any ideas?
No virus, no vulnerability, no funny stuff. Just a firewall that isn't doing its job. Those messages can *only* be sent if the Internet can send NetBIOS messages to your computers (which normally should *not* be allowed).
-Scott
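
A quick way to check a server for the exposure described in the reply above, added here as an example and not part of the original thread: parse `netstat -an` output and list sockets on ports 137/138/139 that are bound to a non-loopback address. The function name and the sample output (using the documentation address 192.0.2.10) are constructed for illustration.

```python
import ipaddress

# Ports named in the reply: NetBIOS name, datagram and session services.
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         198.51.100.7:2301      ESTABLISHED
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

def exposed_netbios(netstat_text):
    """Return sorted (proto, address, port) for NetBIOS sockets on non-loopback addresses."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line or unrelated row
        proto, local = fields[0], fields[1]
        # TCP rows that are not LISTENING are existing connections, not listeners.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in NETBIOS_PORTS:
            continue
        try:
            if ipaddress.ip_address(host.strip("[]")).is_loopback:
                continue  # loopback-only sockets are not reachable from the network
        except ValueError:
            pass  # unparsable host such as "*": treat as bound to all interfaces
        findings.add((proto, host, int(port)))
    return sorted(findings)

if __name__ == "__main__":
    for proto, host, port in exposed_netbios(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port} is listening; make sure the firewall drops it from the Internet")
```

A listener in this list is only a problem if the perimeter firewall passes those ports from outside, so the output tells you which rules to verify rather than proving exposure on its own.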
