Yep. I know it's *similar* to 'net send'. The thing is that 'net send' typically starts off by trying to use port 139, connecting to the <03> NetBIOS name.
>From other messages I have received, I also understand that there is an MS-RPC call that handle's messaging. The spammers are using this RPC call because most folks know to block port 139. We have not had trouble with these pop-up messages where I work because we have been blocking port 135 for a while now. Thanks! Chris -)----- On Tue, Oct 29, 2002 at 12:19:50PM -0000, Gareth Davies wrote: > ---- Original Message ----- > From: "Christopher R. Hertel" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Monday, October 28, 2002 10:24 PM > Subject: RPC message service? > > > > A curious article: > > > > http://www.wired.com/news/technology/0,1282,55795,00.html > > > > It says that the Messenger Service Spammers are using port 135, which > > means that they're not using regular WinPOPUP stuff (the <03> names on > > port 139). I do, in fact, see connect attempts to port 135 in my home > > firewall logs. (I think they should be called slimewalls.) > > > > I'm guessing that they're doing something RPC-related that has, basically, > > the same effect. I'm just curious to know what it is... > <snip> > > They are they are using Windows messenger.. > > net send <ip address> "message goes here" > > AFAIK > > Shaolin - IT Systems > WB Ltd. > .: http://www.security-forums.com :. > -- Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)----- [EMAIL PROTECTED] OnLineBook -- http://ubiqx.org/cifs/ -)----- [EMAIL PROTECTED]