Hello,
Dornbierer Michael wrote:
Hello folks.
A few minutes ago I've had a customer calling
me for assistance with a new art of spam which
she received. It was a net send msgbox (Nachrichten
dienst) with a text like: Hi, remember me from the
chat last night? Now I got a picture online:
http://www.lucy.cc . Go visit.
We've received such spam a few days ago in our office
by using a Bluewin dialin port. IMHO the attack is
sending those net send messages through the
entire bluewin IP-range. The solution would be
to disable the net send services - Nachrichtendienst -
on the windows machine. However, we've a lot of
newbie customers.
My question is now: How can we fix this without
disabling the net send service on each machine
we sell?
Bluewin team, is there any way you could block such
messages?
Maybe or maybe not.
I'm glad Bluewin sees itself as an ISP, not an ISB (Internet Service
Blocker).
Should we block
- smb (ports 135-137)
- SNMP (as stated in other messages on this list the last days)
- SQL-Data (port 1234???) used by a worm compromising MS-SQL servers
- SMTP (many open relays)
- IRC (used for deploying trojans)
- ..
No, we shouldn't.
It would be a nice feature to let users use proxy-only Internet access
if they wish (transparent proxy)
or filter-on-demand, so our users can choose whether Bluewin blocks ports
for them.
Port Assignments:
Keyword  Decimal  Description
-------  -------  -----------
msp      18/tcp   Message Send Protocol
msp      18/udp   Message Send Protocol
Net send uses smb (netbios or whatever) in the port range 135-139
It seems these services are using port 18 to
send the message through.
http://www.iana.org/assignments/port-numbers
Any other ISP have experience with that spam problem?
Suggestions? Objections? Flames? YAY... :)
c't had an article about the problem end of last year, maybe you find it
on http://www.heise.de
I think there is a c't FAQ with a nice description in German.
Regards,
Guido Roeskens
Bluewin Hostmaster
Bluewin AG
--
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/