In-Reply-To: <[EMAIL PROTECTED]>

Thank you to those who took the time to provide some advice. On some further research I have discovered an answer to my question which I believe many on this list may find of interest [below].

>
>The gateway host of my small workgroup has just become
>a 'victim' of the recent spate of SPAM using the
>NetBIOS Messenger Service. However, I'm seeking advice
>on how it managed to get through what I thought was a
>reasonably secure gateway.
>
[snip]
>
>I have ZoneAlarm Pro installed on the gateway, which
>allows NetBIOS traffic over the 192.168.0.0/24 subnet
>but rejects NetBIOS traffic from any other IP. This
>rule is explicitly defined in the ZA Pro configuration,
>and appears to be working as the ZA Pro logs are full
>of rejected packets from internet IPs attempting to
>access NetBIOS ports on the host.
>

As it turns out, the SPAM was not using NetBIOS at all but rather coming through an RPC endpoint on udp/135 which is mapped by the Windows 2000 Services and Controller app (SERVICES.EXE). A detailed comparison of the two methods used by the Messenger Service is given at http://mynetwatchman.com/kb/security/articles/popupspam/netsend.htm .

So as it turns out, this was a misconfiguration of ZA Pro on my behalf, and in a way I'm happy this has happened as it has alerted me to the fact that I had some services installed on my gateway which were wide open to accepting traffic from the internet.

Given that I'm sure I'm not the only one in this boat, I will repeat the advice given at the above resource:

"Users with personal firewalls need to exercise extreme care when granting permissions to RPC-related executables (e.g. svchost.exe or services.exe). If you mistakenly give these applications full 'server' rights, then you may be susceptible to Messenger SPAM."
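
The misconfiguration described in the message above, as an added example that is not part of the original post: a Python check over firewall log lines that reports traffic accepted from outside 192.168.0.0/24 on the RPC endpoint-mapper port (135) or the NetBIOS ports. The log format, sample lines and function names are constructed for illustration and are not ZoneAlarm Pro's own.

```python
import ipaddress

# Trusted workgroup subnet, as stated in the post.
TRUSTED = ipaddress.ip_network("192.168.0.0/24")
# Ports over which the Messenger Service can be reached.
NETBIOS = {("udp", 137), ("udp", 138), ("tcp", 139)}
RPC_EPMAP = {("udp", 135), ("tcp", 135)}

# Constructed sample log (assumed format): ACTION PROTO SRC_IP DST_PORT PROGRAM
SAMPLE_LOG = """\
BLOCK udp 203.0.113.7 137 -
BLOCK tcp 198.51.100.20 139 -
ALLOW udp 192.168.0.12 137 -
ALLOW udp 203.0.113.7 135 services.exe
ALLOW tcp 192.168.0.12 135 services.exe
ALLOW udp 198.51.100.99 135 services.exe
this line is malformed and must be skipped
"""

def parse(line):
    """Return (action, proto, src, port, program), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[0] not in ("ALLOW", "BLOCK"):
        return None
    action, proto, src, port, program = parts
    try:
        return action, proto.lower(), ipaddress.ip_address(src), int(port), program
    except ValueError:
        return None

def exposed(log_text):
    """List accepted packets from untrusted sources on Messenger-reachable ports."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        action, proto, src, port, program = rec
        if action != "ALLOW" or src in TRUSTED:
            continue  # blocked, or from the local workgroup
        if (proto, port) in RPC_EPMAP:
            findings.append((str(src), proto, port, program, "rpc-endpoint"))
        elif (proto, port) in NETBIOS:
            findings.append((str(src), proto, port, program, "netbios"))
    return findings

if __name__ == "__main__":
    for finding in exposed(SAMPLE_LOG):
        print(finding)
```

On the sample, the NetBIOS rule blocks every outside source, yet two outside hosts are accepted on udp/135 through services.exe, which is the gap the message describes.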
