[lug] linux firewall, popup windows spam blocking

D. Stimits stimits at attbi.com
Sun Jun 22 15:19:06 MDT 2003


Geek Boi wrote:

> On Saturday 21 June 2003 01:39 pm, D. Stimits wrote:
>
> >It seems that www.byebyeads.com is illegally violating Colorado spam
> >laws (and probably newer national laws), and fraudulently claiming on
> >their web page that their spam is legal. They seem to believe this
> >because they are using the windows pop-up message service, rather than
> >email. I know because they caused an application to crash by popping up
> >such a message while an application was loading, and somehow managed to
> >break the screenshot mechanism at the same time.
> >
> >What I'm wondering is if anyone knows what I can block on my linux
> >firewall to block popups from other networks? Are these popups UDP or
> >TCP? What port or ports are used? I already have 137:139 blocked, and
> >some others. I even have zonealarm firewall on the windows machine
> >itself, but it still allowed this popup. I'd like to totally remove this
> >remote ability via the linux end, as nothing related to security on
> >windows can be trusted.
>
>
>
> Unless you have a specific need for the windows messenger service you should
> disable it on all boxen that can be reached from the internet.  On NT 4.0 you
> go to control panels, services.  In 2000 you go to computer manager and
> select services in the MMC window.  This is the mechanism by which they are
> spamming your windows Boxen.  I would turn it off and see if you can get the
> ups to generate an error message anyway.  Most applications do not use the
> messenger service to create your error messages unless you want them to
> "popup" on a different computer.

The UPS uses this to indicate and acknowledge power changes. I want to 
block it at the bridge level that blocks it to all machines on the 
internal net, but allows it between machines on the inside. There seems 
to be some confusion on just what port/protocol will stop it, as I have 
found a tcp and udp block of ports 135, 137, 138, and 139 is 
insufficient. Broadcast or non-udp/non-tcp is being used.

D. Stimits, stimits AT attbi DOT com



