ISPs are asked to block yet another port

http://www.lurhq.com/popup_spam.html

"LURHQ Corporation has observed traffic to large blocks of IP addresses on
udp port 1026. This traffic started around June 18, 2003 and has been
constant since that time. LURHQ analysts have determined that the source
of the traffic is spammers who have discovered that the Windows Messenger
service listens for connections on port 1026 as well as the more
widely-known port 135. Windows Messenger has been a target for spammers
since late last year, because it allows anonymous pop-up messages to be
displayed on any Windows system running the messenger service. Due to
widespread abuse, many ISPs have moved to block inbound traffic on udp
port 135. It appears the spammers have adapted, so ISPs are urged to block
udp port 1026 inbound as well."

How many ports should ISPs block? People still buy and connect insecure
computers to the net.

> http://www.lurhq.com/popup_spam.html
>
> "LURHQ Corporation has observed traffic to large blocks of IP addresses on
> udp port 1026. This traffic started around June 18, 2003 and has been
> constant since that time. LURHQ analysts have determined that the source
> of the traffic is spammers who have discovered that the Windows Messenger
> service listens for connections on port 1026 as well as the more
> widely-known port 135. Windows Messenger has been a target for spammers
> since late last year, because it allows anonymous pop-up messages to be
> displayed on any Windows system running the messenger service. Due to
> widespread abuse, many ISPs have moved to block inbound traffic on udp
> port 135. It appears the spammers have adapted, so ISPs are urged to block
> udp port 1026 inbound as well."
>
> How many ports should ISPs block? People still buy and connect insecure
> computers to the net.

Good point. In this case, stateless blocking of traffic to 1026/udp will
block several per cent of the responses to dns queries (in addition to
substantial other legitimate traffic). This is a denial of service for
your own customers.

Tony Rall

The description by LURHQ is misleading. Messenger is an RPC service. Typical pop-up spammers queried 135 (Windows RPC portmapper) to find the port number of the messenger service, then sent the message to that port. It turns out that messenger can "typically" be found on 1026.

And as was noted earlier, unconditionally blocking udp/1026 will cause
a lot of collateral damage when udp/1026 outbound is used as an ephemeral port for a legitimate UDP-based service (DNS, NTP, etc).

Jeff

It's been a long time since I did any substantial BSD-socket coding, but, back in the day, when you asked for socket 0 in a bind call, the OS would just pick one. The first (unused) one chosen would be 1024, then incrementally pick the next up to some limit where it would then circle around. Most clients (incl. DNS resolvers) would ask for port 0, so, well, y'all can predict the result if you were to filter any of the "user space" ports.
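As an added example (not code from this thread), the Python below models the point Tony Rall, Jeff and the post above make: a resolver asks bind() for port 0, the kernel picks the port, and a stateless inbound ACL on udp/1026 then drops the DNS answer whenever the chosen port happens to be 1026. A stateful filter that remembers the customer's own outbound query still passes that answer and still drops the unsolicited Messenger-style datagram. The addresses are constructed documentation-range values; `os_chosen_ports` binds real loopback sockets to show what the kernel picks on the machine you run it on.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A minimal UDP datagram header (constructed values, not captured traffic)."""
    src: str
    sport: int
    dst: str
    dport: int


def os_chosen_ports(count: int) -> list[int]:
    """Bind `count` UDP sockets to port 0 and return the ports the kernel picked.

    This is the bind()-to-port-0 behaviour described above: the caller never
    names a port, so any reply comes back to whatever the OS chose.
    """
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(count)]
    try:
        for s in socks:
            s.bind(("127.0.0.1", 0))
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


def stateless_inbound_filter(pkt: Packet, blocked_dports: set[int]) -> bool:
    """ISP-style stateless ACL: drop any inbound UDP whose destination port is listed."""
    return pkt.dport not in blocked_dports


class StatefulUdpFilter:
    """Tracks the customer's outbound UDP flows so replies to their own queries
    pass, while unsolicited inbound datagrams to blocked ports are dropped."""

    def __init__(self, blocked_dports):
        self.blocked = set(blocked_dports)
        self.flows = set()  # (customer_ip, customer_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> bool:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True  # reply to a query the customer actually sent
        return pkt.dport not in self.blocked


# Constructed endpoints (RFC 5737 documentation ranges).
CUSTOMER = "192.0.2.10"
RESOLVER = "198.51.100.53"
SPAMMER = "203.0.113.99"


def compare_filters(ephemeral_port: int = 1026) -> dict:
    """Run one DNS exchange plus one unsolicited pop-up datagram through both filters."""
    query = Packet(CUSTOMER, ephemeral_port, RESOLVER, 53)
    answer = Packet(RESOLVER, 53, CUSTOMER, ephemeral_port)
    popup = Packet(SPAMMER, 1026, CUSTOMER, 1026)  # unsolicited Messenger-style datagram

    stateful = StatefulUdpFilter({1026})
    stateful.outbound(query)
    return {
        "stateless_passes_dns_answer": stateless_inbound_filter(answer, {1026}),
        "stateless_passes_popup": stateless_inbound_filter(popup, {1026}),
        "stateful_passes_dns_answer": stateful.inbound(answer),
        "stateful_passes_popup": stateful.inbound(popup),
    }


if __name__ == "__main__":
    print("kernel-chosen ephemeral ports:", os_chosen_ports(3))
    for name, allowed in compare_filters().items():
        print(f"{name}: {allowed}")
```

The stateless rule cannot tell a DNS answer addressed to port 1026 from a pop-up addressed to port 1026, so it drops both; the flow-tracking filter keeps the answer and drops the pop-up, which is the distinction an inbound-only ACL at the ISP edge cannot make.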

Sean Donelan wrote:

> http://www.lurhq.com/popup_spam.html
>
> "LURHQ Corporation has observed traffic to large blocks of IP addresses on
> udp port 1026. [...]

  I haven't (yet) seen any scans of port 1026, but looking at my (home)
logs I have seen several with a fixed source port of 1026 (destination
of 137). Heh.

Peter E. Fry

ISPs could block all ports and save everyone the hassle of having an
Internet.... (I am just kidding of course)

Two interesting points though:

1) Spammers adapt
2) default insecure OS installs cause problems

Not new points, but interesting nonetheless. Spammers have adapted quite
quickly and readily to almost all 'fixes' imposed by providers and most
default OS installs are insecure still after all this time. With notable
exceptions most OS installs are still tailored for closed network
installs, lots of never to be used ports listening with old versions of
daemons installed :(

I think that many can learn from this.

  Instead of defaulting with everything enabled, default with the
services installed but disabled so they can be easily enabled. This
is fairly easy to do and something that has gradually changed in the
free UNIX(r) community over the past years.

  RedHat (for example) no longer enables every possible service
by default and requires you to enable these features to protect your
machine from being compromised by software you didn't know you had.

  Not every machine needs to run its own nameserver.

  While there are some services that are safe(er) to have enabled
by default as it improves the usability of the machine, some of
these things are just silly to be enabled on consumer (home) machines.

  I hope all the vendors out there get a clue on this and stop
enabling insecure methods of access by default. (eg: telnet)

  - Jared

chris@UU.NET ("Christopher L. Morrow") writes:

> ISPs could block all ports and save everyone the hassle of having an
> Internet.... (I am just kidding of course)
>
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

3) thoughtless reactionism at isp's does little good and sometimes some harm.

take for example port-25 blocking. i've been getting relayprobed all
weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
by sending their SYN's through a provider who shall remain nameless
(except that chris morrow happens to work there :-)) using at&t IP
source addresses. i guess they multihomed their host and bind()'d the
outbound socket to one interface even while making sure the routing
used a different interface. high rocket science? NOT.

so if you're going to block tcp/25 SYNs on outbound, please make sure
you block SYN/ACK's on input too, or else you just give the spammers a
little more work to do instead of a lot more work to do.

> 3) thoughtless reactionism at isp's does little good and sometimes some harm.
>
> take for example port-25 blocking. i've been getting relayprobed all
> weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
> by sending their SYN's through a provider who shall remain nameless
>
> ...
>
> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACK's on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

We used to provide dial-up ports to a large cut-rate dial provider who I'm
not going to name. Their reaction to such games was to send in their
radius auth packets data filters to block both outgoing to port 25 and
incoming from port 25.

There's nothing silly about restricting use of tcp/25 for dial-ups and
other dynamics...you just have to do it right to be 100% effective.

chris@UU.NET ("Christopher L. Morrow") writes:

> ISPs could block all ports and save everyone the hassle of having an
> Internet.... (I am just kidding of course)
>
> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

> 3) thoughtless reactionism at isp's does little good and sometimes some harm.

indeed it does... breaking the network with acls often gets me in trouble
:) Really, there are always better solutions than mass filtering something
like this.

> take for example port-25 blocking. i've been getting relayprobed all
> weekend by someone who gets around outbound at&t's tcp/25 SYN blocking
> by sending their SYN's through a provider who shall remain nameless
> (except that chris morrow happens to work there :-)) using at&t IP
> source addresses. i guess they multihomed their host and bind()'d the
> outbound socket to one interface even while making sure the routing
> used a different interface. high rocket science? NOT.

This is what our abuse team, at least, calls 'fantasy mail'. There is a fix
for it, port 25 in and out filtering for radius customers. The 'problem'
as I understand it, is that the change would be a contract change so it
has to wait for expiration of said contract to be enforced... :( It's a
sucky world sometimes. Perhaps Paul complained to
ATT/<other-unnamed-provider> with logs and such? :)

> so if you're going to block tcp/25 SYNs on outbound, please make sure
> you block SYN/ACK's on input too, or else you just give the spammers a
> little more work to do instead of a lot more work to do.

Yup, this is in the works also... and yes, someone realized quickly enough
that the one-way filtering was dumb. oh well. live and learn!

Christopher L. Morrow wrote:

> This is what our abuse team, at least, calls 'fantasy mail'. There is a fix
> for it, port 25 in and out filtering for radius customers. The 'problem'
> as I understand it, is that the change would be a contract change so it
> has to wait for expiration of said contract to be enforced... :( It's a
> sucky world sometimes. Perhaps Paul complained to
> ATT/<other-unnamed-provider> with logs and such? :)

There is another fix for it. If neither provider allowed spoofing, then the individual couldn't send spoofed packets out one way and allow the syn/ack back via the other. Of course, there are better reasons for spoof protection ingress/egress than a little port 25 traffic.

-Jack

jbates@brightok.net (Jack Bates) writes:

> There is another fix for it. If neither provider allowed spoofing, then
> the individual couldn't send spoofed packets out one way and allow the
> syn/ack back via the other. Of course, there are better reasons for
> spoof protection ingress/egress than a little port 25 traffic.

until the larger isp's start writing BCP38 conformance into both their
peering agreements AND their customer agreements, we're not going to see
any improvements in source address authenticity. see also ICANN SAC004
(http://www.icann.org/committees/security/sac004.txt).
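The asymmetric path Paul describes, and the two fixes proposed for it (blocking SYN/ACK from port 25 on input as well as SYN to port 25 on output, and BCP38-style ingress filtering at whichever provider carries the outbound SYN), can be checked against each other in a small filter-policy model. The Python below is an added example, not code from this thread; the prefixes, addresses and the `IspPolicy` flags are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class TcpPacket:
    """Minimal TCP header view (constructed values, not captured traffic)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK"}


SYN = frozenset({"SYN"})
SYNACK = frozenset({"SYN", "ACK"})

# Constructed topology: the customer's address belongs to ISP A's prefix, but the
# multihomed host can also hand packets to ISP B. Replies always route back to
# the address owner, i.e. through ISP A.
ISP_A_PREFIX = ip_network("192.0.2.0/24")
ISP_B_PREFIX = ip_network("198.51.100.0/24")
CUSTOMER = "192.0.2.77"
MAIL_SERVER = "203.0.113.25"


@dataclass
class IspPolicy:
    """Edge filters an ISP may apply to a customer port."""
    prefix: IPv4Network
    block_outbound_syn_25: bool = False        # the one-way filter Paul was probed through
    block_inbound_synack_from_25: bool = False  # Paul's suggested complement
    bcp38_ingress: bool = False                 # Jack's "neither provider allows spoofing"

    def allow_outbound(self, pkt: TcpPacket) -> bool:
        if self.bcp38_ingress and ip_address(pkt.src) not in self.prefix:
            return False  # source address was not assigned by this ISP: drop
        if self.block_outbound_syn_25 and pkt.dport == 25 and pkt.flags == SYN:
            return False
        return True

    def allow_inbound(self, pkt: TcpPacket) -> bool:
        if self.block_inbound_synack_from_25 and pkt.sport == 25 and pkt.flags == SYNACK:
            return False
        return True


def handshake_completes(outbound_isp: IspPolicy, return_isp: IspPolicy) -> bool:
    """Send the SYN through outbound_isp; the SYN/ACK comes back through return_isp.

    Only the first two handshake segments are modelled, because that is where
    the filters act; if the SYN/ACK reaches the customer the session proceeds.
    """
    syn = TcpPacket(CUSTOMER, 40000, MAIL_SERVER, 25, SYN)
    if not outbound_isp.allow_outbound(syn):
        return False
    synack = TcpPacket(MAIL_SERVER, 25, CUSTOMER, 40000, SYNACK)
    return return_isp.allow_inbound(synack)


def evaluate_policies() -> dict:
    """Compare the filter combinations discussed in the thread."""
    one_way = IspPolicy(ISP_A_PREFIX, block_outbound_syn_25=True)
    both_ways = IspPolicy(ISP_A_PREFIX, block_outbound_syn_25=True,
                          block_inbound_synack_from_25=True)
    lax_b = IspPolicy(ISP_B_PREFIX)
    bcp38_b = IspPolicy(ISP_B_PREFIX, bcp38_ingress=True)
    return {
        "direct_via_A_one_way_filter": handshake_completes(one_way, one_way),
        "via_B_one_way_filter_at_A": handshake_completes(lax_b, one_way),
        "via_B_two_way_filter_at_A": handshake_completes(lax_b, both_ways),
        "via_B_bcp38_at_B": handshake_completes(bcp38_b, one_way),
    }


if __name__ == "__main__":
    for name, completed in evaluate_policies().items():
        print(f"{name}: {'session opens' if completed else 'blocked'}")
```

The second line of output is the gap Paul hit: the outbound-only filter at A never sees the SYN, and the SYN/ACK routed back to A's prefix is not checked. Either of the other two policies closes it, and the BCP38 one does so without any port-specific rule at all, which is why Jack calls spoof protection the better reason.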

* chris@UU.NET (Christopher L. Morrow) [Mon 23 Jun 2003, 18:01 CEST]:
[..]

> Two interesting points though:
>
> 1) Spammers adapt
> 2) default insecure OS installs cause problems

Employees of XS4ALL, a Dutch ISP, today held several talks about a
variety of subjects for its customers to celebrate its 10th anniversary.
One of the talks was about security in general, held by Scott McIntyre.
Hopefully he'll have the slides on soon because it was an excellent
talk, in which he touched upon several subjects mentioned in this thread
(spammers, trojans, viruses, default installations being vulnerable,
that port blocking is not a solution at all).

I'll post a URL when it becomes available.

Regards,

  -- Niels.

Sweet, too many people just don't take security very seriously :( It's a
shame really, security only seems to matter when the sky is falling, it's
not taken as a daily necessity.

-Chris