Several months ago, I stopped by the office of one of my clients to perform a server health check. The client’s server farm includes a Web server that's used primarily by internal network users. Through RRAS and a small amount of subterfuge on the firewall, I permit selected users to connect to the Web server over the Internet. Because the Web server has a public internal address (10.1.1.x) and I translate external requests made to a registered address to the internal, public address, I thought the server was invisible to all but carefully screened HTTP requests. So, imagine my surprise that day when I found a message from the “Psychic Network” or some such organization in the middle of the Web server’s screen. These messages are a form of spam known as “messenger spam.” In spite of all the care I exercised in locking down the Web server (disabling nonessential services and using port redirection to mask the address of the server), I overlooked one small item--the Messenger service.
Let me clarify that this discussion concerns the native Messenger service in Windows XP, Windows 2000, and Windows NT platforms. Although Microsoft uses the term "messenger" to refer to several different incarnations of Instant Messaging (IM), the Messenger service refers here only to the native OS service, not to Windows Messenger or the MSN Messenger utilities that, in the process of supporting Internet messaging, generate endless streams of Universal Plug and Play (UPnP) traffic.
The Messenger service manages messages you configure as administrative alerts in Performance Monitor, messages that signal your print job is done, and status messages from the UPS service. Many popular antivirus programs also use the Messenger service to inform you about virus detection and prevention activities. In addition, Administrators can use the Net Send command to send a message regarding scheduled maintenance or restoration of services to an individual, a group of users, or all users in a domain. On terminal servers, the Msg command performs a similar function. Users with access to a command prompt can use the Net Send command to communicate with each other. Systems can send and receive these text-based messages only when the Messenger service is running. You can use the Net Name command to display the names your system has registered as able to receive Messenger messages; similarly, you can remove one or more of these registered names by typing
net name
or
net name
When the Messenger service isn't running, messages don't appear on the screen, and you're unaware that the message was ever sent. Because the Messenger service can't guarantee that messages will actually be received and has no message-receipt confirmation method, few sites rely on this form of communication.
So, how can you prevent unsolicited pop-up messages from appearing on your system? The easiest method is to simply stop and permanently disable the Messenger service. Depending on your system’s configuration, you might need to log on with an Administrative account to disable the service. Open Control Panel, Administrative Tools, and double-click the Services applet. Locate and double-click the Messenger service. Change the Startup type from Automatic to Disabled, and click Stop. If you stop the service and don’t adjust the startup type, the Messenger service will start automatically the next time you reboot. Keep in mind that when you disable the Messenger service, you'll no longer receive messages about an attached UPS, and you won’t be notified of print job completion, performance alerts, or antivirus activity. If you don’t rely on such messages for monitoring purposes, this alternative is fast and easy.
The more complicated method requires installing and configuring a firewall—the native Internet Connection Firewall (ICF) in XP or a third-party version for Win2K systems. This approach is the smart choice when you have a system that's directly connected to the Internet and thus is more likely to encounter messenger spam. The Messenger service uses NetBIOS (WINS) user or computer names to communicate with other systems. If your system doesn't accept incoming traffic on NetBIOS ports, the messages will never arrive, even when the Messenger service is running. Disabling inbound traffic on NetBIOS ports is standard practice because NetBIOS is highly susceptible to security breaches and intrusion activity; most firewalls disable this type of traffic automatically.
To disable receipt of messenger pop-ups, verify that your firewall disables inbound traffic on UDP ports 135, 137, and 138, and TCP ports 135 and 139. On a system connected directly to the Internet, you should also disable inbound traffic on TCP port 445. If the system you want to protect is part of a Win2K-based network with Active Directory (AD), don't block incoming traffic on port 445; the Microsoft Directory Service (DS) uses this port for directory-based communication. If you’re new to XP's ICF, the following Microsoft articles contain some good hints and tips: "HOW TO: Enable or Disable Internet Connection Firewall in Windows XP," (http://support.microsoft.com/?kbid=283673), "How to Manually Open Ports in Internet Connection Firewall in Windows XP," (http://support.microsoft.com/?kbid=308127), and "Description of the Windows XP Internet Connection Firewall" (http://support.microsoft.com/?kbid=320855).
Keep in mind that you can use the firewall approach only if your system doesn't communicate with legacy systems that rely on NetBIOS name resolution to locate machines and shared resources. If, for example, you let users running Windows 9x share your printer or scanner, when you disable inbound NetBIOS traffic, users won't be able to connect to these shared resources. Regardless of the method you choose, you can stop messenger spam.
