General

Fighting IM Spam

ISPs look to cope with a rash of new IM-based unsolicited ads, while Microsoft works to ensure users don't blame its Windows Messenger or MSN Messenger products.

by Christopher Saunders of instantmessagingplanet.com [December 16, 2002]

ISPs are stepping up their efforts to curb a fairly recent invasion of their users' attention and privacy—pop-up spam messages.

The messages are delivered to users with open NetBIOS TCP ports and the Remote Procedure Call (RPC) service running. Intended to transmit "net send" and "Alerter" service messages—person-to-person instant messages, updates from print jobs, a broadcast announcement by a system admin, or when an uninterruptible power supply activates—the ports are open and the messaging service is active in Microsoft Windows by default. (If turned off, applications that depend on the service could malfunction, according to Microsoft.)

While the problem is solved easily enough in Windows 2000, NT, and XP—by installing a firewall, or by ignoring Microsoft's warnings to turn off NetBIOS support—it's been a vulnerability for years, in the sense that the OS has supported the messaging technology and set the ports open by default since Windows NT 3.1's release in 1992.

Spammers, however, began using the loopholes in earnest only since last year, preying on novice or careless Internet users. The spammers' software—marketed by firms including Direct Advertiser, SlySender, and RocketPipe—works by pinging the NetBIOS ports of different IP addresses, looking for Internet-connected Windows PCs that have an open port.

"It's a tool that network administrators would typically use to send out a broadcast message to users on their network," said Larry Grothaus, product manager for Microsoft's MSN Messenger. "It's been a part of the [Windows] product for a long time. Unfortunately, some of the people who generate spam on the Internet are trying to exploit it."

Some ISPs, like AT&T Broadband, already filter for the vulnerable ports at their level. Last month, the nation's largest ISP, America Online, also said it would follow suit. Other major players, like MSN, said they would look into blocking the vulnerable ports as well.

AOL said it moved on the problem in response to user complaints.

"The collaboration we have is ongoing with our members on issues relating to spam reporting is really critical ... and allows us to stay abreast of latest, greatest iterations of spam that are out there," said spokesman Nicholas Graham. "The philosophy that guides us in terms of our spam fighting is that we operate on member feedback, and when our members tell us they're getting a large number of messages from a particular site, we'll go after it. We believe that makes for a better online experience, because they'll be getting less spam."

Not surprisingly, the individuals behind the messages see the situation quite differently.

Because it's not over e-mail, "me sending my messages to you isn't spam," said one of the software products' developers, speaking on condition of anonymity. While that might be debatable, the developer went on to add that he is free from guilt, and that his product is "protected" from legal action from ISPs and consumers.

"They've made a decision to leave those ports open ... [and] because ultimately, I'm not responsible for [his customers'] actions, although I have notices in my literature encouraging them to not send spam," he said.

The problem is particularly prickly for Microsoft, which is working to ensure that consumers understand the origin of the messages and can close the open ports. If consumers are uncertain about where the messages originate, they could wind up uninstalling Windows Messenger or MSN Messenger in trying to stop them.

Indeed, the controversial service is unrelated to both of those products, which are central to Microsoft's messaging strategy. Instead, the NetBIOS spam feature seems easily confused with the other services (not to mention the .NET Messenger Service, which users must log into for Internet instant messaging via MSN Messenger) because its messages pop-up with the title "Messenger Service."

As a result, spammed Web users have posted numerous messages in Microsoft's public forum asking how to disable Windows Messenger.

"It's kind of sticky in terms of making sure people know what is actually delivering the messages," said MSN's Grothaus. "We're just trying to let people know it's not associated with Windows Messenger or the .NET Messenger Service, and ... that there are some pretty easy ways to block it and that it's not malicious."

While maintaining that the risk, beyond annoyance, is generally low for users, Microsoft does warn on its site that a user might be able to use the NetBIOS connection to consumers' computer to access stored information, initiate a denial of service attack, or appropriate space on the PC's hard drive.

—End