Messenger Service:

The messenger service transmits "net send" and Alerter messenger service messages between clients and servers. This messenger service is not related to Windows Messenger Service. If this messenger service is stopped, Alerter messages will not be transmitted. If this messenger service is disabled, any services that explicitly depend on it will fail to start.

What is this messenger service and why is it spam?

The easiest way to explain the messenger service is to show you the ethical and non-ethical ways of using the messenger service. The ethical use turns the messenger service into a handy tool for system administrators. They can monitor servers and send out status pop-ups if a problem occurs. See an example by clicking here.

The non-ethical use of the messenger service turns it into an untraceable spam tool. As you can see in this example, the sender has changed the computer name to "VirusScan." This fools the end user into believing it is a message from his or her antivirus program. The message also refers the user to a website, and as you can probably guess, it's not an antivirus website.

The problem here is that anyone can send messages through the messenger service, not just system administrators. The command to send a message is called "net send" and can be executed from the command prompt with the following syntax.

The Windows Messenger service allows programs to inform a computer's operator of an event. For example, printer software may use it to pop up print job status and anti-virus software may use it to pop up virus warnings. The trouble lies in that it also allows programs running on other computers to do the same thing without any restrictions or authentication. While this may be useful in some environments, it is also easily exploited and abused. Why people waited until now to start exploiting the feature is not known. It has been available since Windows NT and is enabled on every shipping Windows 2000 and XP computer. Perhaps nobody until now has discovered how to be so rude.

Several people have suggested that the recipients of these messages are at fault for not having a firewall. This suggests that the Messenger service is inappropriate, unreliable, or unsafe in some way, making its exposure to a network risky. One has to wonder why network access to such a service is enabled by default on every shipping Windows computer when a large percentage of them will almost assuredly be connected to the Internet... many as "personal" computers.

Computers shipping with unnecessary services that leave network doors open have been causing harm on the Internet for some time. Several of these services have been found to have serious security defects. This results in systems that are freshly installed from CDs being vulnerable as soon as they are connected to the network. Some are exploited within minutes. While, at present, no such defects in the Messenger service are known to exist, the current harassment activity should be lesson enough for all vendors: don't ship systems with unnecessary network doors open, particularly on consumer computers.

The Center For Internet Security recommends disabling the Messenger service in its Windows 2000 Level I and Level II benchmarks.
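One way to act on the recommendation to disable the service, as an added example that is not part of the original page: the function reports the service's state, lists the services that depend on it (which will fail to start afterwards), and only makes changes when asked. It assumes Windows PowerShell run as an administrator on the local machine; the function name `Disable-MessengerService` and the `-Apply` switch are names made up for this example.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell,
# local machine, administrator rights. "Messenger" is the service's short name.
function Disable-MessengerService {
    param(
        [switch]$Apply   # hypothetical switch: without it the function only reports
    )

    # Win32_Service exposes both the run state and the start mode.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
    if (-not $svc) {
        Write-Output "Messenger service is not installed on this system."
        return
    }
    Write-Output "Messenger: State=$($svc.State) StartMode=$($svc.StartMode)"

    # Services that explicitly depend on Messenger will fail to start once
    # it is disabled, so list them before changing anything.
    $dependents = (Get-Service -Name Messenger).DependentServices
    foreach ($d in $dependents) {
        Write-Output "  depends on Messenger: $($d.Name) ($($d.Status))"
    }

    if (-not $Apply) {
        Write-Output "Report only. Re-run with -Apply to stop and disable."
        return
    }

    # Stop the running service first; WMI returns 0 on success.
    if ($svc.State -eq 'Running') {
        $r = $svc.StopService()
        if ($r.ReturnValue -ne 0) {
            Write-Warning "StopService returned $($r.ReturnValue)"
        }
    }

    # Disable it so it does not come back at the next boot.
    $r = $svc.ChangeStartMode('Disabled')
    if ($r.ReturnValue -ne 0) {
        Write-Warning "ChangeStartMode returned $($r.ReturnValue)"
    }

    # Re-read the service and show the resulting state.
    $after = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"
    Write-Output "Messenger now: State=$($after.State) StartMode=$($after.StartMode)"
}
```

Run `Disable-MessengerService` first to review the dependents, then `Disable-MessengerService -Apply` to make the change.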
© 2002-2003 Stop Messenger Spam, All Rights Reserved