ISPs are asked to block yet another port
Tony Rall
trall at almaden.ibm.com
Mon Jun 23 06:16:50 UTC 2003
On Monday, 2003-06-23 at 01:59 AST, Sean Donelan <sean at donelan.com> wrote:
> http://www.lurhq.com/popup_spam.html
>
> "LURHQ Corporation has observed traffic to large blocks of IP addresses
on
> udp port 1026. This traffic started around June 18, 2003 and has been
> constant since that time. LURHQ analysts have determined that the source
> of the traffic is spammers who have discovered that the Windows
Messenger
> service listens for connections on port 1026 as well as the more
> widely-known port 135. Windows Messenger has been a target for spammers
> since late last year, because it allows anonymous pop-up messages to be
> displayed on any Windows system running the messenger service. Due to
> widespread abuse, many ISPs have moved to block inbound traffic on udp
> port 135. It appears the spammers have adapted, so ISPs are urged to
block
> udp port 1026 inbound as well."
>
>
> How many ports should ISPs block? People still buy and connect insecure
> computers to the net.
Good point. In this case, stateless blocking of traffic to 1026/udp will
block several per cent of the responses to dns queries (in addition to
substantial other legitimate traffic). This is a denial of service for
your own customers.
Tony Rall
More information about the NANOG
mailing list