Re: ISPs are asked to block yet another port

[Tony Rall <trall () almaden ibm com>]

On Monday, 2003-06-23 at 01:59 AST, Sean Donelan <sean () donelan com> wrote:
> http://www.lurhq.com/popup_spam.html
>
> "LURHQ Corporation has observed traffic to large blocks of IP addresses 
on
> udp port 1026. This traffic started around June 18, 2003 and has been
> constant since that time. LURHQ analysts have determined that the source
> of the traffic is spammers who have discovered that the Windows 
Messenger
> service listens for connections on port 1026 as well as the more
> widely-known port 135. Windows Messenger has been a target for spammers
> since late last year, because it allows anonymous pop-up messages to be
> displayed on any Windows system running the messenger service. Due to
> widespread abuse, many ISPs have moved to block inbound traffic on udp
> port 135. It appears the spammers have adapted, so ISPs are urged to 
block
> udp port 1026 inbound as well."
>
>
> How many ports should ISPs block?  People still buy and connect insecure
> computers to the net.

Good point.  In this case, stateless blocking of traffic to 1026/udp will 
block several per cent of the responses to dns queries (in addition to 
substantial other legitimate traffic).  This is a denial of service for 
your own customers.

Tony Rall