[59271] in North American Network Operators' Group
Re: ISPs are asked to block yet another port
daemon@ATHENA.MIT.EDU (Jeff Kell)
Mon Jun 23 03:16:24 2003
Date: Mon, 23 Jun 2003 02:58:56 -0400
From: Jeff Kell <jeff-kell@utc.edu>
To: nanog list <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
The description by LURHQ is misleading. Messenger is an RPC service.
Typical pop-up spammers queried 135 (Windows RPC portmapper) to find the
port number of the messenger service, then sent the message to that
port. It turns out that messenger can "typically" be found on 1026.
And as was noted earlier, unconditionally blocking udp/1026 will cause
a lot of collateral damage when udp/1026 outbound is used as an
ephemeral port for a legitimate UDP-based service (DNS, NTP, etc).
Jeff
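
The collateral damage described in the message above, as an added example that is not part of the original post: a small filter model run over constructed packets, comparing an unconditional udp/1026 block with a filter that only drops unsolicited inbound traffic to that port. The addresses, the packet list and the stateful comparison are assumptions made for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "direction src sport dst dport note")

# Constructed sample traffic (documentation address ranges, not real hosts).
CLIENT = "192.0.2.10"
PACKETS = [
    Pkt("out", CLIENT, 1026, "198.51.100.53", 53, "DNS query from ephemeral port 1026"),
    Pkt("in", "198.51.100.53", 53, CLIENT, 1026, "DNS reply"),
    Pkt("out", CLIENT, 1026, "198.51.100.123", 123, "NTP request from ephemeral port 1026"),
    Pkt("in", "198.51.100.123", 123, CLIENT, 1026, "NTP reply"),
    Pkt("in", "203.0.113.77", 40000, CLIENT, 1026, "unsolicited Messenger pop-up"),
]


def stateless_block(packets, port=1026):
    """Unconditional rule: drop any UDP packet with `port` as source or destination."""
    return [p.note for p in packets if port in (p.sport, p.dport)]


def stateful_block(packets, port=1026):
    """Drop inbound packets to `port` only when no matching outbound flow was seen."""
    seen = set()      # (src, sport, dst, dport) of outbound packets
    dropped = []
    for p in packets:
        if p.direction == "out":
            seen.add((p.src, p.sport, p.dst, p.dport))
        elif p.dport == port and (p.dst, p.dport, p.src, p.sport) not in seen:
            dropped.append(p.note)
    return dropped


if __name__ == "__main__":
    print("unconditional block drops:")
    for note in stateless_block(PACKETS):
        print("  ", note)
    print("stateful filter drops:")
    for note in stateful_block(PACKETS):
        print("  ", note)
```

The unconditional rule drops the client's own DNS and NTP exchanges along with the pop-up, which is the collateral damage the message warns about.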