Messenger advertisements are annoying

After reading the newbie guidelines and tutorials I’m a bit paranoid to ask my first question.

Well here goes: -

It’s about spamming programs that use the net send command: -

Is it possible to find out the ip address from the sender or am I missing something obvious?

I know you can disable the messenger service to stop these but that’s not the point. I can’t seem to find any info about tracing the ip from the source. On the message it only displays the ‘so called’ host name and message. I am trying to find out the ip of the source. I believe there are programs out there that manage mass messaging, that are supposed to give out a bogus pc id and ip. Although there are quite a few arguments in the forums about anonymity on the internet most that I have read say tracing is always possible.

There seem so many different network monitoring tools out there. Can someone recommend a good one for me to start with?

Thanks in advance.

Why not log all incoming on port 139?
there are a lot of programs wich displays/log what and when, when it comes to ports...
Active Ports, does not have a log, but displays nice stats ;)

yes it is possible to trace if you have something to go on and like Vigge said there are many programs out their that log traffic. its also a fact that you should have a firewall. so get something like zonealarm.

I would say that you are best off to just uninstall MSN Messenger.

If you are running Windows XP, Messenger can be easily uninstalled by running the following command, from Start and then Run:


RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\msmsgs.inf,BLC.Remove

You will also need to disable the Messenger Service.
You may also want to refer to the following website:

Stop Messenger Spam, windows MSN pop-up spam

Would using Trillian help?

This isnt about MSN Messenger, this has to do with the Net Send (Alerter) command on windows systems.
Example: c:\net send ip-addy message.

shot_gun_stu: Logging port 139 is the only way I know. But there is just one problem with doing so... If you are on a LAN (like school), there is a LOT of legitimate traffic on port 139...along with all of the other ports, normal broadcast messages, etc...

Just recently, my school was "bombed" with these messages. The person who did so had the nerve to use part of the name of one of the web-servers on the LAN to throw everyone off. After that, I had Ethereal setup, but at first it was logging ALL incomming data. I had 100+ packets a second - obviously not something that would make it easy to search through a week later when it might happen again. I was later able to get it to log port 139 data, but I still had to deal with about a packet a minute. The computer was on for several days, and no other messages were tracked. However, I had about 5,000+ packets that were to port 139. Luckily, filtering came in handy to only show the net-send messages (there were none).

You might think that using Ethereal to find these and get the IP are handy, but there is on major problem on a LAN like schools, etc... It eats up a LOT of power, and eventually HDD space if not configured properly. I typically had 10-20% CPU power used by Ethereal on my webserver (whose partial name was used) and it was a P4 1.6GHz system, but with 128MB RAM... Even with all of that..., I have NOT found out who sent the message because I wasn't prepared for it before-hand... And there haven't been many messages after that, so I stopped using my time to search for them.

I hope that helps sheds some insight...


-Tim_axe

Many thanks for your replies.

Vigge, tried the Active Ports and liked it, thanks.

Tedob1, I had Zone Alarm but had problems with my internet connection sharing on my LAN (even when closed). I’m currently using the Internet Connection Firewall that comes with xp. Not to sure how it compares to Zone Alarm though.

Tim_axe. I think I’ll try Ethereal as I’m only running a small LAN.

I’ll be honest with you, I need to read up a bit more about ports and the services that run on them, so if anyone can recommend a good tutorial :)

This thread has run its course and I am coming late to the party, but I wanted to put my $.02 in. I agree that one of the easiest things to do would be to disable the Messenger Service if you have no need for it or block port 139 if you are only looking to stop the pop-up messages. One of the selling points to the spammers is the ability to send spam messages to you while remaining "virtually" untraceable. But, you can set up some sort of filter or logging to log traffic incoming on port 139 to try and identify the source.

Hmmm, I would suggest reading the logs on the machine, they would include the sender's ip or host name. After that you do want to capture traffic on your network, but your can keep it simple by filtering traffic to the specific protocol or port number.


PuRe

If you are using hotmail, go to the options, then mail display settings, then set the very last thing on the list to advanced. This will give you the senders ip address.

Hope this helps.

Backtrails

Riiiiight....um...ok....I posted the TOTALY wrong answer.....nerver mind... :rolleyes:
- Noia

I too am late, and it seems a lot of great advice. But I would feel distraught if I didn't toss in my own fav. firewall which I use quit a bit for logs "sygate firewall" personal version is free

I'm going to get smacked. I just know it, already posted a reply in the wrong thread. But I would like to suggest "sygate firewall" as a option to zonealarm. I have had no troubles with it on XP. Great log info