[lug] linux firewall, popup windows spam blocking

D. Stimits stimits at attbi.com
Tue Jun 24 00:03:11 MDT 2003

Brian Stiff wrote:

> >>> What I'm wondering is if anyone knows what I can block on my linux
> >>> firewall to block popups from other networks? Are these popups UDP or
> >>> TCP? What port or ports are used? I already have 137:139 blocked, and
> >>> some others. I even have zonealarm firewall on the windows machine
> >>> itself, but it still allowed this popup. I'd like to totally remove this
> >>> remote ability via the linux end, as nothing related to security on
> >>> windows can be trusted.

I'm probably going to miss something, been having migraine problems all 
day, can barely think.

> Where is the pop-up spam showing up?  If it rears its
> ugly head while you're surfing the web, it's just
> plain old HTML, TCP 80.  The link to fire the pop-up
> is embedded in whatever page you surf to, and the only
> way you can disable that sort of nonsense is by
> increasing the paranoia level of your browser or
> install a pop-up killer.

This is not a web popup at all, and I'm not surfing. This is apparently 
something like an SMB server message block, spawning an administrative 
popup widget. I do not web surf from windows, nor do I use it for email. 
I avoid anything I can from windows. I'm still playing with firewall 
rules to find out just how they are getting in. When the popup hits, 
about 1/3 of the time it causes the system to lock up hard. It isn't 
unusual to get 3 spam extortion payment requests at once, about once per hour.

> Most of the garbage that crawls in with the Windows
> Messenger transport is just text-based stuff, a window
> with the supposed sender's name and a few sentences.
> You probably won't see graphics or anything in
> Messenger-based spam.

There is an event viewer log noting the message popup time and what was 
in it. The windows logging system though is too dumb to say what IP was 

> Someone asked if NetBEUI is its own protocol WRT
> keeping it out of your network.  Any Windows
> Networking traffic that comes in off the internet is
> NBT, or NetBios over TCP/IP, the next step of
> bastardization in a string of bastardizations to
> continue extending NetBios to a realm it shouldn't be
> in.   Windows Networking traffic should never
> cross the boundaries of someone's network unless it's
> inside an IPsec packet.  Everyone in the world should
> deny MS Networking at their net borders.

This machine doesn't even have NetBEUI bindings, all network 
neighborhood type abilities are as removed as possible. This might be 
part of the reason it crashes, as the event log also says that I'm 
missing software necessary to properly display all popups. But the 
popups arrive anyway, and 1/3 of the time crash the machine, and loss of 
whatever was being worked on. It sounds like any ipchains rule for tcp 
would work if it is NetBios over tcp.

D. Stimits, stimits AT attbi DOT com

> -B
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
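An added example, not part of the thread above: the rules a border firewall needs to keep Windows Networking traffic out, plus a way to learn the sender's address, which the poster notes the Windows event log does not record. The thread talks about ipchains; this uses iptables (its successor on 2.4 and later kernels), and assumes the external interface is eth0 and that the Windows box sits behind the Linux host (so both INPUT and FORWARD are covered). Messenger-service popups of the kind described travel over MS-RPC (port 135) as well as NetBIOS (137-139) and SMB (445), so a 137:139-only rule leaves a hole. The script prints the rules rather than applying them, and the log lines it parses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): generate iptables rules that
# log and drop inbound Windows-networking traffic at the Linux border, and
# parse the resulting kernel log lines to recover the sender's IP.
#
# Assumptions (mine, not the poster's): iptables on Linux 2.4+, external
# interface eth0, Windows host behind this firewall (INPUT + FORWARD chains).

WAN_IF="${WAN_IF:-eth0}"

# Ports carrying Windows Networking / Messenger-service traffic:
#   135      MS-RPC endpoint mapper (Messenger-service popups use this)
#   137:139  NetBIOS over TCP/IP (name, datagram, session services)
#   445      SMB directly over TCP (Windows 2000/XP)
WIN_PORTS="135 137:139 445"

# Print the iptables commands (one per line) instead of executing them, so
# the rule set can be reviewed and this function runs without root.
win_block_rules() {
    for chain in INPUT FORWARD; do
        for proto in tcp udp; do
            for ports in $WIN_PORTS; do
                # Rate-limited LOG first so the source address lands in the
                # kernel log, then DROP (silent, no RST/ICMP back to the sender).
                echo "iptables -A $chain -i $WAN_IF -p $proto --dport $ports -m limit --limit 6/min -j LOG --log-prefix 'WINNET-DROP: ' --log-level 4"
                echo "iptables -A $chain -i $WAN_IF -p $proto --dport $ports -j DROP"
            done
        done
    done
}

# Apply the generated rules (needs root). Not called by default.
win_block_apply() {
    win_block_rules | sh
}

# Read iptables LOG lines on stdin and print "count SRC PROTO DPT", most
# frequent source first. Lines without our prefix are ignored.
win_log_sources() {
    sed -n 's/.*WINNET-DROP: .*SRC=\([0-9.]*\) .*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\).*/\1 \2 \3/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample kernel log (example data, not a real capture): two
# Messenger-style UDP/135 hits from one host, one NetBIOS session probe,
# and one unrelated kernel message that must be ignored.
SAMPLE_LOG='Jun 24 00:01:02 gw kernel: WINNET-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=1230 TOS=0x00 PREC=0x00 TTL=113 ID=4321 PROTO=UDP SPT=1034 DPT=135 LEN=1210
Jun 24 00:01:02 gw kernel: WINNET-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=1230 TOS=0x00 PREC=0x00 TTL=113 ID=4322 PROTO=UDP SPT=1034 DPT=135 LEN=1210
Jun 24 00:02:40 gw kernel: WINNET-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=9 DF PROTO=TCP SPT=3920 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 24 00:03:11 gw kernel: eth0: link up, 100Mbps, full-duplex'

# Run the parser over the embedded sample.
win_demo_sources() {
    printf '%s\n' "$SAMPLE_LOG" | win_log_sources
}

# Stand-alone usage: show the rules, then the parsed sample.
if [ "${1:-}" = "show" ]; then
    win_block_rules
    echo
    win_demo_sources
fi
```

Run with `sh script.sh show` to review the 24 rules; `win_block_apply` installs them as root. In production, feed `win_log_sources` from the real log (`grep WINNET-DROP /var/log/kern.log | win_log_sources`) to see which hosts are hammering port 135 or 139, and keep the `-m limit` on the LOG rule so a flood of popup spam cannot fill the disk.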
