Flighting back for NET SEND SPAM

I talked about NET SEND SPAM and methods to stop it later. Now it is the time to fight back.

Who sent the spam?

“What is the IP address of the spammer?” You probably eager to know. Well. It is not easy. It is almost impossible to get the IP address of the sender. If you are very technical and want to know more about the details, please read this article first.

Install a firewall

A better way than shutting down the Messenger service is to install a firewall. By install a firewall, you gain the follow benifit.

  1. You eliminate NET SEND SPAM and other kind of attack and virus.
  2. You log the IP address of all attackers so you can take actions to fight back.

There are handful of great personal firewall software available. If you are using Windows XP, you already have a firewall installed. It is called Windows Internet Connection Firewall (a.k.a. ICF). You only need to follow these steps to enabled it.

To enable or disable Internet Connection Firewall

  1. Open Network Connections (Click Start, click Control Panel, and then double–click Network Connections.)
  2. Click the Dial–up, LAN or High–Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection.
  3. On the Advanced tab, under Internet Connection Firewall, select one of the following:
    • To enable Internet Connection Firewall (ICF), select

      the Protect my computer and network by limiting or preventing access to

      this computer from the Internet check box.

    • To disable Internet Connection Firewall, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box. This disables the firewall, your computer and network are then vulnerable to intrusions.

Source: Use the Internet Connection Firewall to Secure Your Small Network

Enable Firewall logging

This is a good article on how to enable firewall logging. After you enable the logging, you keep the record of all attack to your server.

Analysis the report

On of the easy way is to utilize myNetWatchMan. Follow the steps to register and download an agent. The agent will check the log file on your computer and send the attack information to the server. After aggregating all the report from many agents (about 5000+ currently), it will send abuse compliane to the network owner, thus prevent futher spam.

You can also check for yourselves. Here is an sample from my personal firewall log:

2002-11-08 21:38:25 DROP UDP 195.252.113.35 211.161.107.5 1026 137 78 - - - - - - -

If you find a lot DROP lines from a source while it indicates port is UDP 137, it seems like a spam.

Use this command in Command line (replace the IP address with the IP you saw in your log file

NBTSTAT -a 195.252.113.35

You will get return like this:

Local Area Connection:

Node IpAddress: [157.60.112.235] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status

===========================================

SPAM-01 <00> UNIQUE Registered

SPAM <00> GROUP Registered

SPAM-01 <20> UNIQUE Registered

SPAM <1E> GROUP Registered

MAC Address = 00-10-A4-BB-E2-C3

Note the last line: it is the MAC address of the spammer. MAC address is the serial number of a Network Interface card. It is burnt into the chip and cannot be changed. Unfortunately, there is no reliable way to narrow down to certain geographic location from IP address. But by know the MAC address, it is very solid evidence that the package is sent out from the computer of the MAC address owner.

We need more

The topic of NET SEND SPAM never stops. I will fine tune this article and replace some general concept to some resources and steps. I believe we need to unite to fight back to NET SEND SPAM.

18 thoughts on “Flighting back for NET SEND SPAM”

  1. There is a simpler way to fix this:

    Right click on “My Computer”

    -choose “manage”

    -double-click “services and applications”

    -double-clisk “services”

    -right click “messenger”

    -choose “stop”

  2. OMG! Thankyou so very much for this article! I received 2 netsend spams for the first time today. I’m now ready to fight back if the idiot decides to spam my ip again!

  3. `net stop messenger` only hides the problems. It does not cure the problem. In fact messenger spam is good because it tell you (indirectly) that you should be running a firewall on your computer!

  4. There are other ways of useing net send besides spam, it could be used to send a general warning over a large network, a quick way to send a short message, or like my friends use it, to annoy the heck out of any one they can get a IP adress for(We do this as a joke amognset selves at Lan partys). So this like many other functions was not made to do this, bu like e-mail, it is used for these perposes.

  5. you could simply turn off NETSEND on your computer :)

    START > PROPERTIES > CONTROLPANEL > ADMINISTRATOR > SERVICES (cant remember which service it is though.)

  6. hi i want that how can i see IP adress of my chat friend and how can i send them mesg from IP adress plz tell me .bye

  7. There is also a scenario, where the corporate pc will not have admin rights. where stopping the service is not possible.

    any solution?

  8. wen i wont 2 sing in msn it wont let me bec somethin 2 do wid the net work can u tell me how 2 sign in wid out dat comin up and can u sign me in its sexy_bitch_cleo’hotmail.co.uk plez get me 2 sign in bec all my m8ts hav msn and i carnt talk 2 dem bec i carnt sign in so plez help me

  9. Dear All,

    There is simplest way for it. It is not must you should turn off the messenger service, might you need it for some other tasks. I mean if you are using it with other friends. Simply visit the web site and find the website ip address by typing “netstat -n” at command prompt. And simply block that IP from your firewall.

    If you need more please let me know by email.

    regards,

Leave a Reply

Your email address will not be published. Required fields are marked *