
Fighting back against NET SEND SPAM

I talked about NET SEND SPAM and, later, methods to stop it. Now it is time to fight back.

Who sent the spam?

"What is the IP address of the spammer?" You are probably eager to know. Well, it is not easy. It is almost impossible to get the IP address of the sender. If you are very technical and want to know more about the details, please read this article first.

Install a firewall

A better way than shutting down the Messenger service is to install a firewall. By installing a firewall, you gain the following benefits.

  1. You eliminate NET SEND SPAM and other kinds of attacks and viruses.
  2. You log the IP addresses of all attackers so you can take action to fight back.

There are a handful of great personal firewall products available. If you are using Windows XP, you already have a firewall installed. It is called Windows Internet Connection Firewall (a.k.a. ICF). You only need to follow these steps to enable it.

To enable or disable Internet Connection Firewall
  1. Open Network Connections (Click Start, click Control Panel, and then double–click Network Connections.)
  2. Click the Dial–up, LAN or High–Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection.
  3. On the Advanced tab, under Internet Connection Firewall, select one of the following:
    • To enable Internet Connection Firewall (ICF), select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.
    • To disable Internet Connection Firewall, clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box. This disables the firewall, your computer and network are then vulnerable to intrusions.

Source: Use the Internet Connection Firewall to Secure Your Small Network

Enable Firewall logging

This is a good article on how to enable firewall logging. After you enable logging, you keep a record of all attacks on your server.

Analyze the report

One of the easy ways is to use myNetWatchMan. Follow the steps to register and download an agent. The agent will check the log file on your computer and send the attack information to the server. After aggregating the reports from many agents (about 5000+ currently), it will send an abuse complaint to the network owner, thus preventing further spam.

You can also check for yourself. Here is a sample from my personal firewall log:

2002-11-08 21:38:25 DROP UDP 195.252.113.35 211.161.107.5 1026 137 78 - - - - - - -

If you find a lot of DROP lines from one source and they show the port as UDP 137, it looks like spam.

Use this command at the command line (replace the IP address with the IP you saw in your log file):
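The check described above can be automated. The following is an added example, not code from the original post: it counts dropped UDP packets to port 137 per source address in a log laid out like the line quoted above. The column names, the threshold of 3 and every sample line except the first data line are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample. Only the first data line is the one quoted in the
# article; the others are made up and use documentation-range source addresses.
SAMPLE_LOG = """\
# constructed header: lines starting with '#' are skipped
2002-11-08 21:38:25 DROP UDP 195.252.113.35 211.161.107.5 1026 137 78 - - - - - - -
2002-11-08 21:40:02 DROP UDP 203.0.113.50 211.161.107.5 1027 137 78 - - - - - - -
2002-11-08 21:41:10 DROP TCP 198.51.100.7 211.161.107.5 4312 80 48 S 1234567 0 16384 - - -
2002-11-08 21:42:15 DROP UDP 203.0.113.50 211.161.107.5 1027 137 78 - - - - - - -
2002-11-08 21:43:00 DROP ICMP 198.51.100.7 211.161.107.5 - - 60 - - - - 8 0 -
2002-11-08 21:45:41 DROP UDP 203.0.113.50 211.161.107.5 1028 137 78 - - - - - - -
2002-11-08 21:47:30 DROP UDP 203.0.113.50 211.161.107.5 1028 137 78 - - - - - - -
2002-11-08 21:48:00 OPEN UDP 211.161.107.5 192.0.2.53 1030 53 - - - - - - - -
"""

# Labels (assumed names) for the first eight columns of the quoted log line.
FIELDS = ("date", "time", "action", "protocol",
          "src_ip", "dst_ip", "src_port", "dst_port")

def parse_line(line):
    """Return the first eight columns as a dict, or None for headers/short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def netbios_drop_sources(log_text, port="137", threshold=3):
    """Sources with at least `threshold` dropped UDP packets to `port`.

    Returns (source IP, count, first seen, last seen) tuples, busiest first.
    """
    hits, seen = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if (rec["action"], rec["protocol"], rec["dst_port"]) != ("DROP", "UDP", port):
            continue  # ignores TCP/ICMP drops and permitted (OPEN) traffic
        src, stamp = rec["src_ip"], rec["date"] + " " + rec["time"]
        hits[src] += 1
        first, _ = seen.get(src, (stamp, stamp))
        seen[src] = (first, stamp)
    return [(ip, n) + seen[ip] for ip, n in hits.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n, first, last in netbios_drop_sources(SAMPLE_LOG):
        print(f"{ip}: {n} dropped UDP/137 packets between {first} and {last}")
```

The first and last timestamps are kept because an abuse report to a network owner is only useful with the time window attached.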

NBTSTAT -a 195.252.113.35

You will get output like this:

Local Area Connection:
Node IpAddress: [157.60.112.235] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
===========================================
SPAM-01 <00> UNIQUE Registered
SPAM <00> GROUP Registered
SPAM-01 <20> UNIQUE Registered
SPAM <1E> GROUP Registered

MAC Address = 00-10-A4-BB-E2-C3

Note the last line: it is the MAC address of the spammer. A MAC address is the serial number of a network interface card. It is burnt into the chip and cannot be changed. Unfortunately, there is no reliable way to narrow an IP address down to a certain geographic location. But knowing the MAC address gives very solid evidence that the packet was sent from the computer of the MAC address owner.

We need more

The topic of NET SEND SPAM never stops. I will fine-tune this article and replace some of the general concepts with resources and steps. I believe we need to unite to fight back against NET SEND SPAM.

by Jian Shuo Wang on November 20, 2002 under Spam

Comments

You can change the MAC address of your card in Windows: go to network properties and advanced and change it.

Posted by: antispam on November 23, 2002 2:43 AM

Hi Antispam,

I didn't know we can change the MAC address. I checked on the net. It is true.

Here are some resources:

How can I change my media access control (MAC) address under Windows
http://www.ntfaq.com/Articles/Index.cfm?ArticleID=23256

What is MAC Address:
http://www.duxcw.com/faq/network/mac.htm

Find manufacturer from MAC address:
http://www.coffer.com/mac_find/?string=00%3A50%3ABA

Posted by: Jian Shuo Wang on November 23, 2002 9:18 PM

go to the shit, danmit.

Posted by: MW on January 16, 2003 9:37 PM

There is a simpler way to fix this:
Right click on "My Computer"
-choose "manage"
-double-click "services and applications"
-double-click "services"
-right click "messenger"
-choose "stop"

Posted by: Ryan on February 21, 2003 10:57 PM

i would like to get a weekly update

Posted by: arank on March 21, 2003 5:55 PM

Or another way is to open up CMD and type in net stop messenger

Posted by: Daniel Harrisson on March 25, 2003 10:26 PM

Daniel, thanks for your contribution.

Posted by: Jian Shuo Wang on March 25, 2003 10:31 PM

OMG! Thank you so very much for this article! I received 2 netsend spams for the first time today. I'm now ready to fight back if the idiot decides to spam my IP again!

Posted by: Rob on April 4, 2003 7:41 AM

`net stop messenger` only hides the problem. It does not cure the problem. In fact messenger spam is good because it tells you (indirectly) that you should be running a firewall on your computer!

Posted by: Myron on October 9, 2003 2:50 AM

There are other ways of using net send besides spam. It could be used to send a general warning over a large network, as a quick way to send a short message, or, like my friends use it, to annoy the heck out of anyone they can get an IP address for (we do this as a joke amongst ourselves at LAN parties). So this, like many other functions, was not made to do this, but like e-mail, it is used for these purposes.

Posted by: Shooer on October 13, 2003 7:05 AM

You could simply turn off NETSEND on your computer :)

START > PROPERTIES > CONTROLPANEL > ADMINISTRATOR > SERVICES (can't remember which service it is though.)

Posted by: Rune Jensen on November 24, 2004 3:43 PM

Hi, I want to know how I can see the IP address of my chat friend and how I can send them a message from the IP address. Please tell me. Bye.

Posted by: Aftab on December 16, 2004 1:42 PM

what the f**k just happened here. Besides, wtf is via mail
ok
thats it
i talk like this
from here on
plz ansewer soon
bye
CodeboyMSN

Posted by: CodeBoyMSN on January 15, 2005 8:08 PM

There is also a scenario where the corporate PC will not have admin rights, where stopping the service is not possible.
Any solution?

Posted by: gpthe great on March 14, 2005 3:01 PM

wen i wont 2 sing in msn it wont let me bec somethin 2 do wid the net work can u tell me how 2 sign in wid out dat comin up and can u sign me in its sexy_bitch_cleo'hotmail.co.uk plez get me 2 sign in bec all my m8ts hav msn and i carnt talk 2 dem bec i carnt sign in so plez help me

Posted by: cleo on April 10, 2005 7:26 PM

Dear All,

There is a simpler way to do it. You do not have to turn off the messenger service; you might need it for some other tasks, I mean if you are using it with other friends. Simply visit the web site and find the website's IP address by typing "netstat -n" at the command prompt. Then simply block that IP in your firewall.

If you need more please let me know by email.

regards,

Posted by: Hunar on June 28, 2006 6:41 PM

jou are so male hahahahah

Posted by: gilles on January 2, 2007 9:48 PM

my outlook send this message [***SPAM*** Score/Req: 07.20/05.00] how to stop

Posted by: shibu on April 20, 2008 5:56 PM
© 2001 - 2009 Jian Shuo Wang. All rights reserved.