Stopping NetBIOS Spam?

MoonFacedAssassin asks: "I woke up this morning to find that my computer had a Windows messaging pop-up window with an advertisement about getting diplomas and degrees. I was quite shocked to find that my Bellsouth DSL IP address had been spammed. Has this happened to anyone else? Other than closing off the port which this can come through, are there any other ways to block this spam? And, how responsible is Bellsouth (or any ISP for that matter) in handling issues like this?"

um.

[danielrose]

Are you new?
Seems to me that restricting the port would be the sane method of preventing outside persons from exploiting your system. The same as any other service on any other port.

You said it yourself...

[xt]

Block the port. To be honest, I can't understand why you would leave any ports open, when on an always-on connection, with a static IP address. Unless you have a service running on a port, that you want it to be public accessible, all other ports should be blocked and stealth. Experience says this is especially true for netbios ports...

As for the second part, you cannot count on an ISP's usage terms to protect you from malicious acts. For good or for bad, they sell access services, not security services.

Re:Overlooking the obvious

[jilles]

Especially not if you don't know how to configure it. There's even a GUI for disabling NETBIOS.

Re:um.

[biglig2]

Netbios exposed to the internet? Ouchies. If your set-up has security that bad then the ISP isn't the peroson to ask for help - because who knows what else you've left lying open?

Two dumb birds for the price of one....

[coyote-san]

This stupid question (block the port, be done with it) has given me a potentially useful idea.

How hard would it be to send a message back to the boxes that have some code red or similar virus. Basically you ask my web server for c:/scripts/something, you get a Windows message back informing you in no uncertain terms that your box is infected and the OS needs to be reinstalled.

This isn't an attack, but if enough people did it (just one message per infection attempt) people would soon be forced to do something because of the barrage of messages. And the people who let their boxes REMAIN infected with a virus that's been out in the wild for over a year are hardly the type of people to have locked down port 139.

Re:Crappy ISP!

[Blkdeath]

I was on www.foxnews.com and if you leave it up for 5 min or so with javascript turned on it pops up. I think its just an add that looks like a windows message.

Gee, I'd forgotten how annoying those popups were since I installed a browser [mozilla.org] that blocks popups. Alternatively, I could have installed another browser [opera.com] that showcases the same functionality. It's like a whole different WWW without popups. :)

But seriously, this NetBIOS messenger problem is quite real, and is (almost) entirely the fault of the end-user. Putting a Windows machine on the Internet without some form of firewall (software or hardware) is an invitation to get violated in some way or another. All I have to say is, these people are already once lucky - their file and print shares are exposed to the world, so with a bit of password trickery (or exposing one of the many NETBIOS vulnerabilities that exist at various patch levels of each of the Windows OS variants) one can easily access the data and/or send malicious print jobs (hint: MS Paint, black background, 100 copies. Else, SPAM)

There are also cases of people who actually run/administer a firewall that's obviously mis-configured to the point of being futile, so don't expect the mere presence of such a thing to protect you. One individual on the Security Focus Incidents mailing list is reporting this very same 'problem' on his network running Microsoft ISA firewall.

If you're unable (for whatever reason) to install a software firewall, obtain and configure an Internet router. There are dozens (hundreds) on the market, and the vast majority of them (that we've dealt with/sold) come with port forwarding to the internal machines disabled per default. For single-computer owners, SMC makes a one-port Internet router that could simply be installed inline with the users' cable/DSL 'modem' for security and peace of mind. Moreover, it saves the user from having to install annoying PPPoE client software on their machines.

Like the poster before alluded (rather amusingly) to; if you leave your door ajar, don't be surprised when you come home to find people roosting in your house, or that some of your things are missing. Sure, the person may have broken the law, but putting out the welcome mat is just asking for trouble.

Re:Overlooking the obvious

[kableh]

Give me a break. Install Redhat 7.2 on PC, then plug that straight into the internet and tell me how long it takes to get r00ted. It took me all of 2 minutes at my last job.

A good start would be a decent software firewall. Tiny Software used to offer theirs for free for personal use, but seem to have taken it down from their website =(. If you scour the net, you might be able to find it for download from one of those shareware sites.

A reinstall also would be prudent. When I'm doing a fresh install I try to keep the machine behind a device doing NAT until I have proper firewall software installed and my box patched.