XP Messenger Service----safe to use?

[JimiBlues]

Hi,

i know there are some malware specifically designed to target the XP
alerter/messenger services i.e. the net send mechanism.

However, management wants to use this facility to send messages to users?

Assuming we are patched completely, is it safe to do this? or should we
instead use a different messaging software package?
thanks.

 

[Bill Sanderson]

The issue with this service was spam, rather than malware per se, I believe.
However, spam can include malicious URLs--but I think this is a pure text
service, and the urls would not be clickable--but it has been a long time
since I saw a message sent via this mechanism.

Microsoft's security auditing tools --MBSA 2.1, for example, I believe
continue to recommend disabling this service. On the other hand, I know
that tools from, for example, Dell and APC and various backup vendors
continue to provide tools using such broadcasts to let users or admins know
of alerts of various sorts.

My own sense of this is that the service is not a security vulnerability,
except in the sense that spam might be such.

If your network is properly firewalled at the perimeter you should not see
messenger spam from the Internet.

This article has a good description of the issue:

http://www.spywareguide.com/txt_messengerspam.php

The ports used by this service should not be open to the outside world. If
they are, you have much bigger problems than just messenger spam.

So, although my own kneejerk reaction is to keep this service disabled, I
think that may be unnecessary in properly protected networks these days.
The ports needed should not be open even in the least expensive home router,
This was an issue quite a while ago, and networking was quite different
then--the home nat/router devices that are ubiquitous now were rare then.

The software allowing you to generate such spam is probably still out there,
and there were situations in networks where the spam was generated in-house.
This could happen again.

As with many details of security, it is a balancing act. I have some
sympathy with the need for admins to be able to use such broadcasts.

There was also third-party software written to replace this mechanism--some
with cost, some freeware. I don't recall the names of any of these
packages, and haven't researched them lately.

The search term I used to Google up the citation above was "messenger
service spam" I suspect that a search on "messenger service replacement"
might yield some links.

Thanks for the trip down memory lane--I think this is indeed a relevant
question even now. I think I'll go look at my Server 2008 install and see
if the messenger service is in there. I suspect it will be, but disabled by
default.

 

[Bill Sanderson]

........ Thanks for the trip down memory lane--I think this is indeed a
relevant question even now. I think I'll go look at my Server 2008 install
and see if the messenger service is in there. I suspect it will be, but
disabled by default.

And, it looks like I'd be wrong! I can't find the messenger service in
Server 2008. I can see some remnants of it in help, and the term is used in
the context of netbios names in a number of places, but I don't see the
service itself.

 

[Randy Knobloch]

Hi,

i know there are some malware specifically designed to target the XP
alerter/messenger services i.e. the net send mechanism.

However, management wants to use this facility to send messages to users?

Assuming we are patched completely, is it safe to do this? or should we
instead use a different messaging software package?
thanks.

How To: Determine what Services are running in Windows XP
http://www.mvps.org/winhelp2002/services.htm

(Older info here) NB - Does not reflect XP SP3
http://www.theeldergeek.com/alerter.htm

Proceed with *extreme caution* (emphasis) when tweaking Services.
From a Run Box, "type" > "services.msc" (no quotes) > enter.