Messenger Spam
A common question we see is what all the inbound traffic on UDP ports 1026,
1027, 1028, 1029 etc. is. Typically this is Messenger Spam. To understand what
Messenger Spam is, you first have to understand what the Messenger Service is.
The Messenger Service was originally meant as a way for system administrators
and remote devices to send alert messages to connected systems. So, for example,
if an administrator was going to take a server off-line, they could use the
Messenger Service to alert all their users to the impending outage, or a network
printer could send a message to users about being out of paper. The Messenger
Service exists by default on all Windows systems from Windows NT on up (note that
Windows 95, 98, and ME didn't have a Messenger Service by default), but since the
release of Windows XP SP2 the Messenger Service has been disabled. Spammers
discovered the Messenger Service several years ago and started using its
intrusive messages (remember it was an alert service, so the messages were
designed to be intrusive; by that I mean they pop to the front and don't go away
until acknowledged) as a form of unsolicited advertising.

With the Messenger Service disabled, the system will not receive or process
Messenger events. You can test this by opening a Command Prompt and entering
'Net Send Your_IP_Address some message'; you should get an error message as below.

If the Messenger Service were running, you would instead get the following

and a Messenger Service alert would appear on your screen.

Normal use of Messenger alerts involved a rather complex process of querying the
target system to find out whether it allowed alert messages, and then which port
the service was running on, etc., before the actual message could be sent.
Spammers figured out they could circumvent this process by sending a single UDP
packet directly to the port running the Messenger Service (I had posted an
article about this on Broadband Reports). Typically the Messenger Service runs
on UDP port 1026, but it can run on other ports depending on what other services
are running, or what order the services were started in, etc., so spammers send
the message to a range of ports (typically 1026 - 1029) on the assumption that
the Messenger Service will be running on one of them. One thing that should be
noted is that since the event uses the UDP protocol, no connection handshaking
is involved, so it is very easy to spoof the source IP address, making it very
difficult to trace back to the actual source of the spam. Most of the source IP
addresses we see are from China, but again this could be suspect, as it is so
easy to spoof the source of a UDP packet.
While Messenger Spam has been around for a long time, a large increase was noted
starting at the end of April 2005.

We have also noted an increase in the number of ports to which the spam is sent.

Messenger Service messages are different from typical pop-up messages in that
Messenger Service messages are plain text; for example, there are no clickable
links in a Messenger Service message. The top of the message frame will always
state 'Messenger Service' and there is an 'OK' button centered at the bottom.
See samples of Messenger spam below. NOTE: all of these messages were bogus, as
the system wasn't infected, nor did it have any corruption, critical errors or
any other problems; these were all scare tactics to get you to go to their site.
Frankly, in my opinion any advertisement sent out via Messenger Spam has suspect
intentions and hence should be ignored.



One thing that seeing these messages indicates is that your system is connected
directly to the internet and is likely unpatched, and hence vulnerable to far
more malicious traffic than Messenger Spam (see more about telling if your
computer is infected here). It is strongly recommended, first, that you keep your
system fully up to date with Microsoft's updates, and second, that you use a
firewall, as it should block any unsolicited traffic such as worm attacks and
Messenger Spam.
PortPeeker Capture of Messenger Spam attempt on UDP Port 1027
218.27.103.206 : 54670 Length = 290 bytes
MD5 = 4D32D440B781ECDEF0640EDC868693F6
---- 20/01/2006 17:03:25.400
0 04 00 28 00 10 00 00 00 00 00 00 00 00 00 00 00 ..(.............
10 00 00 00 00 00 00 00 00 F8 91 7B 5A 00 FF D0 11 ..........{Z....
20 A9 B2 00 C0 4F B6 E6 FC 9A 90 91 8A AE 9F 66 84 ....O.........f.
30 E7 58 5F 6B 15 26 94 91 00 00 00 00 01 00 00 00 .X_k.&..........
40 00 00 00 00 00 00 FF FF FF FF D2 00 00 00 00 00 ................
50 10 00 00 00 00 00 00 00 10 00 00 00 53 59 53 54 ............SYST
60 45 4D 00 00 00 00 00 00 00 00 00 00 10 00 00 00 EM..............
70 00 00 00 00 10 00 00 00 41 4C 45 52 54 00 00 00 ........ALERT...
80 00 00 00 00 00 00 00 00 8E 00 00 00 00 00 00 00 ................
90 8E 00 00 00 09 09 09 53 59 53 54 45 4D 20 45 52 .......SYSTEM ER
A0 52 4F 52 0A 0A 0A 09 53 79 73 74 65 6D 20 45 72 ROR....System Er
B0 72 6F 72 20 64 65 74 65 63 74 65 64 20 69 6E 20 ror detected in
C0 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 C:\WINDOWS\syste
D0 6D 33 32 20 0A 0A 57 69 6E 64 6F 77 73 20 73 75 m32 ..Windows su
E0 67 67 65 73 74 73 20 76 69 73 69 74 69 6E 67 20 ggests visiting
F0 77 77 77 2E 63 6C 65 61 6E 74 68 69 73 70 63 2E www.cleanthispc.
100 63 6F 6D 20 74 6F 20 64 6F 77 6E 6C 6F 61 64 20 com to download
110 66 72 65 65 20 72 65 70 61 69 72 20 74 6F 6F 6C free repair tool
120 0A 00                                           ..
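As an added example that is not part of the original article or of PortPeeker, here is a small Python decoder for the datagram in the capture above: it checks that a UDP payload is a DCE/RPC connectionless request to the Messenger Service interface (UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, opnum 0, NetrSendMessage) and extracts the sender name, recipient name and message text, which is what a firewall log or IDS rule needs to classify the UDP 1026 - 1029 traffic discussed above. The header and NDR string layout are the standard ones for that protocol; the sample bytes are transcribed from the dump above.

```python
import struct
import uuid
# MSGSVC interface UUID: the 16 bytes at offset 0x18 of the capture above, NDR little-endian.
MSGSVC_IF_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
CL_HEADER = struct.Struct("<BBBB3sB16s16s16sIIIHHHHHBB")  # 80-byte DCE/RPC datagram header

def _ndr_string(buf, pos):
    """Read one NDR conformant/varying string: max count, offset, actual count, data."""
    max_count, offset, actual = struct.unpack_from("<III", buf, pos)
    pos += 12
    if offset != 0 or actual > max_count or pos + actual > len(buf):
        raise ValueError("malformed NDR string")
    text = buf[pos:pos + actual].split(b"\0", 1)[0]  # data is NUL-terminated and padded
    return text.decode("ascii", "replace"), pos + actual

def parse_messenger_request(payload):
    """Return {'from', 'to', 'text'} for a NetrSendMessage datagram, else None."""
    if len(payload) < CL_HEADER.size:
        return None
    f = CL_HEADER.unpack_from(payload)
    rpc_vers, ptype, drep, if_id, opnum, body_len = f[0], f[1], f[4], f[7], f[12], f[15]
    # Only a v4 request (ptype 0) in little-endian NDR to the MSGSVC interface, opnum 0, matches.
    if (rpc_vers != 4 or ptype != 0 or (drep[0] & 0xF0) != 0x10
            or uuid.UUID(bytes_le=if_id) != MSGSVC_IF_UUID or opnum != 0):
        return None
    body = payload[CL_HEADER.size:CL_HEADER.size + body_len]
    try:  # stub data: from-name, to-name, then the message text
        sender, pos = _ndr_string(body, 0)
        recipient, pos = _ndr_string(body, pos)
        text, _ = _ndr_string(body, pos)
    except (struct.error, ValueError):
        return None
    return {"from": sender, "to": recipient, "text": text}

# Constructed sample: the 290-byte UDP payload transcribed from the capture above.
SAMPLE_PAYLOAD = bytes.fromhex(
    "04002800100000000000000000000000" "0000000000000000F8917B5A00FFD011"
    "A9B200C04FB6E6FC9A90918AAE9F6684" "E7585F6B152694910000000001000000"
    "000000000000FFFFFFFFD20000000000" "10000000000000001000000053595354"
    "454D0000000000000000000010000000" "0000000010000000414C455254000000"
    "00000000000000008E00000000000000" "8E00000009090953595354454D204552"
    "524F520A0A0A0953797374656D204572" "726F7220646574656374656420696E20"
    "433A5C57494E444F57535C7379737465" "6D3332200A0A57696E646F7773207375"
    "676765737473207669736974696E6720" "7777772E636C65616E7468697370632E"
    "636F6D20746F20646F776E6C6F616420" "667265652072657061697220746F6F6C" "0A00"
)

if __name__ == "__main__":
    m = parse_messenger_request(SAMPLE_PAYLOAD)
    print("from=%r to=%r\n%s" % (m["from"], m["to"], m["text"]))
```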
Page last updated on November 26, 2006