Solved

block the use of AIM, MSN Messenger, Yahoo Instant Messenger and ICQ by URL filtering

Posted on 2004-04-27
43
177,636 Views
Last Modified: 2011-08-18
Hi everybody,

Is there a way to block all URLs used by AIM, MSN Messenger, Yahoo Instant Messenger and ICQ?

I do not need to uninstall or prevent installation, but to block using it.


Best regards
David
0
Comment
Question by:dcanard
43 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10927275
With what would you like to block it?
If you have a proxy, deny the CONNECT method, and if you also use a firewall, only allow proxied traffic.
If you only have a firewall, block everything except port 80 for surfing.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 125 total points
ID: 10927543
Seeing as all of these will tunnel through port 80 if all other ports are blocked, blocking port 80 isn't going to do much good, as you'll stop web browsing for everybody else....
You need to block access to the AOL, MSN and Yahoo IP addresses directly.

from: http://infosecuritymag.techtarget.com/articles/february01/cover.shtml

Preventing IM traffic from leaving the network is also difficult. Like Napster, the major IM clients will work quite hard to find a port to exit your LAN, using HTTP if they have to. AIM needs to connect to the host login.oscar.aol.com in order to start up, so blocking traffic to this destination will effectively shut it down. However, at press time, the name login.oscar.aol.com points to the following IP addresses, according to a DNS lookup:

205.188.7.172
205.188.7.176
205.188.7.164
205.188.7.168

You'll need to block all of these and check for any new servers on a regular basis. Yahoo! Messenger can be blocked in a similar way, by killing off outbound access to the hosts answering to the following names:

msg.edit.yahoo.com
edit.messenger.yahoo.com
csa.yahoo.com
csb.yahoo.com
csc.yahoo.com

Each of the above names resolves out to multiple IP addresses - and, of course, Yahoo! can add new addresses at any time, making it an ongoing battle.

MSN Messenger can be blocked by blocking IP access to the Hotmail network range: 64.4.0.0 through 64.4.63.255. Interestingly, this does not seem to totally block access to Hotmail's Web-based mail service.
0
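The "check for any new servers on a regular basis" step from the answer above can be scripted. This is an added example, not part of the original thread: `refresh_blocklist`, `covered_by_range` and `constructed_resolver` are hypothetical names, and the DNS answers in `constructed_resolver` (including 192.0.2.10 and 64.4.13.5) are constructed so it runs offline.

```python
import ipaddress
import socket

# Names quoted in the answer above: the AIM login host and the Yahoo! hosts.
IM_HOSTS = ["login.oscar.aol.com", "msg.edit.yahoo.com",
            "edit.messenger.yahoo.com", "csa.yahoo.com",
            "csb.yahoo.com", "csc.yahoo.com"]
# Hotmail range from the answer (64.4.0.0 through 64.4.63.255) as CIDR blocks.
MSN_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("64.4.0.0"), ipaddress.ip_address("64.4.63.255")))


def dns_lookup(name):
    """Return the set of IPv4 addresses a name resolves to (empty on failure)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


def covered_by_range(ip):
    """True when the MSN range rule already blocks this address."""
    return any(ipaddress.ip_address(ip) in net for net in MSN_RANGE)


def refresh_blocklist(known, hosts=IM_HOSTS, resolver=dns_lookup):
    """Diff current DNS answers against the addresses already blocked.

    known maps host -> set of blocked IPs. Returns (new, stale): addresses to
    add, and blocked addresses the name no longer returns. A failed lookup
    (empty answer) never marks anything stale.
    """
    new, stale = {}, {}
    for host in hosts:
        current = {ip for ip in resolver(host) if not covered_by_range(ip)}
        old = known.get(host, set())
        if current - old:
            new[host] = sorted(current - old)
        if current and old - current:
            stale[host] = sorted(old - current)
    return new, stale


def constructed_resolver(name):
    """Constructed DNS answers (not real lookups) so the example runs offline."""
    answers = {"login.oscar.aol.com": {"205.188.7.172", "205.188.7.176",
                                       "205.188.7.164", "192.0.2.10"},
               "csa.yahoo.com": {"64.4.13.5"}}  # already inside MSN_RANGE
    return answers.get(name, set())


if __name__ == "__main__":
    # Currently blocked: the four AIM addresses listed in the answer.
    blocked = {"login.oscar.aol.com": {"205.188.7.172", "205.188.7.176",
                                       "205.188.7.164", "205.188.7.168"}}
    new, stale = refresh_blocklist(blocked, resolver=constructed_resolver)
    print("add to block rules:", new)
    print("no longer returned, review:", stale)
```

Run on a schedule with the default `dns_lookup` resolver, the `new` result is the list of addresses to add to the firewall rules.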
 
LVL 5

Expert Comment

by:Droby10
ID: 10928222
Forget trying to block it with an iron fist; there are too many ways around it. Your best bet is to go ahead and block the application-based ports and have available, in writing, the disciplinary repercussions for using unauthorized software within the standard policy/guidelines. Then set up a Snort (or whatever) alert for signatures of said chat traffic. Make an example of someone you really don't need.
0
 
LVL 2

Expert Comment

by:Phill_upson
ID: 10938651
Could you detail what sort of network and firewall you have?

Are you on a home LAN with a PC running Internet Connection Sharing as a gateway, do you have a router with a built-in firewall, etc.?

Does your network have a domain with roaming profiles?

Thanks
0
 

Expert Comment

by:juanmamerino
ID: 11013417
Yahoo is the most difficult to block. I blocked it by denying access to *.msg.*.yahoo.com on my proxy.
All other clients are easy to block, just block the associated TCP ports.

A very good document which explains how to block every IM client is here:

http://www.iss.net/support/documentation/whitepapers/xforce.php

Sure that's all you need.

Good luck!
0
 
LVL 3

Expert Comment

by:Beluga
ID: 11013936
Hi,

tim_holman is quite right - many newer IM clients will try to tunnel over port 80, and they're getting quite good at disguising their traffic as legitimate HTTP traffic. Or, as the vendors call it, "firewall friendly applications". Not necessarily administrator friendly though... ;o)

You can try blocking the known port numbers, hostnames and IP addresses. But the vendors can change these at will - and in the past, they have done so. It's a moving target.

Droby_10's suggestion of using an IDS, such as Snort, is exactly how I deal with the problem. I can trace the communication back to a specific IP address, prove how long the chat session was open, then contact the user's HR officer with the evidence and a copy of the relevant section of the Acceptable Use Policy.

An even better (read: more expensive) solution is one of the new  server appliances that claim to intercept and inspect all IM traffic (e.g. WebWasher). Like an IDS, they use signatures to detect IM traffic. But then like a proxy server, they deny access to users who aren't on an "approved" list.

Beluga
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11013947
He is right, but I can hardly imagine that companies open up port 80. Mostly it goes over a proxy, and then you can avoid these tools by disabling the CONNECT method.
And if you have a good workstation policy, it can be pretty hard to install tools on your desktop.
Anyhow, the solution will not be done on one component only.
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11014519
lots of unaccepted questions lately
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11016604
The only Bueller I know is the one that had a day off - what you talking about sirbounty ??  ;)
0
 

Author Comment

by:dcanard
ID: 11030245
Thank you all of you. It works almost fine.
0
 

Expert Comment

by:knuthf
ID: 11241325
.. Everyone left out the obvious:
Download blocking software from:
http://www.grc.com/stm/shootthemessenger.htm
- this also halts usage on the LAN.

Then you have the DCOM leakage:
http://www.grc.com/dcom/
and PnP hole:
http://www.grc.com/unpnp/unpnp.htm

Greg has helped a number of agencies in security issues - and I recommend his site on your list of favourites.
0
 
LVL 3

Expert Comment

by:Beluga
ID: 11248553
knuthf,

I think you might be confusing the Windows Messenger service with Instant Messaging (which includes MSN Messenger). Windows Messenger offers a broadcast-based one-way communication. Instant messaging offers a connection-based two-way communication.

Steve Gibson's "shoot the messenger" program does not affect Instant Messaging (as noted on the web page, under the heading "Windows Messenger Service"). It won't "block the use of AIM, MSN Messenger, Yahoo Instant Messenger and ICQ", which was the subject here.

For an explanation of the differences, the following from Caltech's web site might be helpful:
http://www.its.caltech.edu/its/security/users/windows_messenger.shtml
0
 
LVL 3

Expert Comment

by:Beluga
ID: 11248597
Just realised that Microsoft refer to the Instant Messaging program that's bundled with XP as "Windows Messenger", which only adds to the confusion! The Windows Messenger *service* is something different, and is the one addressed by "shoot the messenger".
0
 

Expert Comment

by:isaacdoku
ID: 11527582
Get TerminatorX to do the job for you.

http://blockmsn.port5.com/

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 11537119
TerminatorX doesn't block Trilian...  ;)
0
 

Expert Comment

by:Weedwalker
ID: 11551515

Even if you block it with TerminatorX or block it with a firewall, you won't be blocking web-based chat such as Everywhere MSN (eMsn).... These tools are completely web based and they use the HTTP port like any web site... You could block the domain, but you are going to fall into an infinite "domain blocking" war since these tools are built like an applet....

Droby_10's suggestion is the ONLY completely bulletproof way to block users from chatting.. trust me, they try to block me and they never succeed...

0
 

Expert Comment

by:isaacdoku
ID: 11556567
An iron fist approach for MSN Messenger is to create a registry key that will prevent the application from running.

HKEY_LOCAL_MACHINE\software\policies\microsoft\

Create a new key called Messenger. Create another key under Messenger called Client. Then create a DWORD under Client, call it PreventRun and give it a value of 1. This key can be exported to a file and imported into the registry of other computers.
0
 

Expert Comment

by:isaacdoku
ID: 11556995
If you are working in an Active Directory domain environment, you could also use the group policy in the domain to prevent the running of specific Windows programs. See Microsoft Knowledge Base Article 323525. For example, if you want to prevent the use of Yahoo Messenger then the program to include is YPager.exe; if you want to prevent the use of MSN Messenger then the program to include is msmsgs.exe.

Good Luck.
0
 

Expert Comment

by:jibranilyas
ID: 11907987
http://upload.jibranilyas.com/files/activedir.JPG

Check this screenshot please... how come I don't have "Don't run specified windows applications"?
0
 

Expert Comment

by:isaacdoku
ID: 11939522
You are looking at the wrong place in the domain policy. "Don't run specified windows applications" is under the "User Configuration>Administrative Templates>Systems" folder and not "User Configuration>Administrative Templates>Systems>Group Policy".

Alternatively, look into deploying an ISA Server 2000 or, even better, 2004, which can allow you to do much more with regard to blocking programs, websites, instant messaging, etc. from users, computers, groups, etc.

Good luck.
0
 

Expert Comment

by:jibranilyas
ID: 11942069
Yeah, I should have stopped at System... thanks.
0
 

Expert Comment

by:sharmaajay
ID: 12905975
I'm using Windows 2003 Server and I want to block Yahoo Messenger from some selected machines. I used no proxy.
0
 

Expert Comment

by:jibranilyas
ID: 12906762
plz start a new question ... ~EE courtesy
0
 

Expert Comment

by:isaacdoku
ID: 12909515
To block selected computers, create a new OU container within the AD and move the computers into the new OU container, then create a new GPO preventing the execution of Yahoo Messenger and apply the policy to the new OU container containing the group of computers.
0
 
LVL 3

Expert Comment

by:cubemonkey
ID: 12930252
I think the best way to stop any messenger servers is to have your router or proxy send the request to a messenger service (for example login.oscar.aol.com) to a bad private IP address. This will make it so the messenger client will never reach the server and make it stop trying to get there....

0
 

Expert Comment

by:pontypool
ID: 13763763
Won't that mean no computers will get access? He only wants selected computers to not get access, I think.
I already posted my own thread about this http://www.experts-exchange.com/Hardware/Q_21385047.html
0
 
LVL 3

Expert Comment

by:cubemonkey
ID: 13767838
Well, yes, that will block access for all computers on the network. It was never really stated if it was for a single PC, multiple PCs, or a whole network. The only other thing you can try is to see if you can do blocking via IP address or MAC address and then create filters for those PC(s).
0
 
LVL 8

Expert Comment

by:PaperTiger
ID: 13772060
The best way to block all these (not to discipline) is to incorporate either Websense or SurfControl, and at the same time block every port except 80/443. I cannot really imagine why a normal user needs more than just these 2 ports.

You can find out more about them on their websites. They are very similar software and supported by many firewalls. They work as a filter, but based on domain name/IP address. You can set them up to block different categories such as no access to Adults, Sex, or Internet Chat. Those companies are doing all the hunting work and they update their databases very often.

Here's what happens if I try to use Windows Messenger.

time=Wed Apr 13 08:34:35 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=207.46.110.249
protocol=    "http"
url=         "http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://XYZ/dumass"
bytes sent=0 bytes received=0 duration=0


Here's what happens if I try to use webchat on yahoo or msn.

time=Wed Apr 13 08:37:28 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=66.163.172.116
protocol=    "http"
url=         "http://messenger.yahoo.com/"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


time=Wed Apr 13 08:40:08 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=207.46.110.252
protocol=    "http"
url=         "http://webmessenger.msn.com/"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


0
 
LVL 8

Expert Comment

by:PaperTiger
ID: 13772066
Oh, this software keeps a !@@# load of logs too. So, if you want to discipline somebody, just pull up the log.
0
 
LVL 3

Expert Comment

by:cubemonkey
ID: 13776863
That is great, but AIM will still be able to get out on port 80 or 443. So then you will still need to block the AIM messenger.......
0
 
LVL 8

Expert Comment

by:PaperTiger
ID: 13781432
It does not matter because the Websense listens at port 80 or 443.

Please look at the examples I posted. When I use Windows Messenger, it tries to go through port 80 but is blocked by Websense.

Here's what happens if somebody is trying to use Yahoo Messenger. You can see this YM is trying to go through Port 80 just like AIM and WIM, but is not successful.

I don't have AIM so I cannot check, but in principle, my suggestion will block any AIM user too.

time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=68.142.231.252
protocol=    "http"
url=         "http://insider.msg.yahoo.com/ycontent/?&getgp=0&intl=us&os=win&ver=6,0,0,1922"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=68.142.231.252
protocol=    "http"
url=         "http://insider.msg.yahoo.com/ycontent/?&getwc=0&intl=us&os=win&ver=6,0,0,1922"
port=        "80"
category=    98     (INSTANT MESSAGING)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=66.218.71.196
protocol=    "http"
url=         "http://mtab.games.yahoo.com/messenger/prefs"
port=        "80"
category=    14     (GAMES)
disposition= 1035   (BLOCKED WITH PASSWORD OPTION)
app type=    ""
keyword=     ""
user=        "WinNT://xyz/dumass"
bytes sent=0 bytes received=0 duration=0


0
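Beluga's and PaperTiger's comments both rely on pulling evidence out of logs. As an added example (not part of the original thread, and not Websense's own tooling), this parses the record layout shown in the excerpts above and lists which hosts each user requested in the INSTANT MESSAGING category. The function and pattern names are hypothetical, and the sample is abridged from the posted records.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Three records abridged from the log excerpts posted in this thread.
SAMPLE_LOG = """\
time=Wed Apr 13 08:34:35 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=207.46.110.249
url=         "http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com"
category=    98     (INSTANT MESSAGING)
user=        "WinNT://XYZ/dumass"

time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=68.142.231.252
url=         "http://insider.msg.yahoo.com/ycontent/?&getgp=0&intl=us&os=win&ver=6,0,0,1922"
category=    98     (INSTANT MESSAGING)
user=        "WinNT://xyz/dumass"

time=Thu Apr 14 08:31:00 2005      version=3
server=192.168.3.1 source=192.168.3.13 dest=66.218.71.196
url=         "http://mtab.games.yahoo.com/messenger/prefs"
category=    14     (GAMES)
user=        "WinNT://xyz/dumass"
"""

# One pattern per field of interest; each captures the field's value.
PATTERNS = {
    "time": re.compile(r"^time=(.*?)\s+version="),
    "source": re.compile(r"\bsource=(\S+)"),
    "url": re.compile(r'^url=\s*"(.*)"'),
    "category": re.compile(r"^category=\s*\d+\s+\((.*)\)"),
    "user": re.compile(r'^user=\s*"(.*)"'),
}


def parse_records(text):
    """Split the log into records (each starts at 'time=') of field -> value."""
    records = []
    for line in text.splitlines():
        if line.startswith("time="):
            records.append({})
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and records:
                records[-1][key] = match.group(1)
    return records


def im_hits(records, category="INSTANT MESSAGING"):
    """Map (user, source IP) to the sorted hosts requested in the category."""
    # User names are lower-cased because the log shows both XYZ and xyz.
    hits = defaultdict(set)
    for rec in records:
        host = urlsplit(rec.get("url", "")).hostname
        if rec.get("category") == category and host:
            hits[(rec.get("user", "").lower(), rec.get("source"))].add(host)
    return {who: sorted(hosts) for who, hosts in hits.items()}
```

Calling `im_hits(parse_records(SAMPLE_LOG))` groups the two instant-messaging requests under one user despite the differing domain case, and leaves the GAMES record out.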
 
LVL 8

Expert Comment

by:PaperTiger
ID: 13781907
If you do what I suggested:
1. block every port except 80 and 443
2. set up either Websense or SurfControl to block web chat and IM
3. set up either Websense or SurfControl to block proxy servers

The only way a user can get through is to build a Port 80 VPN with his home computer and tunnel through that, but that will be very fancy, and I think if he can do that, you should recruit him to your IT team.
0
 
LVL 3

Expert Comment

by:Beluga
ID: 13793484
Guys (and gals),

Given that an answer to this question was accepted nearly a year ago, and dcanard (author of the question) hasn't posted here since, is he still reading this? Dcanard - do you still need advice, and if so, what?

In all my years on EE, this is the longest lasting *closed* question ever!!
0
 
LVL 8

Expert Comment

by:PaperTiger
ID: 13794674
It was not properly answered before.
0
 

Expert Comment

by:painwarlord
ID: 13924811
Do you want to prevent them running using a gateway, or you can also install an agent on each PC that has the software indicated ...

Thanks

Painkiller
0
 
LVL 8

Expert Comment

by:PaperTiger
ID: 13926279
No, you do neither.

Websense sits on a server within your network (can be in different subnets or even Internet). Your firewall, which is your gateway typically, intercepts every request and before it allows the request to go through, it checks with the Websense server. If the Websense server decides to deny, no traffic will go through.

If you need to know more about the setup, please leave an email address or something that I can contact you at.
0
 

Expert Comment

by:painwarlord
ID: 13934560
You can use the Trustware Antimalware product with the BufferZone, which will prevent anything not in your policy from running on the machine. It's centrally managed, and you can create policies per user and allow or prevent running software. Please be aware that the BufferZone tech allows you to let users run programs without damaging the Windows system by creating a virtual world for these programs, which they will be able to run, however without any possibility of affecting any info or system attributes.

Painkiller
0
 

Expert Comment

by:lardo
ID: 15052650
Actually, netminder, the comments after the question was "closed" helped me find a resolution to a question I have had for a while. It saved me from posting this same question again.

0
 

Expert Comment

by:chrispedersen
ID: 21299853
I suspect with the advent of sites such as Meebo and the propensity of messenger and others to propagate over 80 - that we're fighting a losing battle here.
0
 

Expert Comment

by:aliberman
ID: 21926426
But Meebo can be blocked on a domain by modifying your local DNS server - add meebo.com as a forward lookup zone and they will be redirected to the default site on your domain.
0
