Pantek Library

Re: blocking msn messenger

From: Nick Holland <nick(at)holland-consulting.net>
Date: Mon Jan 20 2003 - 21:01:15 EST

John Reuchlin wrote:
>
> Hello;
>
> I've just noticed that msn messenger can now use some sort of http tunnelling in case port 1863 is blocked.
>
> I guess now there is no way to block messenger if we allow outgoing web?
>
> Any ideas/recommendations?
>
> Thanks;

Not really a tech@ topic...

Three ways I can think of...

  1. Filter by destination IP addresses. Takes some experimenting, but works...until servers move.
  2. Set up a logging local DNS resolver, let it be known that 1) MSN Messenger is not permitted. 2) what they do will be logged and monitored. 3) They will be held accountable (and follow through).
  3. Set up a (logging) local DNS resolver, which has delusions about certain domains...and points them to a local authoritative DNS server, which points them at a local web server which displays the office policy page for any 404 errors and for index.html... (I do all this on a single 486/100 with 32M RAM, btw. Doesn't take much). You would probably end up blocking all of msn.com, but no big loss in my opinion.. 8)

The trick: MSN Instant Messenger doesn't hard-code IP addresses in the program (not certain of this, but a safe guess, I would think), they code in names. So, let's say it looks for "im1.msn.com" through "im48.msn.com". You set up your DNS resolver to redirect any queries for those names to your local policy-web server. Or...you say "screw it" and redirect all of msn.com to the local web server.

Bingo, no more MSN-IM.

(and if enough people start doing this, MSN might decide the loss in traffic on msn.com isn't worth letting people use MSN-IM over the objections of IT people. Nail aol.com for me, while you are at it. 8-)

Follow it up with rules to ensure that the only node which can reach other DNS servers is your internal DNS resolver, and you have pretty well locked them out of any site you have a problem with.


Did this at a school, it has worked rather well. I set up a simple script to add new names: "block rotten.com" and everything on rotten.com is suddenly looking like the school's policy page.

Nick.

-- 
http://www.holland-consulting.net
Received on Tue Jan 21 03:32:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:28 EDT
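
The "block rotten.com" helper described in the message above, sketched as an added example (not Nick Holland's script and not part of the original post). It assumes a BIND-style server that includes the generated file from named.conf; the file paths, zone layout and policy-server address 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Added example: "block <domain>" helper for a BIND-style named.conf include.
# Assumptions (not from the post): file paths, zone layout, and the policy
# web server address 192.0.2.10 (documentation range, placeholder).
POLICY_IP="${POLICY_IP:-192.0.2.10}"
BLOCK_CONF="${BLOCK_CONF:-./blocked.conf}"   # included from named.conf
BLOCK_ZONE="${BLOCK_ZONE:-./blocked.zone}"   # one zone file shared by every blocked name

# Shared zone: the apex and every name below it resolve to the policy server.
write_policy_zone() {
    cat > "$BLOCK_ZONE" <<EOF
\$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN NS  localhost.
@   IN A   $POLICY_IP
*   IN A   $POLICY_IP
EOF
}

# Lowercase, strip a trailing dot, and reject anything that is not a plain
# hostname, so quotes, semicolons or newlines never reach the config file.
normalise_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    case $d in ''|*[!a-z0-9.-]*) return 1 ;; esac
    printf '%s\n' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$' || return 1
    printf '%s\n' "$d"
}

# Append one master-zone stanza per blocked domain; safe to run twice.
block_domain() {
    d=$(normalise_domain "$1") || { echo "block: invalid name: $1" >&2; return 2; }
    [ -f "$BLOCK_ZONE" ] || write_policy_zone
    touch "$BLOCK_CONF"
    if grep -Fq "zone \"$d\" " "$BLOCK_CONF"; then
        echo "block: $d already blocked" >&2
        return 0
    fi
    printf 'zone "%s" { type master; file "%s"; };\n' "$d" "$BLOCK_ZONE" >> "$BLOCK_CONF"
}

# Usage: ./block rotten.com   (then reload the name server, e.g. rndc reload)
if [ "$#" -gt 0 ]; then block_domain "$1"; fi
```
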

