AOL is taking aggressive steps to combat spam and close a security loophole by turning off a Microsoft Windows feature that it says spammers are exploiting to display pop-up messages on users' desktops.

The service provider used an update of its software to disable the Windows feature without the knowledge or consent of AOL subscribers, raising questions about the ethics of the change. The feature in question, known as Windows Messenger Service, enables network administrators or network devices to display messages on users' desktops but has few applications for home users, according to Boston-based independent security expert Richard Smith.

Text commands entered from a command prompt allow users to create a pop-up window containing messages that will appear on other users' desktops if they're connected over a home network, corporate network or the internet, Smith said. Spammers discovered the feature a year ago and immediately began using it to barrage unsuspecting users with pop-up messages containing solicitations, he said.

Using Windows Messenger Service has advantages for spammers over email. The spammer's message appears on top of the desktop, without requiring any user action to display it. Even more important, spammers do not need to know any email addresses to get their message out to Windows users, just the IP (internet protocol) addresses of Windows machines, Smith said.

AOL call centres began receiving a large number of complaints from users about the pop-up message problem last year, soon after spammers discovered it, said AOL spokesman Andrew Weinstein.

"Users were calling us and saying that they didn't know why they were getting them and that there was no way of getting away from them," he said of the messages.

An AOL feature for blocking pop-up website advertisements did not stop the Windows Messenger Service pop-ups either, because the Messenger Service pop-ups relied on a different underlying technology, he said.

The company was also swayed in its decision to block the Windows Messenger Service by a recent critical security bulletin from Microsoft concerning a buffer overrun vulnerability in the Windows Messenger Service that could enable a remote attacker to take control of a vulnerable Windows system, Weinstein said.

AOL began shutting off the feature for customers using Windows NT, 2000 and XP on a rolling basis two weeks ago. The company checks users' machines when they log on to AOL's network to see if Windows Messenger Service is enabled. If the feature is on, AOL disables it, Weinstein said.

So far, 15 million AOL subscribers have had the feature disabled, and AOL is planning to make the change on about five million more AOL subscriber machines in the coming weeks. Weinstein did not have a timetable for the remaining changes.

Related links: