
Block MSN Messenger with Squid


While instant messaging has changed the way many people communicate, it also creates new problems for network administrators. For various reasons, many companies may choose to block instant messaging communications. Unless an internal messaging service is available, or at the very least a commercial logging mechanism, instant messaging can be a rogue channel for information to flow in and out of your networks.

By far the most popular instant messenger is MSN Messenger (or the native XP client, Windows Messenger). Without an expensive (and unnecessary) gateway appliance such as Microsoft ISA Server or the Barracuda IM Firewall, blocking MSN Messenger can prove to be quite a pain. Blocking the ports MSN uses to transfer data is not enough, as the messenger can tunnel all of its communications over HTTP. Blocking port 80 is obviously not an option. If you try to block based on IP address, you will find yourself blocking not only Messenger but also access to Microsoft's range of Web sites and Windows Update!

Surely there must be an easier way? There is...

I've been looking for a simple and reliable way of blocking MSN Messenger without stopping Windows Update from doing its job. After trying to refine blocking based on both IP address and hostname, I decided that the only reliable way to block it is to filter on the request MIME type and the HTTP gateway URL using Squid. I found a reference to the MIME type application/x-msn-messenger while reading a Microsoft KB article that describes blocking MSN Messenger with ISA Server 2000. Squid can block based on MIME type and request URL using access control lists (ACLs).

If you're already running all of your Web traffic through a Squid proxy server, then updating your configuration to block Messenger is as simple as adding four lines to squid.conf:

acl msnmime req_mime_type ^application/x-msn-messenger
acl msngw url_regex -i gateway.dll
http_access deny msnmime
http_access deny msngw

Don't forget that you will still need to block outgoing connections on port 1863; if you don't do this, then Messenger will connect using its standard TCP port rather than tunnelling via HTTP.
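To make it clear what those four lines actually decide, and why the rest of the article's http_access list still lets Windows Update through, here is an added example (not code from the article or from the Squid project) that re-implements Squid's first-match http_access evaluation over the article's ACLs and runs it against a handful of constructed requests. The hostnames under example.test are placeholders, not real Messenger endpoints; the Windows Update hostname is the one from the article's refresh_pattern lines. The ACL semantics modelled (req_mime_type as a case-sensitive regex over the request Content-Type, url_regex with -i as case-insensitive over the whole URL, and the "opposite of the last rule" default when nothing matches) are Squid's documented behaviour.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str             # HTTP method (CONNECT for tunnels)
    url: str                # full request URL as Squid sees it
    port: int               # destination TCP port of the request
    content_type: str = ""  # Content-Type header the client sent, if any


def req_mime_type(pattern):
    # Squid's req_mime_type: case-sensitive regex over the request Content-Type.
    rx = re.compile(pattern)
    return lambda r: rx.search(r.content_type) is not None


def url_regex(pattern, ignore_case=False):
    # Squid's url_regex: regex over the whole URL; "-i" makes it case-insensitive.
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return lambda r: rx.search(r.url) is not None


def port(*spec):
    # Squid's port ACL: single ports or (low, high) ranges.
    allowed = set()
    for p in spec:
        if isinstance(p, tuple):
            allowed.update(range(p[0], p[1] + 1))
        else:
            allowed.add(p)
    return lambda r: r.port in allowed


def method(name):
    return lambda r: r.method.upper() == name


# ACL definitions taken from the article's squid.conf.
ACLS = {
    "msnmime": req_mime_type(r"^application/x-msn-messenger"),
    "msngw": url_regex(r"gateway.dll", ignore_case=True),
    "Safe_ports": port(80, 21, 443, 563, 70, 210, (1025, 65535), 280, 488, 591, 777),
    "SSL_ports": port(443, 563),
    "CONNECT": method("CONNECT"),
}

# http_access lines in the article's order (manager/localhost lines left out).
# A leading "!" negates a term, exactly as in squid.conf.
HTTP_ACCESS = [
    ("deny", ["msnmime"]),
    ("deny", ["msngw"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
]


def evaluate(request, rules=HTTP_ACCESS, acls=ACLS):
    """First-match evaluation of http_access; returns 'allow' or 'deny'."""
    for action, terms in rules:
        # every term on the line must match; "!" flips the sense of a term
        if all(acls[t.lstrip("!")](request) != t.startswith("!") for t in terms):
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action, which is
    # why the article's config (ending in a deny) lets ordinary traffic through.
    return "allow" if rules[-1][0] == "deny" else "deny"


# Constructed sample requests; example.test hostnames are placeholders.
SAMPLES = {
    "windows_update": Request("GET", "http://au.download.windowsupdate.com/msdownload/update/foo.cab", 80),
    "msn_http_tunnel": Request("POST", "http://msn-gateway.example.test/gateway/gateway.dll?Action=open", 80,
                               content_type="application/x-msn-messenger"),
    "msn_gateway_upper": Request("POST", "http://msn-gateway.example.test/GATEWAY.DLL", 80),
    "msn_connect_1863": Request("CONNECT", "msn.example.test:1863", 1863),
    "https_login": Request("CONNECT", "login.example.test:443", 443),
    "telnet_port": Request("GET", "http://host.example.test:23/", 23),
}


def decide_all(samples=SAMPLES):
    return {name: evaluate(req) for name, req in samples.items()}


def anchored_difference(content_type="application/x-msn-messenger; charset=us-ascii"):
    """The article shows both '^application/x-msn-messenger' and a '$'-anchored form;
    only the unanchored one still matches when a parameter follows the type."""
    loose = req_mime_type(r"^application/x-msn-messenger")
    strict = req_mime_type(r"^application/x-msn-messenger$")
    r = Request("POST", "http://msn-gateway.example.test/gateway/gateway.dll", 80, content_type)
    return loose(r), strict(r)


if __name__ == "__main__":
    for name, verdict in decide_all().items():
        print(f"{name:18} -> {verdict}")
    print("unanchored/anchored match:", anchored_difference())
```

Two things the run makes visible: a CONNECT to port 1863 is denied by the existing CONNECT !SSL_ports line, but a direct TCP connection to 1863 never reaches the proxy at all (the transparent redirect only catches port 80), which is why the pf rule below is still needed; and the msngw ACL catches the tunnel even when the client sends no Content-Type, so the two lines back each other up.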

I didn't have a Squid proxy service running on my OpenBSD gateway so I had to install it. A package can be found in the Packages directory of OpenBSD's FTP/HTTP repositories. Several versions of the Squid package are available -- I chose the transparent build.

Installing an OpenBSD package is simple:

# pkg_add squidpackage.tgz

If there are any missing dependencies then the package manager will tell you; I didn't have any problems with this one.

Now that Squid is installed we need to create a simple config. I prefer to strip out all of the comments so that I can see all of the non-default directives more clearly. I used the following basic config:

http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?
no_cache deny QUERY
cache_mem 64 MB
maximum_object_size_in_memory 32 KB
ipcache_size 2048
cache_dir ufs /var/squid/cache 1024 16 256
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern .        0    20%    4320
refresh_pattern windowsupdate.com/.*\.(cab|dll|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|dll|exe) 4320 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|dll|exe) 4320 100% 43200 reload-into-ims
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443 563    # https, snews
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
acl msnmime req_mime_type ^application/x-msn-messenger$
acl msngw url_regex -i gateway.dll
http_access deny msnmime
http_access deny msngw
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_reply_access allow all
icp_access allow all
visible_hostname squid.mydomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/squid/cache

In order to direct outgoing HTTP traffic via Squid, a few rules need to be added to /etc/pf.conf:

# rdr outgoing www requests to squid proxy
# ($int_if and $ext_if are assumed to be defined as macros earlier in pf.conf;
# translation rules such as rdr must appear before the filter rules)
rdr on $int_if proto tcp from any to any port www -> 127.0.0.1 port 3128
# pass incoming ports for squid proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

# MSN tcp block: refuse outgoing connections to the native Messenger port so the
# client falls back to HTTP, where Squid can see and deny it
block return out on $ext_if proto tcp from any to any port 1863

Then reload the PF rules:

# pfctl -f /etc/pf.conf

If we want Squid to be started automatically at boot then add this to /etc/rc.conf:

if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid';       /usr/local/sbin/squid
fi

The final step before starting Squid is to create the cache folders:

# squid -z

And now launch with:

# squid

Users running through this gateway should now be unable to use MSN Messenger while retaining access to Microsoft Web sites and Windows Update.
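A quick way to confirm the block is doing its job is to read Squid's access.log rather than trust the configuration. This is an added example, not part of the article: it parses lines in Squid's native log format, counts the denied gateway.dll requests per client, and, more importantly, reports any Messenger-looking request the proxy served anyway, which is the symptom of the deny lines being placed after an allow or missing altogether. The log lines are constructed; the example.test hostnames and the 203.0.113.x addresses are placeholders.

```python
import re
from collections import Counter

# Squid native access.log format, one request per line:
# timestamp elapsed client action/status bytes method URL ident hierarchy/peer content-type
LINE_RX = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Same match the article's msngw ACL makes (url_regex -i gateway.dll), with the dot escaped.
MSN_URL_RX = re.compile(r"gateway\.dll", re.IGNORECASE)

# Constructed sample log; hostnames under example.test are placeholders, not real MSN servers.
# The last real line shows a request that should have been denied but was served (a leak).
SAMPLE_LOG = """\
1170000001.120    5 192.168.1.20 TCP_DENIED/403 1482 POST http://msn-gateway.example.test/gateway/gateway.dll?Action=open - NONE/- text/html
1170000002.441  230 192.168.1.20 TCP_MISS/200 51234 GET http://au.download.windowsupdate.com/msdownload/update/foo.cab - DIRECT/203.0.113.10 application/octet-stream
1170000003.002    4 192.168.1.35 TCP_DENIED/403 1482 POST http://msn-gateway.example.test/gateway/gateway.dll?SessionID=1 - NONE/- text/html
1170000004.870   12 192.168.1.35 TCP_HIT/200 8331 GET http://www.example.test/index.html - NONE/- text/html
1170000005.300    3 192.168.1.20 TCP_DENIED/403 1482 POST http://msn-gateway.example.test/gateway/GATEWAY.DLL - NONE/- text/html
1170000006.010   90 192.168.1.50 TCP_MISS/200 2210 POST http://msn-gateway.example.test/gateway/gateway.dll - DIRECT/203.0.113.20 application/x-msn-messenger
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = LINE_RX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def messenger_requests(log_text):
    """All parsed records whose URL matches the gateway.dll pattern."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and MSN_URL_RX.search(rec["url"]):
            out.append(rec)
    return out


def blocked_by_client(log_text):
    """Clients whose Messenger HTTP-tunnel attempts were denied, with counts."""
    hits = Counter(r["client"] for r in messenger_requests(log_text) if r["action"] == "TCP_DENIED")
    return dict(hits)


def leaks(log_text):
    """Messenger-looking requests the proxy served anyway: the deny rules are not in effect."""
    return [(r["client"], r["url"]) for r in messenger_requests(log_text) if r["action"] != "TCP_DENIED"]


if __name__ == "__main__":
    print("denied per client:", blocked_by_client(SAMPLE_LOG))
    for client, url in leaks(SAMPLE_LOG):
        print(f"LEAK: {client} reached {url}")
```

To use it on a live gateway, feed the contents of /var/squid/logs/access.log (or whatever cache_dir-relative path your build uses) in place of SAMPLE_LOG; an empty leaks() list together with non-zero deny counts is the evidence you want before telling users Messenger is blocked.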

Have you found easier alternatives to blocking MSN Messenger?

16 comments
saxenak02

I must say the whole discussion is quite informative. But what I was looking for is a solution that would allow only one MSN login (the company's ID) to work but stop employees from using their personal ones. One of my clients uses Live Messenger for business communication but wants to stop his employees from being able to use it personally. He hasn't got ISA or ASA; they use SBS 2K8. Is it possible to do this with some kind of software etc.?

yman25

Every time you start a conversation using the new version of MSN Messenger, Microsoft shares a portion of the program's advertising revenue with some of the world's most effective organizations dedicated to social causes.

veerdee

In my office port 443 is blocked in order to prevent the use of Skype, but OMG, it also means we can't browse https, Y!M, Gmail and Yahoo Mail. Our IT staff still haven't found any solution to this. The server runs Windows with Kerio firewall v6.21 and no proxy. Can somebody help our IT with how to block Skype but still allow access to Y!M and https URLs? Thanks. i@n (veerdee@gmail.com)

gsrt

Perhaps you can help me. What I want to block using Squid is only the "File Transfer" capability that MSN has, but not the chat capability. I have made some tests but I couldn't achieve this. Is this possible? Thanks in advance. Tonga.

aizudin

How about Yahoo Messenger?

paulr

Thanks for this info, I think I'll be putting it to use soon. The problem with using GPs to block MSN Messenger is it assumes #1 that people won't use aftermarket programs like Trillian, and #2 that all computers are domain members. There's nothing to prevent someone from sitting there with their personal laptop talking away all day. Granted, there's also nothing to prevent them from using their phone for internet access and still leaking corporate data, or even just screwing around and wasting time, but this is still helpful - for security as well as preventing distractions. I know where I am people are encouraged to use their personal computing power whenever they're willing - it's one less thing for the company to pay for. Several people bring in their own laptops frequently. Obviously the only way to control what they do is server-side. At the end of the day though, technology can still only do so much - you can always use VPN technology to connect to an insecure network, or use a terminal program - I myself use Remote Desktop to access my instant messaging computer remotely, as most networks don't block it, especially with it being on a nonstandard port. However, blocking things through traditional methods does help make it obvious they're not tolerated, and makes someone go through more effort to do what they want.

lpalermo

Seems like a lot of work to me. I find it much simpler to apply the local or group policy that prevents MSN Messenger from launching. A user can click on the shortcut all they want and nothing will happen. Even better is not installing it on business network systems in the first place.

cmryan

I'm running XP here and I've removed MSN Messenger completely using a batch file with the following lines:

REM Remove MS Messenger from system startup.
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove

Then I run GAIM as my messaging client as it will allow access to all IM servers. I've never had a problem with Windows Update not working.

Justin Fielding

Yahoo Messenger would seem easier to block using only IP and port blocking. I've successfully blocked access to it with these firewall rules:

table const { 216.155.193.128/27, 216.155.193.160/28, 216.155.193.176/29, 216.155.193.184/30 }
block return-rst in log quick on $ext_if inet proto tcp from { } to any flags S/SA
block return-rst out log quick on $ext_if inet proto tcp from any to { } flags S/SA
block in log quick on $ext_if inet proto udp from { } to any
block out log quick on $ext_if inet proto udp from any to { }

You could also use Squid to block Yahoo Messenger. Just tail the Squid log and see what passes through as you sign in. Adapt the Squid config for MSN Messenger blocking to apply to what you see Yahoo using and bingo, blocked.

Justin Fielding

Do let me know how it works out for you. I've found it works very well for me.

lpalermo

It has to be said that with a properly managed network GP will also prevent users from making unauthorized software installs. To the second point, and as stated in the previous post, this can also be accomplished using local policies, so the system doesn't have to be on a domain, it just has to be managed correctly. I would also think, if the environment is such that users can actually bring in their own laptops and bang away, then 1) there is no requirement for a managed system or 2) the system is in need of management. Not to mention some workplace policies. If the company is encouraging the use of personal computers in the workplace as a cost-saving measure then perhaps they should actually do a cost analysis, as they may find it is costing more in productivity and even support. A well managed network environment can be set up to ensure that users have everything they require to accomplish their daily task requirements without distraction or the ability to jeopardize system security and integrity. I have seen network resources wasted by users downloading music, applications, nude photos, documents/information... all of which is irrelevant to their work. This is what one does on their own time on their own computer, not on company time and resources. Nothing like running out of storage or backup capacity because of someone's music collection or their "How to Restore" your vintage car manuals. This may be harsh but it is a part of effective management and network administration. At the end of the day technology can be managed and users can be prevented from configuring a VPN connection on their workstation without the need of blocking VPN access from the network. What a user can or can't do can be made clearly obvious through effective "Acceptable Usage" policies governing the network, internet and email resources of the workplace. It's also a great way to avoid what can be serious liability issues as well.

jademartin120

This tool will allow you to check your list of deleted users in your MSN Messenger. MSN Delete Checker will import your contact list and fetch deleted friends from this list. You need to enter the correct MSN ID and the correct password of your own MSN ID. This information will not be stored on our server; it will be used to connect to the MSN server. You can also change your password before using this tool, and after using MSN Delete Checker you can restore your password.

The Listed 'G MAN'

You may find GAIM may not contact the MSNM servers if the article is followed. That is the whole point.

tsandy

How do you block MSN using GP? I managed to block it for a few small clients with the Linksys router, but web messenger and such are still accessible. I would like to be able to block it from the server side using GP. I am not running ISA at any of my client sites.

Justin Fielding

Where there is a will to bypass restrictions and sufficient knowledge is held by the users, there will always be a way. However, we need to make every reasonable effort to ensure that policies are enforced, and this is one way. As for using policies; that is one way. The problem is that not everyone runs a Windows domain. Local policies are a potential way of ensuring users can't run Messenger, but as I'm sure you'll know there are numerous problems with software restriction policies and quite a few ways of bypassing them. Blocking network traffic removes the ability of users to bypass whatever policies you have put in place. To stop users accessing other gateways via VPN or using VNC to access a remote computer, you can block all outgoing traffic (making exceptions for approved communications). At the end of the day there is more than one way to skin a cat. Depending on your particular environment one method may be more viable than another.
