The feature, known as the messenger service, typically lets a network administrator send warnings to users when, for example, a server is scheduled to go down for maintenance. Now some advertisers are using it to send bulk messages to anyone connected to the Internet with an accessible address.
"Spammers are blindly sending their advertisements by randomly picking a series of Internet addresses," said Charmaine Gravning, product manager for Windows at Microsoft. "On computers without a firewall, a little messenger window pops up."
The messenger feature, not to be confused with Microsoft's instant messaging applications, can use many different protocols to send a single message, according to Microsoft. The intrusive messages only appear on computers running Windows 95, 98, NT, 2000 and XP and that are directly connected to the Internet via a valid address; Windows systems behind a firewall or attached to a router that links multiple computers to a single Internet address will be unaffected.
"The feature can be used to notify a user when a printer job fails," said Lawrence Baldwin, president of myNetWatchman.com, a company that monitors incidents on the Internet through a network of sensors set up by volunteers. "It was never the intention to let someone halfway across the world send messages that pop up on your screen."
Free utilities that enable people to exchange messages with each other using the messenger service have been available on the Internet for a while, but one enterprising company has recently started selling such software.
DirectAdvertiser.com, a U.S.-based firm registered in Romania, has created an application that lets users send advertisements via the messenger channel to anyone whose computer is set up to receive messenger-service notes. The program costs $700 and has, in two months, already sold more than 200 copies, company founder Zoltan Kovacs said in an interview.
"You always get some people who don't like the product," Kovacs said, referring to the moderate amount of critical mail he has received. "But many more are interested in the product."
Kovacs stressed in the interview and on his Web site that the application is not for sending spam. However, a testimonial on the Web site says, "If you've been a bulk e-mailer like myself, you owe it to yourself to try DirectAdvertiser."
In fact, DirectAdvertiser may be the reason more security experts have become aware of the abuse of the Windows messenger service. Students at James Madison University, for example, reported that the technique has been used to cause an ad selling university diplomas to pop up on their computer screens, according to Wired News, which first reported the abuses. Based on interviews with users of the software, MyNetWatchman.com's Baldwin estimates that spammers can send more than 100,000 messages in an hour.
"This is just going to be a whole other delivery vehicle for spam," Baldwin said, adding that the fact the service is turned on by default is another indication that Windows security has a way to go. "But welcome to Microsoft," he said.
Since a January memo sent by Microsoft chairman Bill Gates turned the company's focus to security, the software giant has been turning off unneeded services that could compromise security. While Microsoft's Gravning stressed that the firewall that ships with Windows XP disables the messenger service by default, she admitted that turning the messenger on in default installations is mainly a matter of convenience.
"Is this something that we should look at?" Gravning said. "I think that is a good question, and (I) will find out if there is a reason that we have it turned on."