How Blockoo Works (Part 2) - Observations, Analysis, and Discussion
This part is a continuation from where I left off…
So right now we know how MSN Messenger talks to the MSN server, and that every contact in your MSN Messenger contact list has four attributes attached to them, namely:
- Reverse List (RL) - Whether this contact has you in his/her contact list.
- Block List (BL) - Whether you are blocking this contact; a blocked contact won’t be able to see you when you’re online.
- Allow List (AL) - Whether you are allowing this contact to see you when you’re online.
- Forward List (FL) - Whether you have this contact in your contact list.
We also know that these attributes are sent when the contact list on your computer is synchronised with the one on the MSN server, as part of the standard MSN protocol, and that they can be checked manually by looking at various locations in MSN Messenger.
If you don’t understand any of these, I suggest that you take a look at How Blockoo Works (Part 1) - How MSN Talks and Contact Lists.
To continue with the analysis, we need to perform some observations when using Blockoo.
Observation 1: You’ll get disconnected
If you have ever tried connecting to MSN on two different computers, you’ll notice that as you connect on the second computer, you’ll get disconnected on the first computer.
The exact same thing happens the moment you give your login details and click “Get List” on Blockoo. This is a very big clue that Blockoo has connected to the MSN network using your account. In order to connect to the MSN network, it has to make use of the standard MSN protocol.
Observation 2: Your own BL is not stored
It is easy to assume that Blockoo stores all the contacts in your block list (BL), and then uses it in reverse when someone you block uses Blockoo.
To illustrate the previous sentence, let’s take a look at this example: A blocks B, thus B is in A’s BL. A uses Blockoo, and Blockoo stores the information that B is in A’s BL. The next time B uses Blockoo, Blockoo reports that A has blocked B.
However, this is clearly not the case. In my Gorilla vs. Yahoo analysis, it was evident that Blockoo managed to detect that Yahoo has blocked Gorilla, despite the fact that Yahoo has never used Blockoo before.
It is clear that whatever method Blockoo uses, it only involves the contact list of the person using Blockoo at that moment.
In other words, whatever result Blockoo churns out has to be obtained from the four attributes that I mentioned earlier.
Observation 3: The source says it all
At this stage, I discovered that Blockoo’s author has released part of their source code.
The source code snippet suggests that the four attributes are indeed being used, but it stops short at that. There is no further information on how the four attributes are being used.
Analysis
With these observations, we can proceed with the analysis.
Out of the four attributes involved (RL, BL, AL, and FL), two of them (BL and AL) are clearly not relevant, because you want to know who blocks you and not who you are blocking. Therefore, we are left only with two attributes to consider: RL (Reverse List), and FL (Forward List).
In the Gorilla vs. Yahoo analysis, I had already mentioned that the contact must not have you on his/her contact list to be detected as “blocking/having deleted” you. Therefore, we can conclude that the first condition is that the RL attribute must be 0, i.e. the person doesn’t have you on his/her contact list.
On the other hand, the person must be in your contact list. This is presumably because if you have deleted the contact, chances are you won’t bother whether he/she is blocking/has deleted you. Therefore, the second condition is the FL attribute must be 1, i.e. you have the contact in your own contact list.
Armed with this information, it is quite straightforward to construct a program to verify that the assumptions are correct.
Using Microsoft Visual C#, I created a quick program to check whether any of your contacts do not have you in their contact lists, using the assumptions that I have mentioned so far. The result is then compared with Blockoo’s. As expected, and as far as I have tested, the results are exactly the same as what Blockoo churns out.
If you’re interested, you can download the program (6 KB), and the source code (15 KB). Please refer to the disclaimer below before downloading any of the files.
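The two conditions above (FL = 1 and RL = 0), as an added Python example that is not the author’s C# program or Blockoo’s code: it decodes the list mask on constructed `LST` sync lines and reports contacts who do not list you back. The bit values (FL=1, AL=2, BL=4, RL=8) and the two line layouts are assumptions taken from public MSNP documentation, and the function names are hypothetical.

```python
from typing import NamedTuple, Optional

# Assumed bit values for the list mask, taken from public MSNP
# documentation (they are not stated on this page).
FL, AL, BL, RL = 1, 2, 4, 8

class Contact(NamedTuple):
    email: str
    lists: int  # bitmask of FL/AL/BL/RL

def parse_lst(line: str) -> Optional[Contact]:
    """Parse one LST line from a contact-list sync; None if not parseable."""
    parts = line.strip().split(" ")
    if len(parts) < 3 or parts[0] != "LST":
        return None
    args = parts[1:]
    if args[0].startswith("N="):
        # Newer layout: key=value fields, then the mask as the first bare token.
        email = args[0][2:]
        mask = next((a for a in args[1:] if "=" not in a), None)
    else:
        # Older layout: LST <email> <nickname> <mask> [groups]
        email = args[0]
        mask = args[2] if len(args) > 2 else None
    if mask is None or not mask.isdigit():
        return None
    return Contact(email, int(mask))

def missing_from_reverse_list(lines):
    """Contacts with FL = 1 and RL = 0; BL and AL are ignored."""
    contacts = filter(None, map(parse_lst, lines))
    return [c.email for c in contacts
            if c.lists & FL and not c.lists & RL]

# Constructed sample sync output (addresses and masks are made up).
SAMPLE = [
    "BLP AL",                                    # not a contact line
    "LST yahoo@example.com Yahoo 3 0",           # FL+AL, no RL
    "LST friend@example.com Friend 11 0",        # FL+AL+RL
    "LST N=stranger@example.com 10",             # AL+RL, not on FL
    "LST N=old@example.com F=Old C=00000000-0000-0000-0000-000000000000 5 1",
    "LST broken@example.com",                    # truncated line
]

if __name__ == "__main__":
    print(missing_from_reverse_list(SAMPLE))
```

A cleared RL bit only says that the contact does not list you; it cannot separate a block from a deletion, which is why the result is worded as “blocking/having deleted”.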
Discussion
Understanding how Blockoo works is essential in deciding whether Blockoo can be trusted. From what I have understood, the method used by Blockoo is no secret; it is exactly the same method used by MSN Messenger when you connect to the MSN network. Anyone with some programming background should be able to replicate the same functionality that Blockoo offers.
Barring the facts that Blockoo used to spam your contacts, and that it serves misleading adult advertisements, the only things that we should be concerned about are the following:
- Is it true that Blockoo doesn’t store your password? Blockoo claims that it doesn’t, but how do we know for sure? There is no way to tell unless you are the author. Even if the author decides to make it open source, how do you know that the code being shown is exactly the same as the one being used?
- Blockoo does store your contact list. Blockoo claims that this is to ensure that the next time you use their service, you will know who has just blocked you since the last time you checked.
- Your password is sent in plain text, which is prone to network sniffers. You do have the option to use the secure version of Blockoo, but how is the connection from Blockoo to MSN made? Is it through another secure connection or normal HTTP (unsecured; i.e. your password is sent as plain text)? Note that the MSN protocol caters for both.
So after considering all these, would you use Blockoo? Do consider and decide for yourself.
Disclaimer
This entire analysis is done purely for educational purposes. As many of the commenters have mentioned, you shouldn’t be too concerned about who is blocking/deleting you. After all, chances are you are not that close to these people anyway. If they were your friends, they wouldn’t be blocking/deleting you.
Nevertheless, I do admit that there are uses of knowing who doesn’t have you in his/her contact list. If you are like me, who easily forgets who some of the people in your contact list are, you may appreciate knowing that the person doesn’t have you in his/her contact list, knowing that you can delete the person safely.
In no way am I related to Blockoo or MSN.
The MSN Contact List Checker program is provided as is. I am not responsible for any damages that it may cause, directly or indirectly, to your PC, yourself, your house, your spouse, your girlfriend/boyfriend, or anything for that matter.
In the program, the connection will be made directly from your computer to the MSN server, and the password will only be sent over SSL (secured channel) to the MSN server for authentication. It will not be sent anywhere else, not to me, nor to my server. This is exactly the same mechanism that MSN Messenger uses to log you on to the network.
If you are worried, you can check the source code and compile it on your own (you will need Microsoft Visual C# 2005 [the Express Edition is free for use] or any compatible compiler).
Update: Oh yes, and you WILL get disconnected from MSN when you use the program. This is because the program has to fetch the contact list, and to do so, it needs to connect to MSN using your account. Unfortunately, there is no known workaround for this.




July 5th, 2007 at 2:33 pm
oh wow… hmm.. i most probably will try it out with ur free program lol… but then again, nt much of a point to do so
July 5th, 2007 at 2:34 pm
Wah… you can write thesis already. Nice analysis.
July 5th, 2007 at 5:56 pm
Haha… That program is primarily for my analysis. But since it’s done, might as well release it also, to prove that I’m not making it up.
July 5th, 2007 at 5:56 pm
Thanks… I wish thesis can be as short as this.
July 5th, 2007 at 6:18 pm
Good job, Sherlock!
July 5th, 2007 at 6:41 pm
LOL, thanks, Watson!
Geez, now I feel like reading Sherlock Holmes stories…
July 7th, 2007 at 4:18 pm
Hey, you do really have nothing else to do? haha, good job dude.
July 10th, 2007 at 10:43 am
Haha, I take that as a compliment, thanks…