> Giampaolo,
>
> > Ok. I could try to cope with this by retrieving a "valid field" mask along
> > with the response: fields marked "valid" carry values shared by all matches
> > of the query, while the "not valid" ones are left undefined. The actual
> > implementation of the "p0f -0" queries would simply return the latest
> > matching query.
> > Of course, both this and the "common substring" methods offer the neck to
> > some ways to defeat any identification purpose... Another way (which,
> > however, would probably need some "intervention" into the detecting code)
> > could be to retrieve the last entry in cache for which the greatest traffic
> > had been seen. This would probably better identify the source and would
> > require too much effort from a spammer to be defeated.
> > What are your thoughts on this?
>
> Depends on circumstances and on delays between mail reception and the
> time it gets to a content filter. Also depends on time-to-live for
> each cached entry. My decision was guided by saying that when there are
> a couple of varieties of Windows behind a NAT and kept in the p0f cache,
> it suffices to know there is some kind of Windows there and not a
> Solaris for example. If there are both in the cache, it is better
> to avoid making any decisions based on guessing.

Ok. Then I think that the "valid fields" field should work fine. Also, this way one may still get some info (like NAT distance, for example) which would actually be removed by p0f-analyzer.pl in case of inhomogeneous systems behind the NAT, right?

Giampaolo

> Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
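
The "valid field" mask discussed in this thread, sketched as an added example that is not code from either poster, from p0f, or from p0f-analyzer.pl. The field names, the 600-second time-to-live and the sample cache entries are assumptions constructed for illustration.

```python
# Hypothetical fingerprint fields; these are not p0f's actual structures.
FIELDS = ("genre", "detail", "distance", "link")


def query(cache, src_ip, now, ttl=600.0):
    """Merge all live cache entries for src_ip.

    Returns (values, valid), or None when no live entry exists.
    valid[f] is True only when every live entry agrees on field f;
    otherwise values[f] is left undefined (None), so a content filter
    never acts on a guessed value.
    """
    live = [e for e in cache
            if e["src_ip"] == src_ip and now - e["seen_at"] <= ttl]
    if not live:
        return None
    values, valid = {}, {}
    for f in FIELDS:
        seen = {e[f] for e in live}
        valid[f] = len(seen) == 1
        values[f] = seen.pop() if valid[f] else None
    return values, valid


def entry(src_ip, age, genre, detail, distance, link="ethernet/modem"):
    """Build one constructed cache entry seen `age` seconds before NOW."""
    return {"src_ip": src_ip, "seen_at": NOW - age, "genre": genre,
            "detail": detail, "distance": distance, "link": link}


# Constructed sample cache (documentation address ranges).
NOW = 1_000_000.0
CACHE = [
    # Two Windows variants behind one NAT address, plus a stale Solaris entry.
    entry("192.0.2.10", 30, "Windows", "XP SP1+", 12),
    entry("192.0.2.10", 20, "Windows", "2000 SP4", 12),
    entry("192.0.2.10", 5000, "Solaris", "10", 12),
    # Windows and Solaris both live behind another NAT address.
    entry("198.51.100.7", 10, "Windows", "XP SP1+", 9),
    entry("198.51.100.7", 5, "Solaris", "10", 9),
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(ip, query(CACHE, ip, NOW))
```

For the mixed Windows/Solaris address the genre comes back invalid while the NAT distance stays usable, and lengthening the time-to-live makes the first address ambiguous as well.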