On Fri, Aug 11, 2006 at 09:38:46AM +0100, Peter Corlett wrote:
>
> On 10 Aug 2006, at 22:07, Barry Shein wrote:
> [...]
> >The vector for these has been almost purely Microsoft Windows.
>
> I wonder. From the point of view of a MX host (as opposed to a
> customer-facing smarthost), would TCP fingerprinting to identify the
> OS and apply a weighting to the spam score be a viable technique?

Yes - I had a quickie p0f/sendmail fingerprinting check working here for a while; it was primarily amusing to watch the various versions of Windows scroll by as I watched the zombies attack, but given that the occasional legit mail server runs Exchange, and given that I already knew which hosts were zombies (generic rDNS, sending to traps, using laughably broken heuristics to try to "defeat" my "filters", etc.) it turned out to be somewhat less than useful. Just amusing.

Now that my filters have a scoring mechanism, maybe I'll go back and turn it back on and see how it works. The problem is that I already see enough legit mail hit the quarantine due to being HTML/multipart, suspected of being sent "direct-to-MX" due to Exchange's bizarre habit of not providing an audit trail via Received headers, etc. Knowing that it's a Windows box doing the sending is likely to be more of a reason to treat it more lightly, on the assumption that it's laughably broken but probably mail some employee wants/needs, than the alternative.

IOW, if you're already ugly and smell funny, it doesn't help to know that it's also because your mother wears combat boots.

The biggest problem with email isn't that it doesn't work; the biggest problem with email is that there are so many vendors who simply refuse to implement SMTP properly.

--
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
rambling, amusements, edifications and suchlike: http://interrupt-driven.com/