Mark Martinec wrote:

The most interesting part in my view is not the IP distance, but the
type of OS, illustrated by the following table (derived from the same
data as fig2):

    p0f OS guess    ham :   spam
    -----------------------------
    Windows-XP    0.7 % : 99.3 %
    Windows-2000  5.8 % : 94.2 %
    UNKNOWN      16.5 % : 83.5 %
    Linux        58.8 % : 41.2 %
    Unix         80.3 % : 19.7 %
    (Unix+Linux  66.5 % : 33.5 %)

Only 0.7% of all mail coming from Windows-XP hosts is ham!!!
It is ideal information to contribute two or three score points.

I'm not sure the ham hit rate from the Windows-XP category scales (to other installations) very well. The last time I looked into using p0f to fingerprint connecting hosts, last spring, I seem to recall that Windows XP and Windows 2003 share the same TCP/IP stack and fingerprint identically.

While it'd be nice to score "Windows-XP" hosts harshly, there's a lot of mail coming from Windows Server 2003 hosts that would get hit.

I know for some of my systems 1:99 would be really low if Windows Server 2003 and XP are identified the same. 40:60 (and in some cases 80:20) would be closer to what I often see if I were to assume that all spam came from Windows XP hosts.

Maybe you don't receive much, if any, mail from Windows Server 2003 hosts?


Daryl
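As an added illustration of the scaling concern raised above (not code from either poster, and not p0f's own output): the script below tallies ham/spam verdicts per p0f OS guess, converts each cell into a capped log-odds score contribution, and then collapses two guesses that share a TCP/IP fingerprint into one category to show how the ham share and the resulting score move. All counts, the "Windows XP"/"Windows 2003" labels and the function names are constructed for this example.

```python
"""Estimate per-OS ham/spam rates from p0f-style guesses and turn them into a
capped score contribution, then show what happens when two OS guesses that
share a TCP/IP fingerprint have to be treated as one category.

All numbers below are constructed for the example; they are not the figures
from the mailing-list table or from any real mail server."""
import math
from collections import Counter, defaultdict

# Constructed sample: (p0f OS guess, filter verdict) pairs, expanded from
# small counts so the example runs offline. The "Windows 2003" rows are what
# a site might see if XP and 2003 were distinguishable; the thread's point is
# that p0f at the time reported both with the same signature.
CONSTRUCTED_OBSERVATIONS = (
    [("Windows XP", "spam")] * 98 + [("Windows XP", "ham")] * 2
    + [("Windows 2003", "spam")] * 60 + [("Windows 2003", "ham")] * 40
    + [("Linux", "spam")] * 41 + [("Linux", "ham")] * 59
    + [("UNKNOWN", "spam")] * 83 + [("UNKNOWN", "ham")] * 17
)


def tally(observations):
    """Count ham and spam verdicts per OS guess."""
    counts = defaultdict(Counter)
    for os_guess, verdict in observations:
        counts[os_guess][verdict] += 1
    return counts


def ham_share(counter):
    """Fraction of messages from this OS guess that were ham (0.0 to 1.0)."""
    total = counter["ham"] + counter["spam"]
    return counter["ham"] / total if total else 0.0


def score_contribution(counter, cap=3.0, prior=1):
    """log10 of the spam:ham odds, with a one-count prior so an empty cell
    never divides by zero, clipped to +/-cap points. Positive = spammier."""
    odds = (counter["spam"] + prior) / (counter["ham"] + prior)
    return max(-cap, min(cap, math.log10(odds)))


def merge_indistinguishable(counts, groups):
    """Collapse OS guesses the fingerprinter cannot separate into one cell.
    groups: {"merged name": ["guess A", "guess B", ...]} (hypothetical API)."""
    merged = defaultdict(Counter)
    absorbed = {g for members in groups.values() for g in members}
    for os_guess, c in counts.items():
        if os_guess not in absorbed:
            merged[os_guess].update(c)
    for name, members in groups.items():
        for m in members:
            merged[name].update(counts.get(m, Counter()))
    return merged


def report(counts):
    """Return {os_guess: (ham_share, score)} ordered by ham share, ascending."""
    rows = {os_: (round(ham_share(c), 3), round(score_contribution(c), 2))
            for os_, c in counts.items()}
    return dict(sorted(rows.items(), key=lambda kv: kv[1][0]))


if __name__ == "__main__":
    separate = tally(CONSTRUCTED_OBSERVATIONS)
    collapsed = merge_indistinguishable(
        separate, {"Windows XP/2003": ["Windows XP", "Windows 2003"]})
    for label, table in (("as if XP and 2003 were distinguishable", separate),
                         ("with XP and 2003 collapsed", collapsed)):
        print(label)
        for os_, (share, pts) in report(table).items():
            print(f"  {os_:18} ham {share:6.1%}  score {pts:+.2f}")
```

With the constructed counts, the "Windows XP" cell alone looks like a 2% ham source worth about +1.5 points, but once it is merged with the 40%-ham "Windows 2003" cell the combined category is 21% ham and the same rule would add only about +0.6, which is the kind of shift a site with a lot of Server 2003 senders would see if it imported a score tuned on someone else's XP-only numbers.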
