Mark Martinec wrote:
The most interesting part in my view is not the IP distance, but the
type of OS, illustrated by the following table (derived from the same
data as fig2):
p0f OS guess      ham   :  spam
-------------------------------
Windows-XP        0.7 % : 99.3 %
Windows-2000      5.8 % : 94.2 %
UNKNOWN          16.5 % : 83.5 %
Linux            58.8 % : 41.2 %
Unix             80.3 % : 19.7 %
(Unix+Linux      66.5 % : 33.5 %)
Only 0.7% of all mail coming from Windows-XP hosts is ham!!!
It is ideal information for contributing two or three score points.
I'm not sure the ham hit rate from the Windows-XP category scales (to
other installations) very well. The last time I looked into using p0f
to fingerprint connecting hosts, last spring, I seem to recall that
Windows XP and Windows 2003 share the same TCP/IP stack and fingerprint
identically.
While it'd be nice to score "Windows-XP" hosts harshly, there's a lot
of mail coming from Windows Server 2003 hosts that would get hit.
I know for some of my systems 1:99 would be really low if Windows Server
2003 and XP are identified the same. 40:60 (and in some cases 80:20)
would be closer to what I often see if I were to assume that all spam
came from Windows XP hosts.
Maybe you don't receive much, if any, mail from Windows Server 2003 hosts?
Daryl
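An added example (written for this page, not code from either poster or from p0f) that tallies ham:spam per p0f OS guess over constructed counts and then folds Windows XP and Windows 2003 into one class, since Daryl reports they fingerprint identically, to show how the per-class share and score shift. The Windows-2003 counts, the merged class label "Windows-NT5", and the log10 spam:ham odds scoring clipped to 3 points are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (p0f OS guess, classifier verdict) pairs. The XP, Linux
# and UNKNOWN counts mirror the percentages quoted in the thread scaled to 1000
# messages each; the Windows-2003 counts are a hypothetical, ham-heavy server.
SAMPLE = (
    [("Windows-XP", "spam")] * 993 + [("Windows-XP", "ham")] * 7
    + [("Windows-2003", "ham")] * 400 + [("Windows-2003", "spam")] * 100
    + [("Linux", "ham")] * 588 + [("Linux", "spam")] * 412
    + [("UNKNOWN", "ham")] * 165 + [("UNKNOWN", "spam")] * 835
)

# p0f cannot separate these two stacks, so a site that receives mail from
# both has to score them as one class (assumed label "Windows-NT5").
SAME_STACK = {"Windows-XP": "Windows-NT5", "Windows-2003": "Windows-NT5"}

def tally(records):
    """Count ham and spam verdicts per OS guess."""
    counts = defaultdict(Counter)
    for os_guess, verdict in records:
        counts[os_guess][verdict] += 1
    return counts

def merge(counts, aliases):
    """Fold OS guesses that fingerprint identically into a single class."""
    merged = defaultdict(Counter)
    for os_guess, c in counts.items():
        merged[aliases.get(os_guess, os_guess)].update(c)
    return merged

def ham_share(counts, os_guess):
    """Fraction of a class's mail that was ham (None if the class is unseen)."""
    c = counts[os_guess]
    total = c["ham"] + c["spam"]
    return c["ham"] / total if total else None

def os_score(counts, os_guess, cap=3.0):
    """Score points from log10 spam:ham odds, add-one smoothed, clipped to +/-cap."""
    c = counts[os_guess]
    odds = (c["spam"] + 1) / (c["ham"] + 1)
    return max(-cap, min(cap, math.log10(odds)))

if __name__ == "__main__":
    raw = tally(SAMPLE)
    for label, table in (("raw", raw), ("merged", merge(raw, SAME_STACK))):
        for os_guess in sorted(table):
            print(f"{label:6} {os_guess:14} ham {ham_share(table, os_guess):6.1%} "
                  f"score {os_score(table, os_guess):+.2f}")
```

With these constructed counts the XP-only class scores about +2.1 points, but the merged XP/2003 class drops to about +0.4, which is the dilution Daryl's 40:60 observation implies.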