Wolfgang, Loren,
> > real mail servers (those that deliver the ham part of mail) rarely ever
> > run XP but that this OS is the best candidate for creating a spam zombie

> Not completely unreasonable.  XP is targeted within MS as a personal or
> very small company OS.  The equivalent of a linux/unix system used by more
> than a single person would typically be some version of Server 2003.  Which
> was probably identified in the stats as Windows 2000.
>
> I'd like to venture the suggestion that the percentage of spam from XP
> isn't necessarily an indication of inherent bugginess.  It is more an
> indication that it is an OS for Clueless Noobs who haven't a clue about
> maintaining a system, avoiding a virus, or even being able to tell if they
> have a virus.  These are the machines that turn into zombies.

I fully agree.

In this view the following two lines should be seen as well:

    p0f OS guess     ham  :  spam
    Linux           58.8 % : 41.2 %
    Unix            80.3 % : 19.7 %

Linux is used by the masses (compared to other Unix OS types) because it is
considered to be easier to set up. Eventually this also means that less care
is invested in preventing it from being used to propagate spam.

Still, a "score  L_P0F_Unix  -1.0" seems to be doing a good job here.


Daryl,
> I'm not sure the ham hit rate from the Windows-XP category scales (to
> other installations) very well.  The last time I looked into using p0f
> to fingerprint connecting hosts, last spring, I seem to recall that
> Windows XP and Windows 2003 share the same TCP/IP stack and fingerprint
> identically.
>
> While it'd be nice to score "Windows-XP" hosts harshly, there's a lot
> of mail coming from Windows Server 2003 hosts that would get hit.

There is indeed a handful of valid small sites classified by p0f as Windows XP
from which we do receive regular mail (well, newsletters and such, but still,
it should be treated mostly as ham). I don't see adding a few score points to
them as much different from other (some quite arbitrary) rules - each rule tries
to have a low FP rate, but it often is not zero. Only a collection of all rules
has merit.

> I know for some of my systems 1:99 would be really low if Windows Server
> 2003 and XP are identified the same.  40:60 (and in some cases 80:20)
> would be closer to what I often see if I were to assume that all spam
> came from Windows XP hosts.
> Maybe you don't receive much, if any, mail from Windows Server 2003 hosts?

I guess Windows Server 2003 is reported as Windows 2000, but I don't know.
Certainly a couple of very large sites are seen as Windows 2000.

In the UNKNOWN category there must be a mix of Windows and Unix hosts,
not sure what is unusual about them.

  Mark
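An added example, not part of this thread nor of SpamAssassin or p0f, showing how per-OS ham/spam counts from p0f guesses turn into a clipped rule score, and how merging XP with Server 2003 (which Daryl says fingerprint identically) moves the ham hit rate from about 1:99 towards 40:60. All counts below are constructed, with the Linux and Unix rows mirroring the percentages quoted above.

```python
import math

# Constructed sample counts per p0f OS guess (illustrative, not the thread's data).
COUNTS = {
    "Windows XP":   {"ham": 10,  "spam": 990},   # ~1:99, the view from one site
    "Windows 2003": {"ham": 800, "spam": 200},   # legitimate servers, ham-heavy
    "Linux":        {"ham": 588, "spam": 412},   # 58.8 % : 41.2 %
    "Unix":         {"ham": 803, "spam": 197},   # 80.3 % : 19.7 %
}

def merge(counts, *names):
    """Sum the rows for OS guesses p0f cannot tell apart (shared TCP/IP stack)."""
    return {k: sum(counts[n][k] for n in names) for k in ("ham", "spam")}

def spam_logit(ham, spam, prior=1.0):
    """Smoothed log-odds that a message from this OS guess is spam."""
    p = (spam + prior) / (ham + spam + 2 * prior)
    return math.log(p / (1.0 - p))

def os_score(ham, spam, max_abs=1.0):
    """SpamAssassin-style score: positive pushes toward spam, negative toward
    ham, clipped so one fingerprint rule can never decide a message alone."""
    return round(max(-max_abs, min(max_abs, spam_logit(ham, spam))), 2)

def ham_hit_rate(ham, spam):
    """Fraction of traffic from this OS guess that is ham, i.e. the
    false-positive exposure of a rule adding spam points to all of it."""
    return ham / (ham + spam)

def score_table(counts, max_abs=1.0):
    """Map every OS guess to its clipped score."""
    return {n: os_score(c["ham"], c["spam"], max_abs) for n, c in counts.items()}

if __name__ == "__main__":
    for name, s in score_table(COUNTS).items():
        print(f"score L_P0F_{name.replace(' ', '_')} {s:+.1f}")
    xp = COUNTS["Windows XP"]
    both = merge(COUNTS, "Windows XP", "Windows 2003")
    print("XP alone:     ham hit rate %.1f%%, score %+.2f"
          % (100 * ham_hit_rate(**xp), os_score(**xp)))
    print("XP + 2003:    ham hit rate %.1f%%, score %+.2f"
          % (100 * ham_hit_rate(**both), os_score(**both)))
```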
