
BLU Discuss list archive



Re: wine and security? [slightly long]



 Yup!  And Michal Zalewski is the author of p0f :-). I highly encourage 
you to pick up his book.  He works for Google now doing super secret 
squirrel work.  Your idea is a good one.  However, as with any counter 
measure, I have numerous ways of defeating your p0f spam filter.  Most 
people won't care enough though, and you drop the majority of bad 
traffic.  That's good.  You may combine p0f with active network 
manipulation to get even better results, such as withholding certain 
packets for predefined time periods, asking for duplicate ACKs, or 
using obscure TCP options in order to identify the remote network 
stack.  Once you have that in place, it's hard to fuck with you :-P 



On 6/28/08, Ward Vandewege <[hidden email]> wrote: 
> On Sat, Jun 28, 2008 at 11:55:42AM -0400, Kristian Erik Hermansen wrote: 
>> On Sat, Jun 28, 2008 at 6:15 AM, Scott R. Ehrlich <[hidden email]> wrote: 
>> > I ask because some web sites refuse to accept a connection from a 
>> > non-Windows source, and wine has the ability to fool. 
>> 
>> I question your analysis that web servers are able to discriminate 
>> your OS. A trick known for a while, but detailed in Michal Zalewski's 
>> book Silence on the Wire, is to analyze the browser object requests 
>> temporally.  You can fingerprint the remote browser using this method 
>> even if the user thinks he is savvy and alters the AGENT headers. 
>> Combine that with TCP Timestamps, and yes, you can fairly well 
>> determine the OS.  But I don't know of any commercial websites that 
>> would do this... 
> 
> It's easy to do, and it's entirely invisible. 
> 
> I've been using passive TCP fingerprinting by means of p0f 
> (http://lcamtuf.coredump.cx/p0f.shtml) for quite a while now in my mail 
> stream. I apply antispam rules that are much more strict when I see the 
> machine on the other side of the TCP connection runs Windows. p0f is not 
> perfect but it's pretty good at identifying the OS on the other side of the 
> connection. It scales very well - p0f is very lightweight. 
> 
> Doing this has turned out to be very, very effective against spam without 
> affecting mail servers that run a serious OS. 
> 
> In my experience, 95+% of all spam comes from compromised Windows machines 
> ('zombies').  Punishing Windows machines that try to deliver mail to your 
> servers puts the blame right where it belongs, with that crappy operating 
> system. 
> 
> Thanks, 
> Ward. 
> 
> -- 
> Pong.be         -( "In my opinion M$ is a lot better at making money than )- 
> Virtual hosting -(    it is at making good operating systems." -- Linus   )- 
> http://pong.be  -(                        Torvalds                         )- 
> GnuPG public key: http://pgp.mit.edu
> 
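Ward's scheme above (stricter antispam scoring when p0f reports the connecting host as Windows) as an added example that is not code from the thread or from p0f itself. It parses constructed lines written in the one-line style of classic p0f output (the exact field layout is an assumption; adjust the regex for your version) and returns a per-sender spam threshold; the threshold values and the `Verdict` type are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample lines in the style of classic p0f one-line output.
# Addresses are documentation ranges; the layout is an assumption.
SAMPLE_P0F_LINES = [
    "203.0.113.5:49152 - Windows XP SP1+, 2000 SP3 (up: 12 hrs) -> 198.51.100.1:25 (distance 15, link: ethernet/modem)",
    "192.0.2.44:35712 - Linux 2.6 (newer, 2) (up: 400 hrs) -> 198.51.100.1:25 (distance 8, link: ethernet/modem)",
    "203.0.113.77:1025 - UNKNOWN [S4:128:1:48:M1460,N,N,S:.:?:?] -> 198.51.100.1:25 (link: unknown)",
    "192.0.2.9:52001 - FreeBSD 6.x (up: 30 hrs) -> 198.51.100.1:25 (distance 11, link: ethernet/modem)",
]

# source ip:port - OS guess [(up: ...)] -> dst ip:port (...)
P0F_RE = re.compile(
    r"^(?P<ip>[\d.]+):\d+ - (?P<os>.+?) (?:\(up: [^)]*\) )?-> (?P<dst>[\d.]+):(?P<port>\d+)"
)

DEFAULT_THRESHOLD = 5.0  # hypothetical SpamAssassin-style score cut-off
STRICT_THRESHOLD = 2.5   # much stricter cut-off for Windows senders


@dataclass
class Verdict:
    ip: str
    os_family: str
    spam_threshold: float  # a message scoring at or above this is rejected


def classify(os_string: str) -> str:
    """Collapse p0f's free-form OS guess into the families the policy cares about."""
    s = os_string.lower()
    if s.startswith("windows"):
        return "windows"
    if s.startswith("unknown"):
        return "unknown"
    return "other"


def policy_for_line(line: str) -> Optional[Verdict]:
    """Map one p0f line for an SMTP connection to a sender threshold; None if unparsable."""
    m = P0F_RE.match(line)
    if not m or m.group("port") != "25":
        return None
    family = classify(m.group("os"))
    # p0f is not perfect: an unidentified stack keeps the default threshold
    # rather than being punished as if it were Windows.
    threshold = STRICT_THRESHOLD if family == "windows" else DEFAULT_THRESHOLD
    return Verdict(m.group("ip"), family, threshold)


def build_policy(lines: Iterable[str]) -> dict:
    """Return {source ip: Verdict} for every parsable SMTP line."""
    return {v.ip: v for v in map(policy_for_line, lines) if v is not None}
```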


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org