 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
Ward Vandewege wrote:
> I've been using passive TCP fingerprinting by means of p0f
> (http://lcamtuf.coredump.cx/p0f.shtml) for quite a while now in my mail
> stream.
Neat. So it looks like p0f sniffs the inbound TCP connections using
libpcap, compares various packet attributes like timestamps, flags, and
MTU to a signature database, and then declares a probable OS and link type.
By default, its findings get written to STDOUT, but you can also log
them along with the packet data.
If you want to use this information in an application (like an MTA or
SMTP proxy), p0f caches information about recent connections in memory,
and provides a UNIX Domain socket interface that accepts queries
specifying a client address and port, and will return the fingerprint
info that matches that client connection.
Another option is to use a firewall that integrates p0f. Available on
OpenBSD, or patches available for Linux netfilter.
> I apply antispam rules that are much more strict when I see the
> machine on the other side of the TCP connection runs Windows.
What are you using to integrate p0f with your MTA?
What specific rules are you using?
> p0f is not perfect but it's pretty good at identifying the OS on the
> other side of the connection.
In a few minutes of testing, the majority of the connections have been
classified as UNKNOWN.
> Doing this has turned out to be very, very effective against spam without
> affecting mail servers that run a serious OS.
>
> In my experience, 95+% of all spam comes from compromised Windows machines
> ('zombies'). Punishing Windows machines that try to deliver mail to your
> servers puts the blame right where it belongs, with that crappy operating
> system.
Makes sense. It seems like a good technique to combine with selective
gray listing. If it is a legit sender that you've incorrectly flagged as
a likely zombie, it'll get unblocked in a few days.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
_______________________________________________
Discuss mailing list
[hidden email]
http://lists.blu.org/mailman/listinfo/discuss
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
