Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/09/13 15:34:40 UTC

Re: OS fingerprints vs spam

Andrzej Adam Filip writes:
> Mariusz Kozlowski <m....@tuxland.pl> writes:
> > I ran some simple tests on OS fingerprinting vs spam sources. Then
> > Gary Robinson's measures (degree of belief) and token logic were
> > applied. The results vary from server to server but the same pattern
> > is seen in many places. You will find more detailed information here:
> >
> > http://aisk.tuxland.pl/os-fp-vs-spam-src.html
> >
> > I just thought you could use p0f directly in spamassassin to help
> > defeat worms and botnets. p0f provides a nice query cache interface, so
> > if the cache is big enough you can ask about an interesting connection at
> > any moment of the session, or even when it is already closed. That
> > probably gives you some flexibility here.
> 
> IMHO the best way would be to make MTA add special "p0f header".
> 
>   X-p0f-_hostname_: _p0f_test_result_
> 
> AFAIK it would allow spamassassin to use the data in Bayes and in
> special tests.

Yep, that's correct!

> Making spamassassin access p0f cache directly makes (IMHO) sense only if
> spamassassin is deployed *during* SMTP session.

Yep -- that often isn't the case, and headers provide a good way
to record metadata for later analysis by SpamAssassin.

> > Anyway ... if you think it's useless then sorry for the noise ;-)
> 
> IMHO it is interesting (even if "mostly as expected") and worth being
> *tested* in practice :-)

The use of Robinson's work is a good idea.  It's certainly not
useless, it's pretty interesting data.

If I recall correctly, Mark Martinec investigated OS fingerprinting
too, recently...

> BTW it would be interesting to check the correlation of p0f test results
> with dynamic_ip/generic_ip tests.
> 
> URL(s):
> * http://lcamtuf.coredump.cx/p0f.shtml
>   p0f site
>   [ p0f is available as debian package ]

--j.
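
One way the "p0f header" idea above could be consumed on the SpamAssassin side, as an added illustration that is not from this thread, amavisd-new or the p0f project: a local.cf fragment with header rules and a meta rule. The header name (including the hostname part), the p0f label strings, the rule names, the scores and the RDNS_DYNAMIC rule it combines with are all assumptions; check the p0f output your own MTA actually writes before scoring on it.

```conf
# Added example local.cf fragment (assumptions, not real rules from the thread).
# Assumes the MTA stamps each message with a header in the form proposed above,
# for the receiving host mx1.example.com (hypothetical):
#   X-p0f-mx1.example.com: Windows XP/2000 (RFC1323+, w+, tstamp-)
# Because the header name embeds the hostname, each MX needs its own rule, or the
# MTA should use one fixed header name instead.
#
# The MTA must also strip or rename any X-p0f-* header that arrives from outside,
# otherwise a sender can supply its own "fingerprint" and game these rules.

# Low-weight OS rules: the OS alone is weak evidence (most desktops run Windows),
# so keep scores small and let Bayes and the meta rule below do the real work.
header   P0F_WINDOWS   X-p0f-mx1.example.com =~ /^Windows/i
describe P0F_WINDOWS   p0f reports the sending host runs Windows
score    P0F_WINDOWS   0.3

header   P0F_LINUX     X-p0f-mx1.example.com =~ /^Linux/i
describe P0F_LINUX     p0f reports the sending host runs Linux
score    P0F_LINUX     -0.1

header   P0F_UNKNOWN   X-p0f-mx1.example.com =~ /^UNKNOWN/i
describe P0F_UNKNOWN   p0f could not fingerprint the sending host
score    P0F_UNKNOWN   0.1

# Correlation with dynamic-IP tests, as suggested in the thread: a Windows
# desktop on a dynamic address talking SMTP directly is the typical bot profile.
# RDNS_DYNAMIC is assumed to exist in the installed rule set; substitute the
# dynamic/generic-rDNS rule your SpamAssassin version ships.
meta     P0F_WIN_DYNAMIC   (P0F_WINDOWS && RDNS_DYNAMIC)
describe P0F_WIN_DYNAMIC   Windows host on a dynamic address delivering directly
score    P0F_WIN_DYNAMIC   1.5
```

Run `spamassassin --lint` after adding the fragment, and mass-check the new rules against ham and spam corpora before trusting any score above the placeholder values used here.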

Re: OS fingerprints vs spam

Posted by Stuart Johnston <st...@ebby.com>.
Justin Mason wrote:
> Andrzej Adam Filip writes:
>> Mariusz Kozlowski <m....@tuxland.pl> writes:
>>> I ran some simple tests on OS fingerprinting vs spam sources. Then
>>> Gary Robinson's measures (degree of belief) and token logic were
>>> applied. The results vary from server to server but the same pattern
>>> is seen in many places. You will find more detailed information here:
>>>
>>> http://aisk.tuxland.pl/os-fp-vs-spam-src.html
>>>
>>> I just thought you could use p0f directly in spamassassin to help
>>> defeat worms and botnets. p0f provides a nice query cache interface, so
>>> if the cache is big enough you can ask about an interesting connection at
>>> any moment of the session, or even when it is already closed. That
>>> probably gives you some flexibility here.
>> IMHO the best way would be to make MTA add special "p0f header".
>>
>>   X-p0f-_hostname_: _p0f_test_result_
>>
>> AFAIK it would allow spamassassin to use the data in Bayes and in
>> special tests.
> 
> Yep, that's correct!
> 
>> Making spamassassin access p0f cache directly makes (IMHO) sense only if
>> spamassassin is deployed *during* SMTP session.
> 
> Yep -- that often isn't the case, and headers provide a good way
> to record metadata for later analysis by SpamAssassin.
> 
>>> Anyway ... if you think it's useless then sorry for the noise ;-)
>> IMHO it is interesting (even if "mostly as expected") and worth being
>> *tested* in practice :-)
> 
> The use of Robinson's work is a good idea.  It's certainly not
> useless, it's pretty interesting data.
> 
> If I recall correctly, Mark Martinec investigated OS fingerprinting
> too, recently...

Yes, recent versions of amavisd-new support p0f and can add headers for SA to process.
Unfortunately, I was unable to get p0f to work behind my firewall so I don't have any direct experience.