Posted to dev@spamassassin.apache.org by Andrzej Adam Filip <an...@xl.wp.pl> on 2006/09/13 16:59:25 UTC

Re: OS fingerprints vs spam [other p0f guesses: distance]

Stuart Johnston <st...@ebby.com> writes:

> Andrzej Adam Filip wrote:
>> Mariusz Kozlowski <m....@tuxland.pl> writes:
>>>         I run some simple tests on OS fingerprinting vs spam
>>> sources. Then Gary Robinson's measures (degree of belief) and token
>>> logic were applied. The results vary from server to server but the
>>> same pattern is seen in many places. You will find more detailed
>>> information here:
>>>
>>> http://aisk.tuxland.pl/os-fp-vs-spam-src.html
>>>
>>> I just thought you could use p0f directly in spamassassin to help
>>> defeat worms and botnets. p0f provides nice query cache interface
>>> so if the cache is big enough you can ask for interesting
>>> connection in every moment of the session or even when it is
>>> already closed. That probably gives you some flexibility here.
>>> [...]
>>
>> [ Because Linux "degree of belief" looks worse than expected (by me)]
>> [ *especially on host "A"* ]
>>
>> Has anybody tried to use other measures provided by p0f?
>> e.g.:
>> 1) distance [number of IP hops]
>
> Here's a graph provided by Mark that compares IP distance to spam score:
> http://www.ijs.si/software/amavisd/fig1.gif
>
> Certainly not as clear a separation as with OS.

At first glance it *may* indicate:
* mostly ham  on distances below 12
* mostly spam on distances above 26
* mixed results in remaining area

-- 
[pl2en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
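As an added illustration of the technique discussed in this thread (not code from p0f, SpamAssassin, or any of the posters), the block below applies Gary Robinson's "degree of belief" to p0f-style observations, treating the guessed OS and a bucketed IP distance as tokens. The distance buckets use the thresholds from the reply above (below 12, above 26) as an assumed reading of the graph; the observation list, the prior strength s and prior belief x are all constructed sample values, not measurements from any server.

```python
"""
Added example: Gary Robinson's degree of belief over p0f-style tokens.
Everything here (observations, thresholds, s and x) is constructed for
illustration and is not data or code from the thread.
"""
from collections import defaultdict


def degree_of_belief(spam_count: int, ham_count: int,
                     s: float = 1.0, x: float = 0.5) -> float:
    """Robinson's f(w) = (s*x + n*p) / (s + n).

    n is the number of times the token was seen, p = spam_count / n is the
    raw spam fraction, s weights the prior and x is the prior belief for an
    unseen token (0.5 assumed here). Because n*p == spam_count, the numerator
    is written with spam_count directly to avoid a pointless division.
    """
    n = spam_count + ham_count
    if n == 0:
        return x
    return (s * x + spam_count) / (s + n)


def distance_bucket(distance: int) -> str:
    """Bucket a p0f distance (IP hops) using the thresholds suggested above.

    These cut-offs are an assumption taken from the reply, not a p0f feature.
    """
    if distance < 12:
        return "dist:low"
    if distance > 26:
        return "dist:high"
    return "dist:mid"


def tokens_for(os_guess: str, distance: int):
    """Turn one p0f observation into the tokens we keep statistics on."""
    yield "os:" + os_guess
    yield distance_bucket(distance)


def build_beliefs(observations, s: float = 1.0, x: float = 0.5) -> dict:
    """Count spam/ham per token and return the degree of belief for each.

    observations: iterable of (os_guess, distance, is_spam) tuples.
    """
    spam = defaultdict(int)
    ham = defaultdict(int)
    for os_guess, distance, is_spam in observations:
        for token in tokens_for(os_guess, distance):
            if is_spam:
                spam[token] += 1
            else:
                ham[token] += 1
    return {token: degree_of_belief(spam[token], ham[token], s, x)
            for token in set(spam) | set(ham)}


# Constructed sample: (p0f OS guess, distance in hops, labelled as spam?)
SAMPLE_OBSERVATIONS = [
    ("Linux", 8, False), ("Linux", 10, False), ("Linux", 15, False),
    ("Linux", 20, True), ("Windows", 30, True), ("Windows", 28, True),
    ("Windows", 27, True), ("Windows", 11, False), ("FreeBSD", 9, False),
    ("Windows", 18, True),
]


def sample_beliefs() -> dict:
    """Degree of belief per token over the constructed sample."""
    return build_beliefs(SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    for token, belief in sorted(sample_beliefs().items()):
        print(f"{token:12s} {belief:.3f}")
```

The prior pulls rarely seen tokens toward x: a token seen once as ham scores 0.25 rather than 0, which is why a single p0f guess does not swing a score the way a raw frequency would. The beliefs are per-token evidence only; combining them into a message score is a separate step (Robinson describes his own combining rule) and is not shown here.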