Re: [exim] OS Fingerprint Email

Author: Kelley Reynolds
To: Exim Mailing List
Subject: Re: [exim] OS Fingerprint Email
On Jun 19, 2006, at 5:44 AM, Ian Eiloart wrote:

>
>
> --On 19 June 2006 10:23:38 +0100 Ian Eiloart <iane@???>
> wrote:
>
>>
>>
>> --On 17 June 2006 19:18:14 -0400 Kelley Reynolds
>> <kelley@???> wrote:
>>
>>> For those of you interested, I've outlined a method for OS
>>> Fingerprinting E-mail using FreeBSD and PF .. the details can be
>>> found
>>> at
>>>
>>> http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting-
>>> Email
>>>
>>
>> Er, that's:
>>
> <http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting-Email>


Oo .. sorry about that. It wrapped in my MUA and I didn't catch it.
Thanks for the correction.

> And, it isn't terribly exciting. The most important fact here is
> that you can't obtain a fingerprint for 70% of incoming mail, and
> most of the rest identifies as from AIX hosts.


Ack .. normally the article gets at least a "good use of glue"
comment even if the information isn't something an Email
Administrator cares about. One thing to explain about the "Unknown"
fingerprints is that there were 4 MXs storing to that database and
only one was fingerprinting. At the time, we didn't store which MX
the mail went through so we couldn't filter on it so I left the data
in. Clearly a mistake if that's a focal point .. maybe I'll revisit
this topic in a future article and see if I can't get some results
more useful.

> Oh, yes Contiki is an operating system <http://www.sics.se/~adam/
> contiki/>


Obviously Contiki is an operating system, that was intended as comic
relief .. apparently not funny.

> One question that the article looks at is whether much of our spam
> comes from "networks of infected zombie Windows machines" but, it
> doesn't seem to look at the question of whether the OS identified
> is that of the originating host, or some ISP router or NAT host. I
> don't know enough about routing to make a guess about that.


All true. The main thing I was concerned about for this *proof of
concept* was whether or not the information would be useful. As
pointed out in the article, if something is statistically valid, it
doesn't really matter what the information is so long as it's
consistent. For example, if the AOL fingerprint and the OS/400
fingerprint are always entirely wrong, it doesn't matter as long as
they are consistent and they send spam 97% of the time.

To answer your other question, if you wanted to determine originating
host IP, you'd have to do more work, but it's still largely possible
(unless completely NATed, but that's not my specialty). Determine
from headers if the mail is from the originating host and if so,
done. If not, get the IP of the originating host and actively
fingerprint it. Of course, that'll eat your resources alive, but it
could be done offline and stored or done after the fact, etc, etc.

Thanks again for correcting the URL.

Kelley Reynolds
President
Inside Systems, Inc.