Re: [exim] OS Fingerprint Email

Author: Ian Eiloart
Date:  
To: Kelley Reynolds, Exim Mailing List
Subject: Re: [exim] OS Fingerprint Email


--On 19 June 2006 08:44:29 -0400 Kelley Reynolds <kelley@???>
wrote:

> On Jun 19, 2006, at 5:44 AM, Ian Eiloart wrote:
>
>>
>>
>> --On 19 June 2006 10:23:38 +0100 Ian Eiloart <iane@???>
>> wrote:
>>
>>>
>>>
>>> --On 17 June 2006 19:18:14 -0400 Kelley Reynolds
>>> <kelley@???> wrote:
>>>
>>>> For those of you interested, I've outlined a method for OS
>>>> Fingerprinting E-mail using FreeBSD and PF .. the details can be
>>>> found
>>>> at
>>>>
>>>> http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting-
>>>> Email
>>>>
>>>
>>> Er, that's:
>>>
>> <http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting-Email>
>
> Oo .. sorry about that. It wrapped in my MUA and I didn't catch it.
> Thanks for the correction.
>
>> And, it isn't terribly exciting. The most important fact here is
>> that you can't obtain a fingerprint for 70% of incoming mail, and
>> most of the rest identifies as from AIX hosts.
>
> Ack .. normally the article gets at least a "good use of glue" comment
> even if the information isn't something an Email Administrator cares
> about. One thing to explain about the "Unknown" fingerprints is that
> there were 4 MXs storing to that database and only one was
> fingerprinting. At the time, we didn't store which MX the mail went
> through so we couldn't filter on it so I left the data in. Clearly a
> mistake if that's a focal point .. maybe I'll revisit this topic in a
> future article and see if I can't get some results more useful.


OK, so does that suggest that you actually get a fingerprint every time?
Then the technique might be more useful. I'm still worried by the fact that
70-80% of the fingerprints say "AIX".

>> Oh, yes Contiki is an operating system <http://www.sics.se/~adam/
>> contiki/>
>
> Obviously Contiki is an operating system, that was intended as comic
> relief .. apparently not funny.
>
>> One question that the article looks at is whether much of our spam
>> comes from "networks of infected zombie Windows machines" but, it
>> doesn't seem to look at the question of whether the OS identified
>> is that of the originating host, or some ISP router or NAT host. I
>> don't know enough about routing to make a guess about that.
>
> All true. The main thing I was concerned about for this *proof of
> concept* was whether or not the information would be useful. As pointed
> out in the article, if something is statistically valid, it doesn't
> really matter what the information is so long as it's consistent. For
> example, if the AOL fingerprint and the OS/400 fingerprint are always
> entirely wrong, it doesn't matter as long as they are consistent and
> they send spam 97% of the time.
>
> To answer your other question, if you wanted to determine originating
> host IP, you'd have to do more work, but it's still largely possible
> (unless completely NATed, but that's not my specialty). Determine from
> headers if the mail is from the originating host and if so, done. If
> not, get the IP of the originating host and actively fingerprint it. Of
> course, that'll eat your resources alive, but it could be done offline
> and stored or done after the fact, etc, etc.
>
> Thanks again for correcting the URL.
>
> Kelley Reynolds
> President
> Inside Systems, Inc.
>
>
--
Ian Eiloart
IT Services, University of Sussex
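As an added illustration of the question raised in this thread (whether the host pf fingerprints on the MX is the originating host or just a relay or NAT box), the following Python script is not from the thread or the linked article. It walks the Received chain of a constructed sample message; the hostnames and addresses are made up, and it assumes the topmost Received line is the one written by our own MX.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample message: it reached our MX via an ISP relay, so a
# passive fingerprint taken by pf on the MX describes the relay, not the origin.
SAMPLE_HEADERS = [
    "Received: from relay.isp.example (relay.isp.example [203.0.113.10])"
    " by mx.example.net with esmtp; Mon, 19 Jun 2006 08:44:29 -0400",
    "Received: from workstation (cust-7.isp.example [198.51.100.7])"
    " by relay.isp.example with esmtp; Mon, 19 Jun 2006 08:44:10 -0400",
    "From: sender@isp.example",
]

# Bracketed address in the "from ... [a.b.c.d]" clause of a Received header.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918 ranges: an originator in one of these sat behind NAT, so the
# fingerprinted/connecting address cannot be the originating host itself.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def received_ips(headers: List[str]) -> List[Optional[str]]:
    """Source IP of each Received header, topmost (our MX) first.

    Only the topmost line was written by our own MX and can be trusted; the
    rest were supplied by the sending side and may be incomplete or forged.
    """
    ips: List[Optional[str]] = []
    for h in headers:
        if not h.lower().startswith("received:"):
            continue
        m = IP_RE.search(h)
        ips.append(m.group(1) if m else None)
    return ips


def classify(headers: List[str]) -> Dict[str, object]:
    """Decide whether the fingerprinted (connecting) host is the originator."""
    ips = received_ips(headers)
    if not ips:
        raise ValueError("no Received headers")
    originating = next((ip for ip in reversed(ips) if ip), None)
    return {
        "connecting": ips[0],
        "originating": originating,
        # One hop only: our MX talked to the originator directly.
        "fingerprint_is_origin": len(ips) == 1,
        "origin_behind_nat": originating is not None and is_rfc1918(originating),
    }


if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS))
```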