Re: [exim] exim and p0f - any suggestions?

W odpowiedzi na e-mail od: Chris Lightfoot otrzymany dnia 2006-11-26 20:55 :
> On Sun, Nov 26, 2006 at 07:48:21PM +0100, maciek@??? wrote:
>> I am about use p0f fingerprinting with my exim + amavisd-new + SA
>>
>> I want to use in exim acl external shell or perl script to take distance
>> and OS from p0f, then put with warn X-p0f header in incoming email and
>> with amavisd-new and SA score spam based on that header
>>
>> What do u think about that? Anyone tried this approach? What are
>> disadvantages and pros with that solution?
>
> I had a cursory look at this a few weeks ago. p0f has a
> daemon mode which can be queried over a UNIX socket, which
> would be a little more efficient than invoking a shell
> script (important if your transaction volume is high). I
> imagine that this can be driven with the ${readsocket
> expansion function but I haven't looked in detail. If not
> you'll need to write a little bit of perl.
>
> Propagating the information from p0f downstream to the
> spam filter is obviously the right way to use it, but I'm
> skeptical that it will give you any significant additional
> information.
>

i dont agree with you
if i put some informations from p0f and Dynastop together that will cut
a huge amount of spam from zombies

for example:

dynamic address from: Dynastop +
uptime + OS information + distance to my server from: p0f

can make a small but really useful difference in spamassassin scoring