Re: [exim] Use of P0f

Phil Pennock wrote:
> On 2009-05-13 at 23:16 +0800, W B Hacker wrote:
>> In another thread covering greylisting, Mike Cardwell posted that greylisting
>> could be skipped when (among other entries):
>>
>>> 2.) If P0F detects the connecting host to be non-Windows (Used P0F for this)
>> Which sounded interesting, so....
>>
>> Using p0f with the barest of directives:
>
> An alternative which I've been using since 2008-04-27 is to use the pf
> packet filter (I run FreeBSD) to detect the OS and redirect connections
> from Windows to port 26 and have Exim use local port stuff in exim.conf.
> More lightweight than Perl (which is somewhat more heavyweight than
> dnsdb).

*snip* (implementation details, et al)

> Looking in my Spam folder (stuff which gets past RBLs), 28% of the mails
> therein have the X-Filter-BadOS: header.
>
> Regards,
> -Phil
>

If it gets that far, a string-match on the almost (but not quite) ubiquitous
'maker's name' of that particular 'BadOS' in headers will find them with the
least coding.

I once supported an account that rejected traffic on that basis - spam or
otherwise - on the grounds that anyone who had chosen that OS could not possibly
have anything of relevance to convey to that addressee. Think 'ABM' interest
team, and one supremely disinterested in arguing with the hag-ridden.

Can't claim it is necessarily lighter overall at doing that, but at least needs
neither perl nor packet handling externals.

But p0f has turned up something I had not expected - port 25 entirely aside,
nearly 80% of the break-in attempts are coming off Linux boxen and mostly to
port 22, very few from WinBoxen - on any port.

Looks to me as if Linux has indeed won 'market share' - but not where we might
have most wished it to have appeared....

:-(

Bill