Re: [exim] Use of P0f

Author: Mike Cardwell
Date:  
To: exim users
Subject: Re: [exim] Use of P0f
W B Hacker wrote:

> ACK. The initial test box was so lightly loaded some of the traffic was messages
> I sent it just so I didn't have to wait 20 minutes to capture something...
>
> And *those* were the ones most often missed-out. Given they had traversed under
> 20' of CAT5E @ 100 BT one hop of decent switch fabric, I'm not too fussed.
>
> OTOH, I'm watching P0f from an ssh session, no file-writes or other manipulation
> involved.


I turned my OS logging back on a short while ago. I have an old script
to get some related stats:

========================================================================
root@haven:/etc/exim4/scripts# perl os_stats.pl
Connections: 147

Linux: accept:17, reject:1
Solaris: accept:2, reject:4
Unknown: accept:10, reject:1
Windows: reject:112
========================================================================

"Connections" isn't quite accurate; I don't log the OS until the DATA
phase is reached. The above stats represent how many emails were
accepted/rejected per operating system at the DATA phase.

If you were doing straight greylisting for everything, you would have
delayed:

29 hams
118 spams

If you changed it so that machines ID'd as non-Windows weren't greylisted
you'd have delayed:

10 hams
112 spams

I.e., you delayed only a third of the number of legitimate emails.

As I said before, you can safely reduce the number of greylisted
messages further if you assume that hosts using encryption or the SIZE
extension aren't zombies.

Also, (prompted by a message on exim-dev earlier today), I bet (although
have nothing to back it up), that no zombie software supports the
8BITMIME extension. I.e., if you turn "accept_8bitmime" on in Exim, I bet
no zombie software sends a "mail from" formatted like this:

MAIL FROM:<> BODY=8BITMIME

So in acl_smtp_mail:

condition = ${if match{$smtp_command}{\N BODY=8BITMIME\N}}

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)
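The arithmetic in the message above (how many hams and spams each greylisting policy would have delayed) as an added, stand-alone example. This is not Mike's os_stats.pl and not Exim code; it works from a constructed per-message log whose layout (p0f OS guess, TLS yes/no, verdict at DATA, the MAIL command as received) and whose numbers are made up for the example. It compares the three policies the post sketches: greylist everything, greylist unless p0f positively identified a non-Windows OS (an assumption here is that "Unknown" stays greylisted), and additionally exempt hosts that used TLS, SIZE or BODY=8BITMIME. The MAIL parameter parser treats keywords case-insensitively, as SMTP does.

```python
"""Added example (not from the original post or from Exim): what each
greylisting policy would have delayed, counted from a constructed log."""
import re
from collections import Counter

# Constructed sample log, one record per message that reached DATA.
# Fields: p0f OS guess | tls/notls | verdict at DATA | MAIL command.
# The layout is an assumption for this example, not Exim's own log format.
SAMPLE_LOG = """\
Linux|notls|accept|MAIL FROM:<alice@example.org> SIZE=4821
Linux|tls|accept|MAIL FROM:<bob@example.net>
Linux|notls|reject|MAIL FROM:<spam1@example.invalid>
Solaris|notls|accept|MAIL FROM:<ops@example.com> BODY=8BITMIME
Solaris|notls|reject|MAIL FROM:<spam2@example.invalid>
Unknown|notls|accept|MAIL FROM:<carol@example.org> SIZE=1200 BODY=8BITMIME
Unknown|notls|accept|MAIL FROM:<dave@example.org>
Unknown|notls|reject|MAIL FROM:<spam3@example.invalid>
Windows|notls|reject|MAIL FROM:<spam4@example.invalid>
Windows|notls|reject|MAIL FROM:<spam5@example.invalid>
Windows|notls|reject|MAIL FROM:<spam6@example.invalid>
Windows|notls|reject|MAIL FROM:<spam7@example.invalid>
Windows|notls|accept|MAIL FROM:<eve@example.org> BODY=8BITMIME
"""

MAIL_RE = re.compile(r"^MAIL\s+FROM:\s*<([^>]*)>\s*(.*)$", re.IGNORECASE)


def parse_mail_params(command):
    """Return the ESMTP parameters of a MAIL command as an upper-cased dict.
    SMTP keywords are case-insensitive, so 'body=8bitmime' also counts."""
    m = MAIL_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a MAIL command: {command!r}")
    params = {}
    for token in m.group(2).split():
        key, _, value = token.partition("=")
        params[key.upper()] = value.upper()
    return params


def parse_log(text):
    """Turn the constructed log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        os_guess, tls, verdict, command = line.split("|", 3)
        records.append({
            "os": os_guess,
            "tls": tls == "tls",
            "verdict": verdict,
            "params": parse_mail_params(command),
        })
    return records


KNOWN_NON_WINDOWS = {"Linux", "Solaris"}


def greylist_everything(rec):
    return True


def greylist_unless_known_non_windows(rec):
    # 'Unknown' stays greylisted: only a positive non-Windows ID is trusted.
    return rec["os"] not in KNOWN_NON_WINDOWS


def greylist_unless_non_windows_or_esmtp(rec):
    # As above, but also trust hosts that used TLS, SIZE or 8BITMIME.
    if not greylist_unless_known_non_windows(rec):
        return False
    p = rec["params"]
    uses_extension = rec["tls"] or "SIZE" in p or p.get("BODY") == "8BITMIME"
    return not uses_extension


def delayed_counts(records, policy):
    """(hams_delayed, spams_delayed). A message counts as ham if it was
    accepted at DATA and as spam if rejected there, as in the post's stats."""
    c = Counter(rec["verdict"] for rec in records if policy(rec))
    return c["accept"], c["reject"]


def os_breakdown(records):
    """Per-OS (accept, reject) tallies, in the shape os_stats.pl prints."""
    table = {}
    for rec in records:
        table.setdefault(rec["os"], Counter())[rec["verdict"]] += 1
    return {o: (c["accept"], c["reject"]) for o, c in sorted(table.items())}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for o, (acc, rej) in os_breakdown(recs).items():
        print(f"{o}: accept:{acc}, reject:{rej}")
    for name, policy in [("greylist all", greylist_everything),
                         ("exempt known non-Windows", greylist_unless_known_non_windows),
                         ("also exempt TLS/SIZE/8BITMIME", greylist_unless_non_windows_or_esmtp)]:
        hams, spams = delayed_counts(recs, policy)
        print(f"{name}: delayed {hams} hams, {spams} spams")
```

On the sample data the second policy delays half as many hams as greylisting everything and loses two spams to the exemption, and the third policy delays a single ham while catching the same spams as the second, which is the trade-off the post describes. One caveat when turning the `BODY=8BITMIME` test into an Exim condition: SMTP keywords are case-insensitive but Exim's `match` is not, so a regex against `$smtp_command` wants a `(?i)` prefix if a client sending `body=8bitmime` is to be recognised.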