Re: [exim] Zombie detection

Author: Mike Cardwell
Date:  
To: Exim Users List
Subject: Re: [exim] Zombie detection
W B Hacker wrote:

>> BTW, if a win-zombie is behind a NAT in a DSL-modem (with embedded
>> Linux inside), what p0f shows?


I meant to reply to this, but I forgot. p0f should still detect Windows
in that case for most NAT devices, except for odd cases where those NAT
devices somehow mangle the packets they're forwarding.

http://www.stearns.org/p0f/README

"Bypassing a firewall - p0f can "see thru" most NAT devices, packet
firewalls, etc."

> The default will (usually) detect the NAT'ing - and display it, even tries to
> tell if it is in ITE (ex: ethernet modem) or separate (just 'NAT') along with
> hop-count as 'distance':
>
> (all ports...)
>
> 93.80.234.42:3378 - Windows 2000 SP4, XP SP1+
>    -> 203.194.153.81:25 (distance 21, link: (Google/AOL))
> 123.239.24.34:2574 - Windows 2000 SP2+, XP SP1+ (seldom 98)
>    -> 203.194.153.81:25 (distance 16, link: ethernet/modem)
>
> More than good enough for my needs, though I am still puzzled that it fails to
> detect all connections.


It doesn't provide results for me for around 8% of the connections. I'm
not sure if that's because it doesn't detect the connection, or if it
simply doesn't have a matching signature:

Connections: 6716
FreeBSD: accept:5, reject:9
Linux: accept:318, reject:139
MacOS: accept:2, reject:19
NetBSD: reject:2
Novell: reject:1
Solaris: accept:36, reject:147
Unknown: accept:475, reject:107
Windows: accept:30, reject:5426

There doesn't seem to be a strong correlation between the OS and the
spamminess of the message, apart from when Windows is the connecting OS.
Only 1 in 180 emails from a Windows host was accepted by my email system.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)
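The accept/reject-per-OS table above is the kind of thing you get by joining p0f's per-connection output against the mail server's own log by client address. The script below is an added example, not code from the post or from the p0f or Exim projects. It assumes the two-line p0f v2 output format quoted in the thread ("SRC:PORT - OS label" followed by "-> DST:PORT (distance N, link: X)") and Exim's mainlog conventions (a "<=" line for an accepted message, the word "rejected" for a rejection, the client address in square brackets). Both input samples are constructed for the example, using addresses from the thread plus TEST-NET-2 (198.51.100.0/24) addresses; the "UNKNOWN [...]" label for an unmatched signature is how p0f v2 reports it, but treat that mapping as an assumption. It separates connections p0f labelled "Unknown" from connections p0f never reported at all, which is the distinction the post says it could not make.

```python
"""Correlate p0f OS guesses with Exim accept/reject outcomes by client IP.

Added example (not from the original post). Assumes p0f v2's two-line
output format and Exim's mainlog format; the sample logs are constructed.
"""
import re
from collections import defaultdict

# p0f v2: "SRC:PORT - OS label" then "   -> DST:PORT (distance N, link: X)"
P0F_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ - (?P<os>.+?)\s*$")
P0F_DETAIL_RE = re.compile(
    r"^\s*-> \S+ \(distance (?P<dist>\d+), link: (?P<link>.+)\)")
# Exim mainlog: the client address appears as "[a.b.c.d]" on both
# "<=" (message accepted) and "rejected ..." lines.
EXIM_IP_RE = re.compile(r"\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]")

# Families used in the thread's table; anything else is bucketed as Unknown.
OS_FAMILIES = ("FreeBSD", "Linux", "MacOS", "NetBSD", "Novell", "Solaris", "Windows")


def os_family(label):
    """Collapse 'Windows 2000 SP4, XP SP1+' to 'Windows'. A p0f
    'UNKNOWN [sig]' label (assumed format) falls through to 'Unknown'."""
    for fam in OS_FAMILIES:
        if label.startswith(fam):
            return fam
    return "Unknown"


def parse_p0f(text):
    """Return {client_ip: (family, distance)}; the last sighting of an IP wins."""
    seen = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = P0F_RE.match(lines[i])
        if m:
            dist = None
            if i + 1 < len(lines):
                d = P0F_DETAIL_RE.match(lines[i + 1])
                if d:
                    dist = int(d.group("dist"))
                    i += 1  # consume the "->" detail line
            seen[m.group("ip")] = (os_family(m.group("os")), dist)
        i += 1
    return seen


def parse_exim(text):
    """Return [(client_ip, 'accept'|'reject'), ...] from Exim mainlog lines."""
    out = []
    for line in text.splitlines():
        m = EXIM_IP_RE.search(line)
        if not m:
            continue
        if " <= " in line:
            out.append((m.group("ip"), "accept"))
        elif "rejected" in line:
            out.append((m.group("ip"), "reject"))
    return out


def correlate(p0f_text, exim_text):
    """Count accept/reject per OS family. Returns (counts, unseen) where
    'unseen' is the number of Exim events whose client p0f never reported,
    kept separate from p0f's own 'Unknown' (signature seen, not matched)."""
    fp = parse_p0f(p0f_text)
    counts = defaultdict(lambda: {"accept": 0, "reject": 0})
    unseen = 0
    for ip, outcome in parse_exim(exim_text):
        if ip not in fp:
            unseen += 1
            continue
        counts[fp[ip][0]][outcome] += 1
    return dict(counts), unseen


def accept_ratio(counts):
    """Fraction of connections accepted, per OS family."""
    return {fam: c["accept"] / (c["accept"] + c["reject"])
            for fam, c in counts.items() if c["accept"] + c["reject"]}


# Constructed sample p0f output (two entries copied from the thread).
P0F_SAMPLE = """\
93.80.234.42:3378 - Windows 2000 SP4, XP SP1+
   -> 203.194.153.81:25 (distance 21, link: (Google/AOL))
123.239.24.34:2574 - Windows 2000 SP2+, XP SP1+ (seldom 98)
   -> 203.194.153.81:25 (distance 16, link: ethernet/modem)
198.51.100.5:44123 - Linux 2.6 (newer, 1)
   -> 203.194.153.81:25 (distance 12, link: ethernet/modem)
198.51.100.9:51000 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] (up: 3 hrs)
   -> 203.194.153.81:25 (distance 9, link: ethernet/modem)
"""

# Constructed sample Exim mainlog lines (format assumed, see lead-in).
EXIM_SAMPLE = """\
2009-01-01 12:00:01 H=(pc) [93.80.234.42] F=<a@example.com> rejected RCPT <b@example.org>: relay not permitted
2009-01-01 12:00:02 H=(pc2) [123.239.24.34] F=<c@example.com> rejected RCPT <b@example.org>: listed in zen.spamhaus.org
2009-01-01 12:00:03 1LKxyz-0001Ab-Cd <= d@example.net H=mail.example.net [198.51.100.5] P=esmtp S=2048
2009-01-01 12:00:04 1LKxyz-0001Ac-Ef <= e@example.net H=mx.example.net [198.51.100.9] P=esmtp S=512
2009-01-01 12:00:05 H=(unknown) [198.51.100.77] F=<f@example.com> rejected RCPT <b@example.org>: Unrouteable address
"""

if __name__ == "__main__":
    counts, unseen = correlate(P0F_SAMPLE, EXIM_SAMPLE)
    for fam, c in sorted(counts.items()):
        print(f"{fam}: accept:{c['accept']}, reject:{c['reject']}")
    print(f"no p0f result: {unseen}")
```

In practice you would feed it the real p0f log and Exim mainlog covering the same period; the "no p0f result" count is then the share of connections p0f missed outright, while the "Unknown" row is connections it saw but could not match to a signature.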