Re: [exim] IPv6 capable p0f and geoip dlfunc available

Author: Janne Snabb
Date:  
To: Chris.Knadle
CC: exim-users
Subject: Re: [exim] IPv6 capable p0f and geoip dlfunc available
On 07/08/2012 06:06 AM, Chris Knadle wrote:
> Knowing the country of origin of an incoming email connection sounds
> interesting from an informational logging perspective. At one time I was
> scoring/blocking based on country of origin, but I found it caused more
> problems than benefit once I started communicating more with people in
> the Debian project.


My best use case for GeoIP lookups is to use it in conjunction with
greylisting in the mail server of a small company which does business
only/mostly locally in a small country. Greylisting can be skipped for
their main market area (so that when a customer is on the phone and
sends over a document by e-mail there will be no irritating delay in
receiving the message because of greylisting, even though foreign e-mail
is delayed). This makes greylisting a much more attractive option than
normally: it is still very effective in combating spam, but the delivery
speed of legitimate e-mail is not adversely affected.

Some current statistics from my own mail server:

# grep X-GeoIP /var/log/exim4/rejectlog | sort | uniq -c | sort -rn
     23   X-GeoIP: BR
     19   X-GeoIP: CN
     11   X-GeoIP: PE
     11   X-GeoIP: AR
     10   X-GeoIP: IN
     10   X-GeoIP: CO
      8   X-GeoIP: RS
      8   X-GeoIP: PK
      5   X-GeoIP: VN
      5   X-GeoIP: MX
      5   X-GeoIP: KR
      5   X-GeoIP: ES
[..]


The list of countries at the top does not vary too much... I have no bad
feelings about throwing in a couple of "delay = 30s" to collectively
punish mail senders from the worst countries and to see if they time out
faster than they ought to.

> Scoring or blocking based on OS sounds dangerous, but you probably meant
> this more as an example of one thing that is possible to do with it. p0f
> also sounds interesting from an informational logging perspective, for
> starters. The readme mentions it's possible for it to "detect illegal
> network hookups".


I give "Windows XP" a penalty on some mail servers, but do not outright
reject anything based on this.

The only significant legitimate mail sources that I see identified as
Windows XP are some of Microsoft's outgoing servers. Other than that,
almost everything else I see here from "Windows XP" hosts is botnet
spam. Companies who have Windows-based mail servers tend/ought to run
something other than XP...

Again some quick'n'dirty statistics from my own mail server:

# grep X-p0f-OS /var/log/exim4/rejectlog | sort | uniq -c | sort -rn
     95   X-p0f-OS: Windows XP
     64   X-p0f-OS: Windows 7 or 8
     13   X-p0f-OS: (unknown)
      6   X-p0f-OS: Windows NT kernel
      4   X-p0f-OS: Windows NT kernel 5.x
      2   X-p0f-OS: Linux 2.6.x
      2   X-p0f-OS: FreeBSD 8.x
      1   X-p0f-OS: Linux 2.4.x
      1   X-p0f-OS: Linux 2.2.x-3.x (barebone)


> Also sounds to me like it would be convenient to build these two Exim
> 'addons' into Debian packages, which would make them easier to install on
> Debian-based distros. Let me know if someone is already working on this,
> otherwise I might give it a shot as a way of checking these out. [I've
> built a few Debian packages and gotten them to work, although I haven't
> submitted any to try to get them into Debian proper yet for different
> reasons.]


I am not aware of any packaging efforts so far. Feel free to package
them if you like. I appreciate it. However there is one obstacle: Debian
has the old p0f version 2 whereas this dlfunc only works with the new
p0f version 3.


Best Regards,
--
Janne Snabb / EPIPE Communications
snabb@??? - http://epipe.com/
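
The three policies described in this message (skip greylisting for the
home market, a collective "delay = 30s" for the countries that top the
reject log, and a penalty rather than a reject for "Windows XP"
fingerprints) combined into one Exim 4 ACL, as an added example that is
not from the post and not the dlfuncs' own documentation. Everything
below that is not plain Exim syntax is an assumption: the library paths,
the exported function names "geoip" and "p0f" and what they return, the
use of greylistd's "--grey" socket query as the greylisting backend, and
Finland (FI) as the home market.

```exim
# Added example (not from the list post): Exim 4 ACL fragment tying together
# GeoIP-conditional greylisting, a 30s delay for the worst countries, and a
# soft penalty for "Windows XP" p0f fingerprints.
#
# Assumptions (check the dlfunc READMEs and adjust):
#   - geoip.so exports "geoip", takes an IP, returns an ISO country code.
#   - p0f.so exports "p0f", takes an IP, returns the OS guess string.
#   - Greylisting is handled by greylistd via its --grey socket query.
#   - The home market is Finland (FI).

acl_check_rcpt:

  # Local networks and authenticated users are never delayed or greylisted.
  accept  hosts = +relay_from_hosts
  accept  authenticated = *

  # Resolve country and OS once per connection; acl_c_* variables persist for
  # the whole SMTP session, so later RCPT commands reuse the result.
  warn    condition = ${if eq{$acl_c_geoip}{}}
          set acl_c_geoip = ${dlfunc{/usr/local/lib/exim/geoip.so}{geoip}{$sender_host_address}}
          set acl_c_p0f   = ${dlfunc{/usr/local/lib/exim/p0f.so}{p0f}{$sender_host_address}}
          add_header = X-GeoIP: $acl_c_geoip
          add_header = X-p0f-OS: $acl_c_p0f
          logwrite   = geoip=$acl_c_geoip p0f="$acl_c_p0f"

  # Collective 30s delay for the countries that dominate the reject log. A
  # spambot that gives up during the delay never reaches the checks below;
  # a real MTA simply waits.
  warn    condition = ${if inlist{$acl_c_geoip}{BR:CN:PE:AR:IN:CO}}
          delay     = 30s

  # Penalty, not rejection, for XP fingerprints. The score accumulates in
  # acl_c_penalty for a later ACL or the content scanner to weigh.
  warn    condition = ${if match{$acl_c_p0f}{^Windows XP}}
          set acl_c_penalty = ${eval:${if def:acl_c_penalty{$acl_c_penalty}{0}} + 20}

  # Greylist everyone except the home market. Domestic senders get through
  # immediately; foreign first-time senders are asked to retry, which
  # legitimate MTAs do and most bots do not. Bounces (empty sender) are
  # exempt so that DSNs are not lost.
  defer   message     = $sender_host_address is not yet authorized to deliver \
                        mail from <$sender_address> to <$local_part@$domain>. \
                        Please try later.
          log_message = greylisted (country $acl_c_geoip)
          !senders    = :
          domains     = +local_domains
          condition   = ${if !eq{$acl_c_geoip}{FI}}
          condition   = ${readsocket{/var/run/greylistd/socket}\
                         {--grey $sender_host_address $sender_address $local_part@$domain}\
                         {5s}{}{false}}

  # Normal local delivery with recipient verification; everything else is a
  # relay attempt and is refused.
  accept  domains = +local_domains
          endpass
          verify  = recipient

  deny    message = relay not permitted
```

The lookups are done under a `warn` verb guarded by "is acl_c_geoip still
empty", so each dlfunc is called once per connection rather than once per
recipient; the X-GeoIP and X-p0f-OS headers added there are what the
`grep ... rejectlog` pipelines in the message count. The delay and the
greylist defer are ordered so that a host which drops the connection during
the 30s wait never costs a greylistd query.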