On 07/08/2012 06:06 AM, Chris Knadle wrote:
> Knowing the country of origin of an incoming email connection sounds
> interesting from an informational logging perspective. At one time I was
> scoring/blocking based on country of origin, but I found it caused more
> problems than benefit once I started communicating more with people in
> the Debian project.
My best use case for GeoIP lookups is to use it in conjunction with
greylisting in a mail server of a small company which does business
only/mostly locally in a small country. Greylisting can be skipped for
their main market area (so that when a customer is on the phone and
sends over a document by e-mail there will be no irritating delay in
receiving the message because of greylisting even though foreign e-mail
is delayed). This makes greylisting a much more attractive option than
normally: it is still very effective in combating spam but the delivery
speed of legitimate e-mail is not adversely affected.
Some current statistics from my own mail server:
# grep X-GeoIP /var/log/exim4/rejectlog | sort | uniq -c | sort -rn
23 X-GeoIP: BR
19 X-GeoIP: CN
11 X-GeoIP: PE
11 X-GeoIP: AR
10 X-GeoIP: IN
10 X-GeoIP: CO
8 X-GeoIP: RS
8 X-GeoIP: PK
5 X-GeoIP: VN
5 X-GeoIP: MX
5 X-GeoIP: KR
5 X-GeoIP: ES
[..]
The list of countries at the top does not vary too much... I have no bad
feelings about throwing in a couple of "delay = 30s" to collectively
punish mail senders from the worst countries and to see if they timeout
faster than they ought to.
> Scoring or blocking based on OS sounds dangerous, but you probably meant
> this more as an example of one thing that is possible to do with it. p0f
> also sounds interesting from an informational logging perspective, for
> starters. The readme mentions it's possible for it to "detect illegal
> network hookups".
I give "Windows XP" a penalty on some mail servers, but do not outright
reject anything based on this.
The only significant legitimate mail source that I see identified as
Windows XP are some of Microsoft's outgoing servers. Other than that,
almost everything else I see here from "Windows XP" hosts is botnet
spam. Companies who have Windows based mail servers tend/ought to run
something other than XP...
Again some quick'n'dirty statistics from my own mail server:
# grep X-p0f-OS /var/log/exim4/rejectlog | sort | uniq -c | sort -rn
95 X-p0f-OS: Windows XP
64 X-p0f-OS: Windows 7 or 8
13 X-p0f-OS: (unknown)
6 X-p0f-OS: Windows NT kernel
4 X-p0f-OS: Windows NT kernel 5.x
2 X-p0f-OS: Linux 2.6.x
2 X-p0f-OS: FreeBSD 8.x
1 X-p0f-OS: Linux 2.4.x
1 X-p0f-OS: Linux 2.2.x-3.x (barebone)
> Also sounds to me like it would be convenient to build these two Exim
> 'addons' into Debian packages, which would make them easier to install on
> Debian-based distros. Let me know if someone is already working on this,
> otherwise I might give it a shot as a way of checking these out. [I've
> built a few Debian packages and gotten them to work, although I haven't
> submitted any to try to get them into Debian proper yet for different
> reasons.]
I am not aware of any packaging efforts so far. Feel free to package
them if you like. I appreciate it. However there is one obstacle: Debian
has the old p0f version 2 whereas this dlfunc only works with the new
p0f version 3.
Best Regards,
--
Janne Snabb / EPIPE Communications
snabb@??? -
http://epipe.com/
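The policy described in the message above (skip greylisting for the home market, an extra delay for the countries topping the rejectlog, a score penalty but no rejection for "Windows XP"), as an added illustration that is not part of the original post and not the GeoIP or p0f dlfunc code. The log excerpt is constructed, the home country FI, the penalty value 1.0 and the top-n cut-off are assumptions; the post names none of them.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of an Exim rejectlog after the dlfuncs
# have added their headers (sample data, not a real log).
SAMPLE_REJECTLOG = """\
2012-07-08 09:01:02 H=[198.51.100.7] rejected RCPT <a@example.org>: greylisted
X-GeoIP: BR
X-p0f-OS: Windows XP
2012-07-08 09:03:14 H=[198.51.100.8] rejected RCPT <b@example.org>: greylisted
X-GeoIP: CN
X-p0f-OS: Windows 7 or 8
2012-07-08 09:04:55 H=[198.51.100.9] rejected RCPT <c@example.org>: greylisted
X-GeoIP: BR
X-p0f-OS: Windows XP
2012-07-08 09:06:31 H=[198.51.100.10] rejected RCPT <d@example.org>: greylisted
X-GeoIP: FI
X-p0f-OS: Linux 2.6.x
"""

GEOIP_RE = re.compile(r"^X-GeoIP:\s*([A-Z]{2})\s*$", re.M)

def country_counts(log: str) -> Counter:
    """Same tally as 'grep X-GeoIP rejectlog | sort | uniq -c | sort -rn'."""
    return Counter(GEOIP_RE.findall(log))

def worst_countries(log: str, n: int = 2) -> list:
    """Top-n rejecting countries: the candidates for the extra delay."""
    return [cc for cc, _ in country_counts(log).most_common(n)]

HOME_COUNTRIES = {"FI"}      # assumed main market area (the post names none)
XP_PENALTY = 1.0             # assumed score; the post gives no number
WORST_DELAY_SECONDS = 30     # the "delay = 30s" from the post

def policy(country: str, p0f_os: str, worst: list) -> dict:
    """Greylist / delay / score decision for one inbound SMTP connection."""
    decision = {"greylist": True, "delay": 0, "penalty": 0.0}
    if country in HOME_COUNTRIES:
        decision["greylist"] = False      # local customers are never delayed
    elif country in worst:
        decision["delay"] = WORST_DELAY_SECONDS
    if p0f_os == "Windows XP":
        decision["penalty"] = XP_PENALTY  # penalty only, never an outright reject
    return decision
```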