North American Network Operators Group


fingerprinting and spam ID (was: Re: ISP wants to stop outgoing web based spam)

  • From: Steven Champeon
  • Date: Fri Aug 11 11:56:22 2006

on Fri, Aug 11, 2006 at 09:38:46AM +0100, Peter Corlett wrote:
> 
> On 10 Aug 2006, at 22:07, Barry Shein wrote:
> [...]
> >The vector for these has been almost purely Microsoft Windows.
> 
> I wonder. From the point of view of a MX host (as opposed to a
> customer-facing smarthost), would TCP fingerprinting to identify the
> OS and apply a weighting to the spam score be a viable technique?

Yes - I had a quickie p0f/sendmail fingerprinting check working here for
a while; it was primarily amusing to watch the various versions of
Windows scroll by as I watched the zombies attack, but given that the
occasional legit mail server runs Exchange, and given that I already
knew which hosts were zombies (generic rDNS, sending to traps, using
laughably broken heuristics to try to "defeat" my "filters", etc.) it
turned out to be somewhat less than useful. Just amusing.

Now that my filters have a scoring mechanism, maybe I'll go back and
turn it back on and see how it works. The problem is that I already see
enough legit mail hit the quarantine due to being HTML/multipart,
suspected of being sent "direct-to-MX" due to Exchange's bizarre habit
of not providing an audit trail via Received headers, etc. Knowing that
it's a Windows box doing the sending is likely to be more of a reason to
treat it more lightly, on the assumption that it's laughably broken but
probably mail some employee wants/needs, than the alternative. IOW, if
you're already ugly and smell funny, it doesn't help to know that it's
also because your mother wears combat boots.

The biggest problem with email isn't that it doesn't work; the biggest
problem with email is that there are so many vendors who simply refuse
to implement SMTP properly.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
rambling, amusements, edifications and suchlike: http://interrupt-driven.com/
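The thread's point, that an OS fingerprint is a weak signal next to generic rDNS and spamtrap hits and should carry little weight in a score, can be shown with a small scoring routine. The following is an added example and is not code from this post, from NANOG, or from p0f/sendmail; the signal names, weights, thresholds, the rDNS heuristic and the sample sessions are all assumptions constructed for illustration, and the `os_guess` field stands in for whatever a passive fingerprinter reports rather than p0f's real output format.

```python
"""Weighted scoring of inbound SMTP sessions from several signals.

Constructed example: the signal names, weights, thresholds, sample sessions
and the rDNS heuristic are assumptions for illustration, not any real
tool's output or configuration.
"""
import re

# Weights per signal (assumed values). The OS guess deliberately carries
# little weight: a Windows fingerprint alone must not move a session from
# "accept" to "quarantine", since legitimate Exchange hosts run Windows.
DEFAULT_WEIGHTS = {
    "generic_rdns": 4.0,   # PTR name looks auto-generated for a dynamic pool
    "no_rdns": 2.0,        # no PTR record at all
    "hit_spamtrap": 5.0,   # delivery attempt to an address that never gets real mail
    "os_windows": 0.5,     # TCP fingerprint says a Windows stack
    "os_unknown": 0.5,     # fingerprinter could not classify the stack
}

QUARANTINE_AT = 4.0   # assumed threshold
REJECT_AT = 8.0       # assumed threshold

# Heuristic for "generic" reverse DNS: four numeric groups separated by dots
# or hyphens (an address embedded in the name), or a pool-style label.
_EMBEDDED_ADDR = re.compile(r"(?<![0-9])(\d{1,3}[-.]){3}\d{1,3}(?![0-9])")
_POOL_LABELS = re.compile(r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|cable|dsl|dial)([.-]|$)")


def is_generic_rdns(name):
    """Return True if a PTR name looks machine-generated rather than a mail host."""
    lowered = name.lower()
    return bool(_EMBEDDED_ADDR.search(lowered) or _POOL_LABELS.search(lowered))


def session_signals(session):
    """Map one SMTP session (a dict) to the set of signal names that fired."""
    fired = set()
    rdns = session.get("rdns")
    if not rdns:
        fired.add("no_rdns")
    elif is_generic_rdns(rdns):
        fired.add("generic_rdns")
    if session.get("to_spamtrap"):
        fired.add("hit_spamtrap")
    os_guess = (session.get("os_guess") or "unknown").lower()
    if os_guess.startswith("windows"):
        fired.add("os_windows")
    elif os_guess == "unknown":
        fired.add("os_unknown")
    return fired


def score_session(session, weights=DEFAULT_WEIGHTS):
    """Sum the weights of every signal that fired for this session."""
    return sum(weights[s] for s in session_signals(session))


def classify(score):
    """Turn a numeric score into a disposition using the assumed thresholds."""
    if score >= REJECT_AT:
        return "reject"
    if score >= QUARANTINE_AT:
        return "quarantine"
    return "accept"


# Constructed sessions; addresses and names are documentation/example values.
SAMPLE_SESSIONS = [
    # Windows box with a proper mail-host name: the OS alone changes nothing.
    {"ip": "192.0.2.10", "rdns": "mail.example.com",
     "os_guess": "Windows 2003", "to_spamtrap": False},
    # Windows box on a dynamic pool hitting a trap: rejected on the other signals.
    {"ip": "198.51.100.77", "rdns": "c-198-51-100-77.dyn.example.net",
     "os_guess": "Windows XP", "to_spamtrap": True},
    # Same behaviour from a non-Windows stack still rejects; the OS was never decisive.
    {"ip": "203.0.113.5", "rdns": "pool-203-0-113-5.example.org",
     "os_guess": "Linux", "to_spamtrap": True},
    # Generic rDNS alone lands in quarantine for a human to look at.
    {"ip": "203.0.113.12", "rdns": "host-203-0-113-12.example.org",
     "os_guess": "Linux", "to_spamtrap": False},
    # No PTR and an unclassifiable stack: suspicious but not enough on its own.
    {"ip": "203.0.113.9", "rdns": None,
     "os_guess": "unknown", "to_spamtrap": False},
]


def triage(sessions=SAMPLE_SESSIONS):
    """Return a list of (ip, score, verdict) tuples, one per session."""
    out = []
    for s in sessions:
        score = score_session(s)
        out.append((s["ip"], score, classify(score)))
    return out


if __name__ == "__main__":
    for ip, score, verdict in triage():
        print(f"{ip:16} score={score:4.1f} -> {verdict}")
```

Running it shows the two trap-hitting sessions rejected regardless of OS, the legitimate Windows host accepted, and the generic-rDNS-only session quarantined; swapping the OS guess on any of them never changes a verdict, which is the practical reason a fingerprint is mostly "amusing" once better signals are already in hand.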