Renaud Allard wrote:
> p0f isn't really a solution, just because windows tcp/ip stack is so
> messy that you cannot recognize or really differentiate versions. The
> only thing you could tell is if it is a windows machine or not. Which is
> obviously not a good test.

This is digressing to mere noise.

A reasonably well-configured mail server can be on any OS. So, too, a
badly-configured one.

IF/AS/WHEN a 'correspondent' arrives via properly-implemented smtp
protocols, with zero protocol violations, or 'few that are critical'....
just handle the (compliant) traffic offered...

If NOT... NOT.

Who cares what else that box is doing? Spam/ham is a different issue.

What next? The snail-mail postman should show up with proof he locked the
windows in his house when he left for work that morning, fed his dog, and
doesn't heat with gas?

Bill

> Also ports 445,135, etc are very often firewalled by ISP themselves, so
> you obviously couldn't connect to most senders. I once did a script that
> used samba to send a shutdown command to windows machines connecting to
> my exim using administrator as the login and a null password (as only a
> very badly configured machine should be like that) and putting a delay
> line in exim afterwards. But I couldn't connect to many hosts due to
> their ISP blocking ports.
>
> A better idea would be connecting to their port 25 when they connect to
> yours, try to send a fake mail to your domain (about the way exim does
> it with callouts). And if they accept, then, they have an open relay and
> you can start blacklisting. But this would also lead to some (probably
> very few) false positives.
>
> As of the moral or legal issues, I don't care, if they run a mail
> server, they should expect connections to it. And if they are sending me
> spam, I have at least the right to test them, and I could myself pursue
> them for sending me spam. After all exim also does this kind of stuff
> with callouts, even when an IP that has nothing to do with the
> maintainer of the MX tries to send a spoofed mail.
>
> It is a matter of fact that many (most?) mail servers are badly
> configured and you cannot use a single test to classify them all.
>
>
>> Richard Clayton <[EMAIL PROTECTED]> said, in message
>> [EMAIL PROTECTED]:
>>
>>>>> I was thinking of some way to examine the sender to see if it
>>>>> looked like it was a home computer running Windows XP as opposed to
>>>>> a server.
>>>>
>>>> to do this effectively on a machine in the UK would almost certainly
>>>> involve you in committing an offence under the Computer Misuse Act
>>>> 1990
>>
>> On top of the legal and moral issues, hitting ports 135 etc won't be all
>> that effective nowadays, as they'll probably be firewalled by XP for most
>> home users.
>>
>> That said, the idea of fingerprinting has been discussed here before, and
>> the friendly way to do it is passively, using p0f. I suspect that's the
>> question that Marc should be asking... though asking google first might give
>> the answer he wants!
>>
>> Cheers,
>> Alun.
>>

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
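Bill's position above, that a peer should be judged on how it speaks SMTP rather than on what OS it runs, can be expressed directly in Exim configuration. The fragment below is an added example written for this archive page; it is not code from the thread or from the Exim project. It assumes the host list `relay_from_hosts` and the domain list `local_domains` are defined elsewhere in the configuration, and it uses the sender callout mechanism that Renaud mentions.

```exim
# Added example (not from the thread or the Exim project): main-section
# options and an RCPT ACL that act on the peer's SMTP behaviour, not its OS.
# Assumed to exist elsewhere in the config: relay_from_hosts, local_domains.

# --- main configuration section ---

# Reject clients that send data before reading our responses; a client that
# ignores synchronisation is violating the protocol unless PIPELINING applies.
smtp_enforce_sync = true

# Abandon a session after this many synchronisation/protocol errors or
# unrecognised commands rather than tolerating a broken client indefinitely.
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Our own networks and authenticated users need no protocol tests.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # A bare IP address as the HELO name is a protocol violation (RFC 5321
  # requires an address literal to be bracketed); refuse it outright.
  deny    message       = HELO name must be a hostname or [address-literal]
          condition     = ${if isip{$sender_helo_name}}

  # Callout: ask the envelope sender's own MX whether it accepts that address.
  # defer_ok keeps mail flowing when the remote MX is temporarily unreachable.
  require message       = Sender verification failed
          verify        = sender/callout=30s,defer_ok

  # Accept only recipients in domains we host, and only if they exist.
  accept  domains       = +local_domains
          verify        = recipient

  deny    message       = relay not permitted
```

Every decision here is based on something the remote host does on our own port 25 (its HELO, its pacing, the envelope it offers); nothing probes the peer's other services, which is both the friendlier approach Alun describes and, as Bill notes, the only property of the peer that actually matters for accepting mail.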
