On Jun 19, 2006, at 5:44 AM, Ian Eiloart wrote:
> --On 19 June 2006 10:23:38 +0100 Ian Eiloart <[EMAIL PROTECTED]> wrote:
>> --On 17 June 2006 19:18:14 -0400 Kelley Reynolds <[EMAIL PROTECTED]> wrote:
>>> For those of you interested, I've outlined a method for OS Fingerprinting E-mail using FreeBSD and PF .. the details can be found at http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting- Email
>>
>> Er, that's:
>> <http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting-Email>

Oo .. sorry about that. It wrapped in my MUA and I didn't catch it. Thanks for the correction.

> And, it isn't terribly exciting. The most important fact here is that you can't obtain a fingerprint for 70% of incoming mail, and most of the rest identifies as from AIX hosts.

Ack .. normally the article gets at least a "good use of glue" comment even if the information isn't something an Email Administrator cares about. One thing to explain about the "Unknown" fingerprints is that there were 4 MXs storing to that database and only one was fingerprinting. At the time, we didn't store which MX the mail went through so we couldn't filter on it so I left the data in. Clearly a mistake if that's a focal point .. maybe I'll revisit this topic in a future article and see if I can't get some results more useful.

> Oh, yes Contiki is an operating system <http://www.sics.se/~adam/contiki/>

Obviously Contiki is an operating system, that was intended as comic relief .. apparently not funny.

> One question that the article looks at is whether much of our spam comes from "networks of infected zombie Windows machines" but, it doesn't seem to look at the question of whether the OS identified is that of the originating host, or some ISP router or NAT host. I don't know enough about routing to make a guess about that.

All true. The main thing I was concerned about for this *proof of concept* was whether or not the information would be useful. As pointed out in the article, if something is statistically valid, it doesn't really matter what the information is so long as it's consistent. For example, if the AOL fingerprint and the OS/400 fingerprint are always entirely wrong, it doesn't matter as long as they are consistent and they send spam 97% of the time.

To answer your other question, if you wanted to determine originating host IP, you'd have to do more work, but it's still largely possible (unless completely NATed, but that's not my specialty). Determine from headers if the mail is from the originating host and if so, done. If not, get the IP of the originating host and actively fingerprint it. Of course, that'll eat your resources alive, but it could be done offline and stored or done after the fact, etc, etc.

Thanks again for correcting the URL.

Kelley Reynolds
President
Inside Systems, Inc.
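The header walk Kelley outlines above, as an added Python example that is not code from the original post or from Inside Systems: decide whether the host that connected to the MX (the one PF fingerprinted) is the originating host, and if not, pull the oldest public address out of the Received: chain. Hostnames and addresses are constructed, and only the topmost Received: line, written by your own MX, can be trusted; everything below it is text the sender controls.

```python
import ipaddress
import re

# Constructed sample. The topmost Received: line was added by our own MX
# (mx1.example.org) and is the only one we can trust.
SAMPLE_HEADERS = """\
Received: from relay.example.net ([203.0.113.7]) by mx1.example.org with ESMTP; Mon, 19 Jun 2006 10:20:01 +0100
Received: from [192.168.1.23] (helo=desktop) by relay.example.net with SMTP; Mon, 19 Jun 2006 10:19:58 +0100
Received: from sender-pc ([198.51.100.42]) by 192.168.1.23 with SMTP; Mon, 19 Jun 2006 10:19:50 +0100
"""
# Constructed sample of a direct delivery: the peer is the originating host.
DIRECT_HEADERS = "Received: from sender-pc ([203.0.113.7]) by mx1.example.org with ESMTP; Mon, 19 Jun 2006 10:21:00 +0100\n"

IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# RFC 1918 and other non-routable ranges that cannot be the public origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_ips(headers):
    """The 'from' address of each Received: line, newest (our MX) first."""
    ips = []
    for line in headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        # Look only at the 'from ...' part so the receiving host's own
        # address in the 'by ...' clause is not picked up.
        from_part = line.split(" by ", 1)[0]
        m = IPV4_RE.search(from_part)
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(headers, peer_ip):
    """Return (origin_ip, fingerprint_applies).

    peer_ip is the address PF saw connecting to the MX. With no earlier hop
    the peer is the originating host and the passive fingerprint already
    describes it. Otherwise return the oldest public hop, flagged False:
    it comes from sender-controlled header text, not from a measurement."""
    hops = received_ips(headers)
    if not hops or hops[0] != peer_ip:
        raise ValueError("topmost Received: line does not name the connecting peer")
    if len(hops) == 1:
        return peer_ip, True
    public = [ip for ip in hops[1:] if not is_internal(ip)]
    return (public[-1] if public else peer_ip), False  # newest-first, so last = oldest
```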
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
