--On 19 June 2006 08:44:29 -0400 Kelley Reynolds <[EMAIL PROTECTED]> wrote:

> On Jun 19, 2006, at 5:44 AM, Ian Eiloart wrote:
>
>> --On 19 June 2006 10:23:38 +0100 Ian Eiloart <[EMAIL PROTECTED]> wrote:
>>
>>> --On 17 June 2006 19:18:14 -0400 Kelley Reynolds <[EMAIL PROTECTED]> wrote:
>>>
>>>> For those of you interested, I've outlined a method for OS
>>>> Fingerprinting E-mail using FreeBSD and PF .. the details can be found at
>>>>
>>>> http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting-Email
>>>
>>> Er, that's:
>>>
>> <http://blog.insidesystems.net/articles/2006/06/06/OS-Fingerprinting-Email>
>
> Oo .. sorry about that. It wrapped in my MUA and I didn't catch it.
> Thanks for the correction.
>
>> And, it isn't terribly exciting. The most important fact here is
>> that you can't obtain a fingerprint for 70% of incoming mail, and
>> most of the rest identifies as from AIX hosts.
>
> Ack .. normally the article gets at least a "good use of glue" comment
> even if the information isn't something an Email Administrator cares
> about. One thing to explain about the "Unknown" fingerprints is that
> there were 4 MXs storing to that database and only one was
> fingerprinting. At the time, we didn't store which MX the mail went
> through so we couldn't filter on it so I left the data in. Clearly a
> mistake if that's a focal point .. maybe I'll revisit this topic in a
> future article and see if I can't get some results more useful.

OK, so does that suggest that you actually get a fingerprint every time?
Then the technique might be more useful. I'm still worried by the fact
that 70-80% of the fingerprints say "AIX".

>> Oh, yes Contiki is an operating system <http://www.sics.se/~adam/contiki/>
>
> Obviously Contiki is an operating system, that was intended as comic
> relief .. apparently not funny.

>> One question that the article looks at is whether much of our spam
>> comes from "networks of infected zombie Windows machines" but, it
>> doesn't seem to look at the question of whether the OS identified
>> is that of the originating host, or some ISP router or NAT host. I
>> don't know enough about routing to make a guess about that.
>
> All true. The main thing I was concerned about for this *proof of
> concept* was whether or not the information would be useful. As pointed
> out in the article, if something is statistically valid, it doesn't
> really matter what the information is so long as it's consistent. For
> example, if the AOL fingerprint and the OS/400 fingerprint are always
> entirely wrong, it doesn't matter as long as they are consistent and
> they send spam 97% of the time.
>
> To answer your other question, if you wanted to determine originating
> host IP, you'd have to do more work, but it's still largely possible
> (unless completely NATed, but that's not my specialty). Determine from
> headers if the mail is from the originating host and if so, done. If
> not, get the IP of the originating host and actively fingerprint it. Of
> course, that'll eat your resources alive, but it could be done offline
> and stored or done after the fact, etc, etc.
>
> Thanks again for correcting the URL.
>
> Kelley Reynolds
> President
> Inside Systems, Inc.

-- 
Ian Eiloart
IT Services, University of Sussex

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
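The statistical point made in the thread (a passive fingerprint label is useful as a spam signal if it is consistent, whatever OS it actually names) and the caveat about "Unknown" rows coming from MXs that were not fingerprinting can both be checked against stored records with a short script. This is an added example, not code from the thread or from the blog article; the record layout, the MX names and every sample row are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (mx_host, passive_fingerprint, was_spam).
# Only mx1 runs pf fingerprinting; mx2 and mx3 store "Unknown" for every
# message, so their rows are missing data rather than a real "Unknown" result.
SAMPLE_RECORDS = (
    [("mx1", "AIX 4.3", True)] * 5 + [("mx1", "AIX 4.3", False)]
    + [("mx1", "Windows XP", True)] * 4
    + [("mx1", "Linux 2.4", True)] + [("mx1", "Linux 2.4", False)] * 3
    + [("mx1", "Unknown", True), ("mx1", "Unknown", False)]
    + [("mx2", "Unknown", True)] * 2 + [("mx2", "Unknown", False)] * 2
    + [("mx3", "Unknown", False)]
)


def spam_rate_by_fingerprint(records, fingerprinting_mxs, min_samples=3):
    """Return {fingerprint: (spam, total, rate)} using only records that came
    through an MX that actually fingerprints, and dropping any fingerprint
    seen fewer than min_samples times (too few rows to call it consistent)."""
    counts = defaultdict(lambda: [0, 0])  # fingerprint -> [spam, total]
    for mx, fingerprint, was_spam in records:
        if mx not in fingerprinting_mxs:
            continue  # an "Unknown" from a non-fingerprinting MX is not a measurement
        counts[fingerprint][1] += 1
        if was_spam:
            counts[fingerprint][0] += 1
    return {
        fp: (spam, total, spam / total)
        for fp, (spam, total) in counts.items()
        if total >= min_samples
    }


def useful_signals(stats, threshold=0.9):
    """Fingerprints whose spam rate is high enough to act as a signal on its
    own; whether the OS label is accurate does not matter, only its consistency."""
    return sorted(fp for fp, (_, _, rate) in stats.items() if rate >= threshold)


if __name__ == "__main__":
    stats = spam_rate_by_fingerprint(SAMPLE_RECORDS, {"mx1"})
    for fp, (spam, total, rate) in sorted(stats.items()):
        print(f"{fp:12s} {spam:3d}/{total:<3d} spam rate {rate:.2f}")
    print("usable as a signal:", useful_signals(stats))
```

Running the same function with all three MXs treated as fingerprinting shows how the non-fingerprinting hosts inflate the "Unknown" bucket, which is the distortion the thread describes.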
