W B Hacker wrote:

>> BTW, if a win-zombie is behind a NAT in a DSL-modem (with embedded
>> Linux inside), what p0f shows?

I meant to reply to this, but I forgot. p0f should still detect Windows in that case for most NAT devices, except for odd cases where those NAT devices somehow mangle the packets they're forwarding.

http://www.stearns.org/p0f/README

"Bypassing a firewall - p0f can "see thru" most NAT devices, packet firewalls, etc."

> The default will (usually) detect the NAT'ing - and display it, even tries to
> tell if it is in ITE (ex: ethernet modem) or separate (just 'NAT') along with
> hop-count as 'distance':
>
> (all ports...)
>
> 93.80.234.42:3378 - Windows 2000 SP4, XP SP1+
>   -> 203.194.153.81:25 (distance 21, link: (Google/AOL))
> 123.239.24.34:2574 - Windows 2000 SP2+, XP SP1+ (seldom 98)
>   -> 203.194.153.81:25 (distance 16, link: ethernet/modem)
>
> More than good enough for my needs, though I am still puzzled that it fails to
> detect all connections.

It doesn't provide results for me for around 8% of the connections. I'm not sure if that's because it doesn't detect the connection, or if it simply doesn't have a matching signature:

Connections: 6716
FreeBSD: accept:5, reject:9
Linux: accept:318, reject:139
MacOS: accept:2, reject:19
NetBSD: reject:2
Novell: reject:1
Solaris: accept:36, reject:147
Unknown: accept:475, reject:107
Windows: accept:30, reject:5426

There doesn't seem to be a strong correlation between the OS and the spamminess of the message, apart from when Windows is the connecting OS. Only 1 in 180 emails from a Windows host was accepted by my email system.

-- 
Mike Cardwell (https://secure.grepular.com/) (http://perlcv.com/)

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
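The per-OS accept/reject table above is the kind of thing you get by joining p0f's two-line output records with the MTA's verdict for each connection. The following is an added example (not code from the thread, from p0f, or from Exim) that parses records in the format quoted in the mail, collapses the OS label to a coarse family, tallies accept/reject per family, and reports the share of connections that came back with no matching signature. The sample records and the per-IP verdict map are constructed for the example; the `UNKNOWN [...]` line is assumed to be the form p0f 2.x prints when nothing matches, and the one-verdict-per-client-address join is a simplification of what a real mainlog correlation would need.

```python
import re
from collections import defaultdict

# Constructed p0f output in the two-line form quoted in the thread. The two
# Windows records reuse the addresses shown in the mail; the rest are
# TEST-NET addresses made up for this example. The "UNKNOWN [...]" line is
# the form p0f 2.x uses when no signature matches (assumption).
SAMPLE_P0F = """\
93.80.234.42:3378 - Windows 2000 SP4, XP SP1+
  -> 203.194.153.81:25 (distance 21, link: (Google/AOL))
123.239.24.34:2574 - Windows 2000 SP2+, XP SP1+ (seldom 98)
  -> 203.194.153.81:25 (distance 16, link: ethernet/modem)
198.51.100.7:41022 - Linux 2.6 (newer, 2)
  -> 203.194.153.81:25 (distance 12, link: ethernet/modem)
198.51.100.9:55100 - FreeBSD 6.x
  -> 203.194.153.81:25 (distance 9, link: ethernet/modem)
192.0.2.5:2200 - UNKNOWN [65535:128:1:48:M1460,N,N,S:.:?:?]
  -> 203.194.153.81:25 (distance 8, link: ethernet/modem)
"""

# Constructed accept/reject outcome per client address, standing in for what
# the MTA log says about each connection (assumption: one verdict per IP).
VERDICTS = {
    "93.80.234.42": "reject",
    "123.239.24.34": "reject",
    "198.51.100.7": "accept",
    "198.51.100.9": "accept",
    "192.0.2.5": "reject",
}

HEAD_RE = re.compile(r"^(?P<src>[\d.]+):(?P<sport>\d+) - (?P<os>.+)$")
TAIL_RE = re.compile(
    r"^\s*-> (?P<dst>[\d.]+):(?P<dport>\d+) \(distance (?P<dist>\d+), link: (?P<link>.+)\)$"
)

# Coarse families used in the thread's table; anything else is "Unknown".
FAMILIES = ("Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD",
            "MacOS", "Solaris", "Novell")


def os_family(label):
    """Collapse a p0f OS label (e.g. 'Windows 2000 SP4, XP SP1+') to a family."""
    for fam in FAMILIES:
        if label.startswith(fam):
            return fam
    return "Unknown"


def parse_p0f(text):
    """Pair each 'src:port - OS' line with its following '-> dst (...)' line."""
    records, pending = [], None
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            pending = {"src": head["src"], "os": head["os"],
                       "family": os_family(head["os"])}
            continue
        tail = TAIL_RE.match(line)
        if tail and pending is not None:
            pending.update(dst=tail["dst"], dport=int(tail["dport"]),
                           distance=int(tail["dist"]), link=tail["link"])
            records.append(pending)
            pending = None
    return records


def tally(records, verdicts):
    """Per-family accept/reject counts, in the shape of the table in the mail."""
    counts = defaultdict(lambda: {"accept": 0, "reject": 0})
    for rec in records:
        verdict = verdicts.get(rec["src"])
        if verdict in ("accept", "reject"):
            counts[rec["family"]][verdict] += 1
    return dict(counts)


def unknown_fraction(records):
    """Share of connections p0f could not attribute to a known family."""
    if not records:
        return 0.0
    return sum(r["family"] == "Unknown" for r in records) / len(records)


def reject_rate(counts, family):
    """Fraction of a family's connections that were rejected."""
    c = counts.get(family, {"accept": 0, "reject": 0})
    total = c["accept"] + c["reject"]
    return c["reject"] / total if total else 0.0


def format_report(records, counts):
    """Render the tally in the same 'OS: accept:N, reject:M' style as the mail."""
    lines = [f"Connections: {len(records)}"]
    for fam in sorted(counts):
        lines.append(f"{fam}: accept:{counts[fam]['accept']}, reject:{counts[fam]['reject']}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_p0f(SAMPLE_P0F)
    t = tally(recs, VERDICTS)
    print(format_report(recs, t))
    print(f"no fingerprint: {unknown_fraction(recs):.0%}")
```

Keying the join on the client address only works while p0f and the MTA see the same connections over the same window; for a long-running mail server the source port and timestamp would have to be part of the key, and the "Unknown" bucket should be split between connections p0f never logged at all and those it logged with no matching signature, which is exactly the distinction the mail says it could not make.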
