Tomoyuki Murakami:
> Developers,
>
> There are several Passive OS Fingerprinting implementations;
> p0f v3 (http://lcamtuf.coredump.cx/p0f3/) is one of them, and
> it gives a light-weight, very quick response in my environment.
> I don't know the detailed history of this app; there is
> a simple API for utilizing information about the other-end OSes.
First, I am pleased to read code that is well written. Thank you.
> In my experience, possible bot machines are often running 'Doze OS,
> and if we can identify that, we could reduce the cost of checking
> DNSBLs, etc.
>
> I know that Microsoft themselves run such an OS in their
> service environment; we should be careful about the results
> of p0f, and we might fine-tune fingerprints for a while.
Fundamental critique:
- There are many legitimate MTAs running on Microsoft systems,
including MTAs from vendors other than Microsoft. It would be a
mistake to veto connections because a site runs a Microsoft OS.
Postscreen is the wrong place to use methods that suffer from a
non-negligible false positive rate.
- Instead of fingerprinting the client TCP/IP stack, it would be
more appropriate to fingerprint the client SMTP stack. This is on
the TODO list with p0f which relies on passive observation. So far,
my own experiences with SMTP stack fingerprinting have been unrewarding
except for PREGREET detection (and that can't be done with passive
observation). There is a USENIX Security 2012 paper with examples
of active fingerprinting that send malformed SMTP responses to
distinguish between legitimate and spambot SMTP stacks (Gianluca
Stringhini et al. B@bel: Leveraging Email Delivery for Spam Mitigation).
Implementation critique:
- Postscreen blocks until the p0f server replies. That violates
postscreen design which avoids blocking. When the p0f daemon becomes
unresponsive for whatever reason, that should not cripple postscreen.
There is no such problem with postscreen DNSBL lookups.
- The blocking queries are also a problem because you query the p0f
daemon on every connection, unconditionally, even for clients that
are permanently black- or whitelisted, or that exist in the temporary
whitelist cache.
Wietse
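As an added illustration of the two implementation points above (this is example code, not Wietse's words and not Postfix or p0f code; the allow/deny lists, the temporary-whitelist cache, the one-line request/reply protocol and the stand-in daemon are all constructed for the demo), the screener below skips the fingerprint lookup for clients whose decision is already fixed by a permanent list or an unexpired cache entry, and bounds how long it will wait on the daemon so that an unresponsive daemon yields "unknown" instead of stalling the caller. The label it obtains is recorded as advisory only; nothing here vetoes a client on the basis of its OS.

```python
import select
import socket
import threading
import time

# Constructed sample tables (not Postfix's real lists): clients for which
# postscreen has already decided, so a fingerprint lookup would be wasted.
PERMANENT_ALLOW = {"192.0.2.10"}
PERMANENT_DENY = {"198.51.100.7"}
# Temporary whitelist cache: client address -> expiry time (epoch seconds).
TEMP_WHITELIST = {"203.0.113.5": float("inf")}

# Toy line protocol between the screener and a stand-in "fingerprint daemon":
# request "<ip>\n", reply "<label>\n". Constructed; not p0f's real socket API.


def needs_fingerprint(client_ip, now, allow=PERMANENT_ALLOW, deny=PERMANENT_DENY,
                      temp_cache=TEMP_WHITELIST):
    """False when the client is permanently listed or has an unexpired
    temporary-whitelist entry; only then is a daemon query worth making."""
    if client_ip in allow or client_ip in deny:
        return False
    expiry = temp_cache.get(client_ip)
    if expiry is not None and expiry > now:
        return False
    return True


def query_fingerprinter(sock, client_ip, timeout):
    """Ask the daemon for a label but never wait longer than `timeout` seconds.
    Any failure or silence from the daemon degrades to "unknown"."""
    sock.setblocking(False)
    try:
        sock.sendall(f"{client_ip}\n".encode())
    except OSError:
        return "unknown"
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        return "unknown"          # daemon did not answer in time: do not block
    try:
        data = sock.recv(256)
    except OSError:
        return "unknown"
    label = data.decode(errors="replace").strip()
    return label or "unknown"


def screen_client(client_ip, sock, now=None, timeout=0.2):
    """Combine both checks; the label is advisory and is only recorded."""
    now = time.time() if now is None else now
    if not needs_fingerprint(client_ip, now):
        return {"client": client_ip, "queried": False, "os": None, "waited": 0.0}
    started = time.monotonic()
    label = query_fingerprinter(sock, client_ip, timeout)
    return {"client": client_ip, "queried": True, "os": label,
            "waited": time.monotonic() - started}


def start_stand_in_daemon(reply, answer=True):
    """Constructed daemon stand-in on a socketpair. With answer=False it reads
    the request and stays silent, modelling an unresponsive daemon."""
    ours, theirs = socket.socketpair()

    def serve():
        request = theirs.recv(256)
        if answer and request:
            theirs.sendall(f"{reply}\n".encode())

    threading.Thread(target=serve, daemon=True).start()
    return ours


if __name__ == "__main__":
    print(screen_client("192.0.2.10", None))                 # listed: not queried
    print(screen_client("203.0.113.77",
                        start_stand_in_daemon("constructed-label")))
    print(screen_client("203.0.113.77",
                        start_stand_in_daemon("", answer=False), timeout=0.2))
```

The timeout is the important knob: whatever it is set to is the worst case a single connection pays when the daemon hangs, and a lookup that is skipped for an already-listed client costs nothing at all.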