On Mon, 10 Sep 2012 09:26:23 -0400 (EDT), Wietse Venema <[email protected]> wrote:

> Tomoyuki Murakami:
>> Developers,
>>
>> There are several Passive OS Fingerprinting implementations;
>> p0f v3 (http://lcamtuf.coredump.cx/p0f3/) is one of them, and
>> it is light-weight and responds very quickly in my environment.
>> I don't know the detailed history of this app; there is
>> a simple API for utilizing information about the other-end OSes.
>
> First, I am pleased to read code that is well written. Thank you.

You're welcome. Thank you for the reply.
> Fundamental critique:
>
> - There are many legitimate MTAs running on Microsoft systems,
> including MTAs from vendors other than Microsoft. It would be a
> mistake to veto connections because a site runs a Microsoft OS.
> Postscreen is the wrong place to use methods that suffer from a
> non-negligible false positive rate.

I generally agree, but its efficiency is worth consideration in my
little bit wild, spam-hating environment. It might not be everyone's
solution.

> - Instead of fingerprinting the client TCP/IP stack, it would be
> more appropriate to fingerprint the client SMTP stack. This is on
> the TODO list with p0f which relies on passive observation. So far,
> my own experiences with SMTP stack fingerprinting have been unrewarding
> except for PREGREET detection (and that can't be done with passive
> observation). There is a USENIX Security 2012 paper with examples
> of active fingerprinting that send malformed SMTP responses to
> distinguish between legitimate and spambot SMTP stacks (Gianluca
> Stringhini et al. B@bel: Leveraging Email Delivery for Spam Mitigation).

Thank you for the reference pointer. I will look at it later.

Thank you,
--- Tomo.
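As an added example (not code from this thread, nor from the p0f or Postfix projects), a minimal Python client for the p0f v3 query socket mentioned above. The 21-byte query and 232-byte response layouts follow p0f v3's documented API as I know it; the socket path and the sample response bytes are constructed assumptions, and, in line with the critique above, the result is only turned into a log annotation, never into a reject decision.

```python
import socket
import struct

# p0f v3 API constants (from the p0f v3 API description, not from this thread)
P0F_QUERY_MAGIC = 0x50304601
P0F_RESP_MAGIC = 0x50304602
P0F_ADDR_IPV4, P0F_ADDR_IPV6 = 0x04, 0x06
P0F_STATUS = {0x00: "badquery", 0x10: "ok", 0x20: "nomatch"}

# Response: magic, status, 7 x u32 counters/timestamps, distance (s16),
# bad_sw (u8), os_match_q (u8), then six 32-byte NUL-padded strings.
# "=" = native byte order (p0f sends its packed struct as-is), no padding.
RESP_FMT = "=IIIIIIIIIhBB32s32s32s32s32s32s"
RESP_LEN = struct.calcsize(RESP_FMT)  # 232 bytes

def build_query(ip: str) -> bytes:
    """21-byte query: magic (u32), addr_type (u8), 16-byte left-aligned address."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    raw = socket.inet_pton(family, ip)
    atype = P0F_ADDR_IPV6 if family == socket.AF_INET6 else P0F_ADDR_IPV4
    return struct.pack("=IB16s", P0F_QUERY_MAGIC, atype, raw.ljust(16, b"\0"))

def parse_response(buf: bytes) -> dict:
    """Decode one p0f response; raises on wrong length or magic."""
    if len(buf) != RESP_LEN:
        raise ValueError(f"expected {RESP_LEN} bytes, got {len(buf)}")
    f = struct.unpack(RESP_FMT, buf)
    if f[0] != P0F_RESP_MAGIC:
        raise ValueError("bad response magic")
    s = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"status": P0F_STATUS.get(f[1], f"unknown({f[1]:#x})"),
            "first_seen": f[2], "last_seen": f[3], "total_conn": f[4],
            "uptime_min": f[5], "up_mod_days": f[6], "last_nat": f[7],
            "last_chg": f[8], "distance": f[9], "bad_sw": f[10],
            "os_match_q": f[11], "os_name": s(f[12]), "os_flavor": s(f[13]),
            "http_name": s(f[14]), "http_flavor": s(f[15]),
            "link_type": s(f[16]), "language": s(f[17])}

def query_p0f(sock_path: str, ip: str) -> dict:
    """Ask a running 'p0f -s <sock_path>' about a client address (assumed path)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sk:
        sk.connect(sock_path)
        sk.sendall(build_query(ip))
        return parse_response(sk.recv(RESP_LEN, socket.MSG_WAITALL))

def annotate(ip: str, r: dict) -> str:
    """Log-only enrichment: OS guess is a hint for the operator, not a verdict."""
    if r["status"] != "ok":
        return f"{ip} p0f={r['status']}"
    return (f"{ip} p0f_os={r['os_name']!r}/{r['os_flavor']!r} "
            f"distance={r['distance']} match_q={r['os_match_q']}")

def sample_response() -> bytes:
    """Constructed sample (not captured from a real p0f): a Windows client."""
    return struct.pack(RESP_FMT, P0F_RESP_MAGIC, 0x10, 1347275183, 1347275190,
                       3, 0, 0, 0, 0, 12, 0, 2, b"Windows", b"7 or 8", b"", b"",
                       b"Ethernet or modem", b"")
```

Running `annotate("192.0.2.1", parse_response(sample_response()))` yields a line suitable for a postscreen-style log, leaving the accept/reject decision to the existing protocol-level tests.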
