Mark Martinec wrote:
header L_P0F_WXP   X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score  L_P0F_WXP   2.3
header L_P0F_W     X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score  L_P0F_W     1.0
[...]

Matt Kettler wrote:
Well, that much should be obvious.
Both rules are explicitly designed to NOT match that.

The big question is, why?

That is intentional. Some corporate sites use a Microsoft's mailer,
and it sometimes appears to p0f as 'Windows XP, 2000 SP' or similar.
There would be too many false positives to treat it the same as
versions of Windows XP that majority of users run at home, so
the rule tries to be selective on Windows XP only, erring on the
safe side.

The ?! is a forward look-ahead that prevents matching.
So, the first rule: /^Windows(?! XP)/
Will match anything that's windows that's not XP.

That second rule is excluding XP because plain Windows XP was
already covered by the first rule, and it would not be
appropriate to score it twice.
Yeah, that much made sense to me. I just wasn't sure why there was no match at all for the combo one. The FP explanation makes sense. It was obvious it was intentional, but the why was not.


However, I might suggest adding a comment to the .cf file, possibly even a commented-out rule, explaining it's been disabled due to FPs on Microsoft servers. That might avoid some FAQs.

Something like this :

# This rule sometimes matches windows server products, causing
# False positives against exchange and other windows-based mail servers.
# header L_P0F_WXP2KUNSURE X-Amavis-OS-Fingerprint =~ /^Windows XP[^(]*\b2000 SP/
# score L_P0F_WXP2KUNSURE 0.01
# describe L_P0F_WXP2KUNSURE Could be Win XP or 2k possibly a server.

might be nice. That way folks who want it can use it, but it should be clear to them it can cause FP problems.
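To make the lookahead behaviour concrete, here is an added example (not part of the thread, and not amavisd or SpamAssassin code) that runs the two live rules plus the proposed commented-out rule against a handful of constructed X-Amavis-OS-Fingerprint values. Python's `re` stands in for SpamAssassin's Perl regex engine; for these patterns the semantics are the same. The sample fingerprint strings are invented to resemble p0f output and are not taken from any real log.

```python
import re

# Rules from the thread as (name, compiled regex, score).
# The first two are the live rules; the third is the proposed
# commented-out L_P0F_WXP2KUNSURE rule.
RULES = [
    ("L_P0F_WXP", re.compile(r"^Windows XP(?![^(]*\b2000 SP)"), 2.3),
    ("L_P0F_W", re.compile(r"^Windows(?! XP)"), 1.0),
    ("L_P0F_WXP2KUNSURE", re.compile(r"^Windows XP[^(]*\b2000 SP"), 0.01),
]

# Only the two rules that are actually enabled in the .cf file.
LIVE_RULES = RULES[:2]


def score_fingerprint(value, rules=RULES):
    """Return (total_score, [names of rules that hit]) for one header value.

    Mirrors a SpamAssassin 'header' rule: the regex is applied to the
    header value and the rule's score is added on a match.
    """
    hits = [name for name, rx, _ in rules if rx.search(value)]
    total = sum(score for name, _, score in rules if name in hits)
    return round(total, 2), hits


# Constructed sample values (hypothetical p0f output, not real data).
SAMPLES = [
    "Windows XP SP1+ (distance 10)",        # plain XP: L_P0F_WXP fires
    "Windows XP, 2000 SP4 (distance 12)",   # the 'could be a server' combo
    "Windows 2000 SP4 (distance 8)",        # non-XP Windows: L_P0F_W fires
    "Windows XP (2000 SP4)",                # '2000 SP' only inside parens
    "Linux 2.6 (distance 11)",              # no Windows rule applies
]


def demo(rules=RULES):
    """Score every sample; returns {value: (score, hits)}."""
    return {v: score_fingerprint(v, rules) for v in SAMPLES}


if __name__ == "__main__":
    for value, (score, hits) in demo().items():
        print(f"{score:5.2f}  {hits or '-'}  {value}")
```

The fourth sample shows why the lookahead is written `[^(]*\b2000 SP` rather than `.*2000 SP`: the scan for "2000 SP" stops at the first "(", so a "2000 SP" that appears only inside p0f's parenthesised detail does not suppress L_P0F_WXP. With only `LIVE_RULES`, the "XP, 2000 SP4" combo scores nothing at all, which is the gap Matt's commented-out rule would document.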
