The operating systems that spam you - Revision history (MediaWiki 1.23.5; feed retrieved 2024-03-29T13:18:39Z)
https://strugglers.net/w/index.php?title=The_operating_systems_that_spam_you&feed=atom&action=history
Revision by Andy at 08:26, 17 April 2006 (2006-04-17T08:26:48Z): https://strugglers.net/w/index.php?title=The_operating_systems_that_spam_you&diff=1628&oldid=prev
<p><b>New page</b></p><div>Someone recently asked on the Sussex LUG list whether most spam comes from malware-infected Windows machines or from misconfigured Linux/UNIX mail servers.<br />
<br />
The question as posed is difficult to answer, but as it happens I have for the last 10 days or so been running [http://lcamtuf.coredump.cx/p0f.shtml p0f] against all port 25 connections to mail-in-01.lug.org.uk, the mail server that sits in front of all email addresses @lug.org.uk and @mailman.lug.org.uk.<br />
<br />
If you weren't aware, p0f is a passive operating system fingerprinting tool which makes an "educated guess" about the operating system at the other end of a [[Wikipedia:Transmission Control Protocol|TCP]] connection based on the characteristics of the SYN packet the other side sends. It's a bit like [[Wikipedia:nmap|nmap]]'s fingerprinting, but it's totally passive, i.e. it works on data the other side sends to you in the normal course of a connection, without sending any probe of its own.<br />
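As an added illustration (not part of this page and not p0f's own code), the following Python script shows what a passive fingerprinter actually looks at: it parses a raw IPv4/TCP SYN, pulls out the TTL, window size, DF bit and TCP option layout, rounds the TTL up to a plausible initial value to estimate the hop distance, and matches the resulting signature against a small signature table. The two SYN packets and the signature table are constructed for the example; p0f's real p0f.fp database is far larger and its signature format differs in detail.<br />

```python
import socket
import struct

# Constructed, illustrative signature table keyed on
# "window:initial_ttl:df:option_layout". The labels echo the kind of guess
# p0f prints; they are NOT entries from p0f's real database.
SIGNATURES = {
    "65535:128:1:M1460,N,N,S": "Windows XP/2000 (illustrative signature)",
    "5840:64:1:M1460,S,T,N,W0": "Linux 2.4/2.6 (illustrative signature)",
}


def parse_options(opts):
    """TCP option layout in p0f-style notation: M=MSS, W=window scale,
    S=SACK permitted, T=timestamp, N=NOP, E=end of list."""
    layout, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            layout.append("E")
            break
        if kind == 1:                      # NOP has no length byte
            layout.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):             # truncated option header
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):   # malformed length: stop parsing
            break
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            layout.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and len(body) == 1:
            layout.append("W%d" % body[0])
        elif kind == 4:
            layout.append("S")
        elif kind == 8:
            layout.append("T")
        else:
            layout.append("?%d" % kind)
        i += length
    return layout


def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial TTL; the
    difference is the hop count (what p0f reports as 'distance')."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(packet):
    """Extract the fields a passive fingerprinter keys on from a raw IPv4+TCP SYN."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    ttl = packet[8]
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:             # SYN set, ACK clear: a connection request
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    layout = parse_options(tcp[20:data_off])
    init = initial_ttl(ttl)
    return {
        "ttl": ttl, "initial_ttl": init, "distance": init - ttl,
        "df": df, "window": window, "options": layout,
        "signature": "%d:%d:%d:%s" % (window, init, int(df), ",".join(layout)),
    }


def guess_os(packet):
    return SIGNATURES.get(fingerprint(packet)["signature"], "UNKNOWN")


def build_syn(ttl, window, df, options, src="192.0.2.10", dst="192.0.2.25"):
    """Build a constructed IPv4+TCP SYN for the example (checksums left at zero)."""
    options = options + b"\x00" * (-len(options) % 4)
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, (tcp_len // 4) << 4,
                      0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Two constructed SYNs: a Windows-style one seen 15 hops away (TTL 128 -> 113)
# and a Linux-style one 12 hops away (TTL 64 -> 52).
WINDOWS_SYN = build_syn(113, 65535, True, b"\x02\x04\x05\xb4\x01\x01\x04\x02")
LINUX_SYN = build_syn(52, 5840, True,
                      b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x00")

if __name__ == "__main__":
    for pkt in (WINDOWS_SYN, LINUX_SYN):
        fp = fingerprint(pkt)
        print(fp["signature"], "->", guess_os(pkt), "(distance %d)" % fp["distance"])
```

Only the SYN is examined, which is why a passive tool needs no probe of its own: every client that opens a connection to port 25 volunteers these fields. A SYN whose signature is not in the table comes back as UNKNOWN, which is the same category that shows up in the table below.<br />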
<br />
What all of this means is that I have a very good idea of the operating system of every machine that has tried to send an email to [http://lug.org.uk/ lug.org.uk] users in the last 10 days.<br />
<br />
I took a look at [[Wikipedia:exim|exim]]'s rejectlog to pick out connections which were rejected after the DATA phase because the mail they tried to send scored 10.0 or more in [[Wikipedia:SpamAssassin|SpamAssassin]]. This is of course only a minority of the actual spamming attempts, since most get rejected earlier and a lot still gets through because it scores less than 10.0, but it's the easiest category to identify from the logs.<br />
<br />
I then took each of those log lines, parsed out the IP, discarded duplicate IPs and checked each against my p0f logs. After a bit of text munging the result is as follows:<br />
<br />
<pre>
Count   Operating system guess
------- ----------------------
1011    Windows 2000 SP4, XP SP1
806     Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
442     Windows XP Pro SP1, 2000 SP3
235     UNKNOWN
114     Windows 2000 SP4, XP SP 1
107     Windows XP/2000 (RFC1323, w+, no tstamp)
85      Windows XP/2000
57      Windows XP, 2000 SP2+
40      Windows 98 (15)
32      Linux 2.5 (sometimes 2.4)
26      Windows 98
20      Windows XP SP1, 2000 SP3
19      Windows 98 (10)
16      Windows XP SP1, 2000 SP4
13      Linux 2.4/2.6 <= 2.6.7
12      Windows XP/2000 (RFC1323)
10      Windows XP/2000 (RFC1323 no tstamp)
4       Windows XP (RFC1323, w+)
4       Windows 95
3       Windows 98 (11)
2       Windows SP3
2       Windows 98 (low TTL)
2       FreeBSD 4.7
1       Windows 98 (13)
1       Windows 98 (12)
1       Solaris 8
1       Solaris 2.5
1       PocketPC 2002
1       Novell NetWare 5.0
1       Linux 2.4/2.6 <= 2.6.7 (ECN)
1       Linux 2.4 (Google crawlbot)
1       HP
</pre>
<br />
That is, 2782 Windows variants and 289 everything else: 90.6% of the IPs which sent messages that SpamAssassin scored 10+ were associated with Windows hosts. Note that these are counts of distinct IPs, since I removed duplicates, and it is quite common for one spam source to connect multiple times.<br />
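The log join described above, as an added Python example that is not part of the original page: it picks the post-DATA rejections with a SpamAssassin score of 10.0 or more out of exim rejectlog lines, de-duplicates the IPs, looks each one up in a p0f log (keeping the first guess per IP), and tabulates the OS guesses in the same shape as the table above. Both logs are constructed samples; the wording of the rejection message is site-configurable and the p0f line layout is an assumption about p0f 2.x output, so the two regular expressions would need adjusting for a real installation.<br />

```python
import re
from collections import Counter

# Constructed sample of exim rejectlog lines. The "scored N SpamAssassin points"
# wording is an assumed, site-specific rejection message, and each entry is
# assumed to fit on one line.
EXIM_REJECTLOG = """\
2006-04-15 10:22:01 H=(pc1) [192.0.2.10] F=<a@example.com> rejected after DATA: Your message scored 14.3 SpamAssassin points
2006-04-15 10:22:40 H=(pc1) [192.0.2.10] F=<b@example.com> rejected after DATA: Your message scored 12.0 SpamAssassin points
2006-04-15 10:23:05 H=(mail.example.org) [192.0.2.11] F=<c@example.org> rejected after DATA: Your message scored 7.5 SpamAssassin points
2006-04-15 10:24:17 H=(pc7) [198.51.100.7] F=<d@example.com> rejected after DATA: Your message scored 21.9 SpamAssassin points
2006-04-15 10:25:33 H=(srv) [203.0.113.5] F=<e@example.net> rejected after DATA: Your message scored 10.0 SpamAssassin points
2006-04-15 10:26:02 H=(pc9) [203.0.113.9] F=<f@example.com> rejected RCPT <user@example.com>: relay not permitted
2006-04-15 10:27:48 H=(pc2) [203.0.113.77] F=<g@example.com> rejected after DATA: Your message scored 11.2 SpamAssassin points
""".splitlines()

# Constructed sample in the shape of p0f 2.x output (the exact layout is assumed).
P0F_LOG = """\
<Sat Apr 15 10:22:00 2006> 192.0.2.10:3412 - Windows 2000 SP4, XP SP1 -> 192.0.2.25:25 (distance 15, link: ethernet/modem)
<Sat Apr 15 10:22:39 2006> 192.0.2.10:3419 - Windows 2000 SP4, XP SP1 -> 192.0.2.25:25 (distance 15, link: ethernet/modem)
<Sat Apr 15 10:23:04 2006> 192.0.2.11:2222 - Linux 2.4/2.6 <= 2.6.7 -> 192.0.2.25:25 (distance 9, link: ethernet/modem)
<Sat Apr 15 10:24:16 2006> 198.51.100.7:1025 - Windows XP Pro SP1, 2000 SP3 -> 192.0.2.25:25 (distance 12, link: ethernet/modem)
<Sat Apr 15 10:25:32 2006> 203.0.113.5:40011 - Linux 2.4/2.6 <= 2.6.7 -> 192.0.2.25:25 (distance 9, link: ethernet/modem)
""".splitlines()

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SA_SCORE = re.compile(r"scored (\d+(?:\.\d+)?)")
P0F_LINE = re.compile(r"^<[^>]+> (\d{1,3}(?:\.\d{1,3}){3}):\d+ - (.+?) -> ")


def rejected_ips(reject_lines, threshold=10.0):
    """Distinct IPs rejected after DATA with a SpamAssassin score >= threshold,
    in first-seen order. Earlier-stage rejections carry no score and are skipped."""
    seen, ips = set(), []
    for line in reject_lines:
        if "rejected after DATA" not in line:
            continue
        m_ip, m_score = IP_IN_BRACKETS.search(line), SA_SCORE.search(line)
        if not (m_ip and m_score) or float(m_score.group(1)) < threshold:
            continue
        ip = m_ip.group(1)
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips


def p0f_guesses(p0f_lines):
    """Map source IP -> p0f's OS guess, keeping the first guess seen per IP."""
    guesses = {}
    for line in p0f_lines:
        m = P0F_LINE.match(line)
        if m and m.group(1) not in guesses:
            guesses[m.group(1)] = m.group(2)
    return guesses


def tabulate(reject_lines, p0f_lines, threshold=10.0):
    """Count OS guesses over the distinct high-scoring spam sources; an IP with
    no p0f entry (e.g. its SYN was not captured) is counted as UNKNOWN."""
    guesses = p0f_guesses(p0f_lines)
    return Counter(guesses.get(ip, "UNKNOWN") for ip in rejected_ips(reject_lines, threshold))


def windows_share(counts):
    """Return (windows, other, windows_percent) for a Counter of OS guesses."""
    windows = sum(n for name, n in counts.items() if name.startswith("Windows"))
    total = sum(counts.values())
    return windows, total - windows, (100.0 * windows / total if total else 0.0)


def format_table(counts):
    """Render the counts in the same layout as the table on this page."""
    rows = ["Count   Operating system guess", "------- ----------------------"]
    for name, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        rows.append("%-7d %s" % (n, name))
    return "\n".join(rows)


if __name__ == "__main__":
    counts = tabulate(EXIM_REJECTLOG, P0F_LOG)
    print(format_table(counts))
    print("%d Windows, %d other, %.1f%% Windows" % windows_share(counts))
```

On the constructed sample this yields four distinct sources: the repeated 192.0.2.10 counts once, 192.0.2.11 is dropped because it scored below 10.0, 203.0.113.9 is dropped because it was rejected at RCPT and carries no score, and 203.0.113.77 has no p0f line and lands in UNKNOWN. Counting distinct IPs rather than connections is the same choice made for the table above, and it is what keeps one chatty spam source from dominating the totals.<br />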
<br />
The full p0f log of IPs that were rejected due to scoring 10+ in SpamAssassin is available here:<br />
<br />
http://strugglers.net/~andy/spamming_buggers.txt (422KiB)</div>Andy