The operating systems that spam you

From Strugglers

Someone recently asked on the Sussex LUG list about whether most spam comes from malware-infected Windows machines or misconfigured Linux/UNIX mail servers.

The question as posed is difficult to answer, but as it happens I have for the last 10 days or so been running p0f against all port 25 connections to, the mail server that sits in front of all email addresses and

If you weren't aware, p0f is a passive operating system fingerprinting tool which makes an "educated guess" about the operating system at the other end of a TCP connection based on the characteristics of SYN packets sent. It's a bit like nmap's fingerprinting, but it's totally passive, i.e. it works on data the other side normally sends to you, without making any sort of probe itself.

What all of this means is that I have a very good idea of the operating system of every machine that has tried to send an email to users in the last 10 days.

I took a look at exim's rejectlogs to pick out connections which were rejected after the DATA phase because the mail they tried to send scored 10.0 or more in SpamAssassin. This is of course only a minority of the actual spamming attempts since most get rejected earlier and a lot still gets through as it scores less than 10.0. But it's the easiest category to identify from logs.

I then took each of those log lines, parsed out the IP, discarded duplicate IPs and checked each against my p0f logs. After a bit of text munging the result is as follows:

  Count  Operating system guess
-------  ----------------------
   1011  Windows 2000 SP4, XP SP1
    806  Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222)
    442  Windows XP Pro SP1, 2000 SP3
    235  UNKNOWN
    114  Windows 2000 SP4, XP SP 1
    107  Windows XP/2000 (RFC1323, w+, no tstamp)
     85  Windows XP/2000
     57  Windows XP, 2000 SP2+
     40  Windows 98 (15)
     32  Linux 2.5 (sometimes 2.4)
     26  Windows 98
     20  Windows XP SP1, 2000 SP3
     19  Windows 98 (10)
     16  Windows XP SP1, 2000 SP4
     13  Linux 2.4/2.6 <= 2.6.7
     12  Windows XP/2000 (RFC1323)
     10  Windows XP/2000 (RFC1323 no tstamp)
      4  Windows XP (RFC1323, w+)
      4  Windows 95
      3  Windows 98 (11)
      2  Windows SP3
      2  Windows 98 (low TTL)
      2  FreeBSD 4.7
      1  Windows 98 (13)
      1  Windows 98 (12)
      1  Solaris 8
      1  Solaris 2.5
      1  PocketPC 2002
      1  Novell NetWare 5.0
      1  Linux 2.4/2.6 <= 2.6.7 (ECN)
      1  Linux 2.4 (Google crawlbot)
      1  HP

i.e. 2782 Windows variants and 289 everything else. 90.6% of IPs which sent messages that SpamAssassin scored 10+ were associated with Windows hosts. Note that I did remove duplicate IPs though, and it is quite common for one spam source to connect multiple times.
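The log join described above (take post-DATA rejections scoring 10+, pull out and deduplicate the IPs, look each up in the p0f log, tally the guesses) written out as an added Python example; this is not the author's munging script, and the exim and p0f line formats, hosts and addresses in it are constructed for the example.

```python
import re
from collections import Counter
# Constructed exim rejectlog sample (Exim 4 style; hosts, addresses and rejection text are made up).
REJECTLOG = """\
2005-03-01 10:01:02 H=(mail.example) [192.0.2.10] F=<a@example.net> rejected after DATA: Spam score 14.2
2005-03-01 10:02:15 H=(host2) [192.0.2.11] F=<b@example.net> rejected after DATA: Spam score 11.0
2005-03-01 10:03:44 H=(host3) [192.0.2.12] F=<c@example.net> rejected after DATA: Spam score 7.5
2005-03-01 10:04:09 H=(mail.example) [192.0.2.10] F=<d@example.net> rejected after DATA: Spam score 22.9
2005-03-01 10:05:30 H=(host5) [192.0.2.13] F=<e@example.net> rejected RCPT <x@example.org>: unknown user
2005-03-01 10:06:00 H=(host6) [198.51.100.7] F=<f@example.net> rejected after DATA: Spam score 10.0
"""
# Constructed p0f log lines in the "<time> src:port - guess -> dst:port" shape of p0f 2.x output.
P0F_LOG = """\
<Tue Mar  1 10:01:01 2005> 192.0.2.10:3345 - Windows 2000 SP4, XP SP1 -> 203.0.113.5:25 (distance 14, link: ethernet/modem)
<Tue Mar  1 10:02:14 2005> 192.0.2.11:1029 - Windows XP Pro SP1, 2000 SP3 -> 203.0.113.5:25 (distance 9, link: ethernet/modem)
<Tue Mar  1 10:03:43 2005> 192.0.2.12:52102 - Linux 2.4/2.6 <= 2.6.7 -> 203.0.113.5:25 (distance 6, link: ethernet/modem)
<Tue Mar  1 10:04:08 2005> 192.0.2.10:3350 - Windows 2000 SP4, XP SP1 -> 203.0.113.5:25 (distance 14, link: ethernet/modem)
<Tue Mar  1 10:06:00 2005> 198.51.100.7:4411 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W0:.:?:?] -> 203.0.113.5:25 (link: ethernet/modem)
"""
# Post-DATA rejection carrying the SpamAssassin score; RCPT/HELO rejections do not match.
REJECT_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\] .*rejected after DATA:.*[Ss]core (\d+(?:\.\d+)?)")
# Source IP and OS guess from a p0f line; the raw signature p0f prints after UNKNOWN is dropped.
P0F_RE = re.compile(r"^<[^>]*> (\d+\.\d+\.\d+\.\d+):\d+ - (.+?)(?: \[[^\]]*\])? -> ")

def spam_source_ips(rejectlog, threshold=10.0):
    """Deduplicated IPs whose mail was rejected after DATA with a score >= threshold."""
    return {m.group(1) for m in map(REJECT_RE.search, rejectlog.splitlines())
            if m and float(m.group(2)) >= threshold}

def p0f_guesses(p0f_log):
    """Map each source IP to the first OS guess p0f recorded for it (reversed so earlier lines win)."""
    return {m.group(1): m.group(2)
            for m in map(P0F_RE.match, reversed(p0f_log.splitlines())) if m}

def os_counts(rejectlog, p0f_log, threshold=10.0):
    """Tally OS guesses over the deduplicated spam-source IPs, like the table above."""
    guesses = p0f_guesses(p0f_log)
    return Counter(guesses.get(ip, "(no p0f record)")
                   for ip in spam_source_ips(rejectlog, threshold))

def windows_share(counts):
    """Fraction of spam sources whose guess starts with 'Windows'."""
    total = sum(counts.values())
    return sum(n for g, n in counts.items() if g.startswith("Windows")) / total if total else 0.0

if __name__ == "__main__":
    counts = os_counts(REJECTLOG, P0F_LOG)
    for guess, n in counts.most_common():
        print(f"{n:7d}  {guess}")
    print(f"Windows share: {windows_share(counts):.1%}")
```

On the constructed sample the two connections from 192.0.2.10 collapse to one IP, the 7.5-scoring message and the RCPT-time rejection are ignored, and the Windows share comes out at 66.7%.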

The full p0f log of IPs that were rejected due to scoring 10+ in SpamAssassin is available here: (422KiB)