The operating systems that spam you

Someone recently asked on the Sussex LUG list about whether most spam comes from malware-infected Windows machines or misconfigured Linux/unix mail servers.

The question as posed is difficult to answer, but as it happens I have for the last 10 days or so been running p0f against all port 25 connections to, the mail server that sits in front of all email addresses and

If you weren’t aware, p0f is a passive operating system fingerprinting tool which makes an “educated guess” about the operating system at the other end of a TCP connection based on the characteristics of the SYN packets it sends. It’s a bit like nmap’s fingerprinting, but it’s totally passive, i.e. it works on data the other side normally sends to you, without making any sort of probe itself.
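To make the passive approach concrete, here is an added example (not part of the original post and not p0f's own code) of the matching p0f does: it reads only the fields an incoming SYN already carries, namely TTL, window size, the DF bit and the TCP option layout, rounds the observed TTL up to a plausible initial value, and compares the result against a signature table. The signature table, the `SynObservation` records and the IP addresses are constructed for illustration and are not p0f's real fingerprint database.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynObservation:
    """Fields a passive sniffer can read from an incoming SYN; no probe is sent."""
    src_ip: str
    ttl: int                   # TTL as seen on the wire (initial TTL minus hops)
    window: int                # advertised TCP window
    df: bool                   # IP "don't fragment" bit
    mss: Optional[int]         # MSS option value, if present
    options: Tuple[str, ...]   # TCP option layout in order, e.g. ("mss", "nop", "nop", "sack")


@dataclass(frozen=True)
class Signature:
    label: str
    initial_ttl: int
    window: object             # an int, or ("mss", k) meaning k * MSS
    df: bool
    options: Tuple[str, ...]


# Constructed, illustrative signatures: values are in the style of the named
# stacks of that era, but this table is NOT p0f's real fingerprint database.
SIGNATURES = (
    Signature("Linux 2.6.x (illustrative)", 64, ("mss", 4), True,
              ("mss", "sack", "ts", "nop", "ws")),
    Signature("Windows XP/2000 (illustrative)", 128, 65535, True,
              ("mss", "nop", "nop", "sack")),
    Signature("FreeBSD (illustrative)", 64, 65535, True,
              ("mss", "nop", "ws", "nop", "nop", "ts")),
)


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def window_matches(spec, obs: SynObservation) -> bool:
    """Match either a literal window or a window expressed as a multiple of MSS."""
    if isinstance(spec, int):
        return obs.window == spec
    kind, k = spec
    return kind == "mss" and obs.mss is not None and obs.window == k * obs.mss


def fingerprint(obs: SynObservation) -> Tuple[str, int]:
    """Return (OS label, estimated hop distance) for one observed SYN."""
    itt = initial_ttl(obs.ttl)
    distance = itt - obs.ttl
    for sig in SIGNATURES:
        if (sig.initial_ttl == itt and sig.df == obs.df
                and sig.options == obs.options and window_matches(sig.window, obs)):
            return sig.label, distance
    return "unknown", distance


if __name__ == "__main__":
    # Constructed SYN observations, as a sniffer in front of a mail server might record them.
    samples = [
        SynObservation("192.0.2.12", 52, 5840, True, 1460, ("mss", "sack", "ts", "nop", "ws")),
        SynObservation("192.0.2.10", 116, 65535, True, 1460, ("mss", "nop", "nop", "sack")),
        SynObservation("192.0.2.77", 60, 1024, False, None, ("mss",)),
    ]
    for s in samples:
        label, hops = fingerprint(s)
        print(f"{s.src_ip}: {label}, ~{hops} hops away")
```

The hop estimate falls out of the same TTL rounding: a SYN arriving with TTL 52 from a stack that starts at 64 has crossed about 12 routers. A real tool carries far more signatures and tolerates variation (window scaling, MTU-dependent MSS), but the principle is exactly this: observe, never probe.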

What all of this means is that I have a very good idea of the operating system of every machine that has tried to send an email to users in the last 10 days.

The rest of this article can be read over on the wiki, but the executive summary is: during the ~10 day period of monitoring, over 90% of unique IPs sending mails that scored 10.0+ in SpamAssassin were associated with hosts running Windows.
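The summary figure is a join of two data sets by source IP: the OS guess p0f recorded for each connection and the score SpamAssassin assigned to each message. The following added example (not code from the original post or from either tool) shows that join on constructed, simplified log lines; the line formats, IP addresses and scores are made up for the example and are not the real p0f or SpamAssassin output layouts. It counts each IP once, using the highest score it produced, so a single host sending hundreds of messages does not dominate the result.

```python
import re
from collections import defaultdict

# Constructed sample data. The formats are simplified and are NOT the real
# p0f or SpamAssassin log layouts.
P0F_LOG = """\
192.0.2.10 -> Windows XP/2000
192.0.2.11 -> Windows XP/2000
192.0.2.12 -> Linux 2.6.x
192.0.2.13 -> Windows XP/2000
192.0.2.14 -> Windows XP/2000
192.0.2.15 -> FreeBSD 6.x
"""

SA_LOG = """\
192.0.2.10 score=14.2
192.0.2.10 score=9.1
192.0.2.11 score=22.7
192.0.2.12 score=3.4
192.0.2.13 score=11.0
192.0.2.14 score=4.5
192.0.2.15 score=10.0
192.0.2.99 score=15.3
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
P0F_RE = re.compile(rf"^(?P<ip>{IPV4}) -> (?P<os>.+)$")
SA_RE = re.compile(rf"^(?P<ip>{IPV4}) score=(?P<score>-?\d+(?:\.\d+)?)$")


def parse_fingerprints(text: str) -> dict:
    """Map source IP -> OS label from the (constructed) p0f-style log."""
    fps = {}
    for line in text.splitlines():
        m = P0F_RE.match(line.strip())
        if m:
            fps[m["ip"]] = m["os"]
    return fps


def parse_max_scores(text: str) -> dict:
    """Map source IP -> highest SpamAssassin score that IP produced."""
    scores = {}
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if not m:
            continue
        ip, score = m["ip"], float(m["score"])
        scores[ip] = max(score, scores.get(ip, float("-inf")))
    return scores


def os_family(label: str) -> str:
    """Collapse detailed labels ("Windows XP/2000") to a family ("Windows")."""
    return label.split()[0] if label else "unknown"


def spam_share_by_os(fps: dict, scores: dict, threshold: float = 10.0) -> dict:
    """Fraction of unique IPs scoring >= threshold, broken down by OS family.

    IPs seen by SpamAssassin but never fingerprinted are reported as "unknown".
    """
    counts = defaultdict(int)
    for ip, score in scores.items():
        if score >= threshold:
            counts[os_family(fps.get(ip, "unknown"))] += 1
    total = sum(counts.values())
    return {os: n / total for os, n in counts.items()} if total else {}


if __name__ == "__main__":
    shares = spam_share_by_os(parse_fingerprints(P0F_LOG), parse_max_scores(SA_LOG))
    for os, share in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{os:10s} {share:6.1%}")
```

Two things to watch when reproducing this kind of measurement: the threshold is applied to the per-IP maximum, so the "unique IPs" wording in the summary is what is actually being counted; and hosts that SpamAssassin scored but p0f never saw (a connection whose SYN was missed, for instance) must be kept in the denominator as "unknown" rather than silently dropped, or the Windows share is overstated.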