I have policyd set up to blacklist any IP that attempts to send mail to any of my “spamtrap” addresses (I have almost 30 e-mail addresses that regularly receive spam, but aren’t used by a single human, so instead of just bouncing the mail as undeliverable, I let them send the mail, blacklist their IP, and then refuse it). Entries last for 14 days in the database, so that people aren’t penalized for months-old violations. (I actually think 14 days might be too long, but I’m in no rush to lower it.)
I set up a page that lists the 100 most-recently blacklisted IPs and also uses GeoIP to try to determine their country.
But then I got another neat idea. I’d heard about p0f a few times before, but never played around with it. In essence, it’s able to look at a TCP session and (most of the time) determine the OS in use, via passive fingerprinting. Unlike nmap, it doesn’t go out and try a thousand different probes. Just by examining the structure of the packets, it’s able to make its guess.
So I set it up to listen on the server’s NIC, and log its OS guess for incoming connections. And now my list of recently-blacklisted spam IPs shows the OS they were identified as having.
What’s interesting to me is that most of them run old versions of Windows: “Windows 2000 SP4, XP SP1” is especially common. And I have a hunch for why: it seems that botnets are seeing increased use for sending spam. That is, most of the spam I’m receiving is being delivered via old, unpatched Windows machines that have been infected with a virus, which spammers use to pump out spam. (Hence Spamhaus’ PBL, a blacklist of IPs that should be people’s home IPs, not mailservers.)
I also set up a p0f script to show you what p0f shows for you, when you connect to that page. It also prints out the various headers your browser sends, so that you can see just what websites can see.
All of this reminded me of OpenBSD’s pf firewall, and its scrub options, to try to “clean up” packets. Thus I show up as:
Windows XP/2000 (RFC1323, w+, no tstamp) [GENERIC]
  Signature: [8192:115:1:52:M1460,N,W2,N,N,S:.:Windows:?]
  -> 188.8.131.52:80 (distance 13, link: ethernet/modem)
This is actually still fairly accurate, but I’m actually using Vista. OpenBSD seems to be stripping some of the data out, though, keeping p0f from showing too much.
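The bracketed signature in that output can be read field by field. The Python below is an added example, not code from the original post or from p0f; it assumes the p0f v2 field order (window, TTL, DF bit, SYN size, TCP options, quirks, genre, details) and option letters, and it guesses the sender's initial TTL by rounding the observed value up to the next common default, which is a heuristic.

```python
import re

# Assumed p0f v2 field order; the post only shows the raw signature.
FIELDS = ("window", "ttl", "df", "syn_size", "options", "quirks", "genre", "details")
# Assumed p0f v2 option letters.
OPTION_NAMES = {"M": "MSS", "W": "window scale", "N": "NOP", "E": "EOL",
                "S": "SACK permitted", "T": "timestamp"}
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # heuristic list of OS default TTLs

# The p0f output quoted in the post, joined into one string.
SAMPLE = ("Windows XP/2000 (RFC1323, w+, no tstamp) [GENERIC] "
          "Signature: [8192:115:1:52:M1460,N,W2,N,N,S:.:Windows:?] "
          "-> 188.8.131.52:80 (distance 13, link: ethernet/modem)")

def parse_signature(line):
    """Return the eight signature fields as a dict of strings."""
    match = re.search(r"Signature: \[([^\]]+)\]", line)
    if match is None:
        raise ValueError("no p0f signature found")
    parts = match.group(1).split(":", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected number of signature fields")
    return dict(zip(FIELDS, parts))

def decode_options(options):
    """Expand 'M1460,N,W2' into [(name, value or None), ...] in wire order."""
    decoded = []
    for token in options.split(","):
        if token in ("", "."):  # '.' means the SYN carried no TCP options
            continue
        decoded.append((OPTION_NAMES.get(token[0], "unrecognized"), token[1:] or None))
    return decoded

def hop_distance(observed_ttl):
    """Guess the initial TTL and the number of hops already consumed."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL out of range")
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial, initial - observed_ttl

def summarize(line):
    """Collect what a passive observer learns from one SYN signature."""
    sig = parse_signature(line)
    options = decode_options(sig["options"])
    initial_ttl, distance = hop_distance(int(sig["ttl"]))
    return {"genre": sig["genre"], "df_set": sig["df"] == "1",
            "initial_ttl": initial_ttl, "distance": distance, "options": options,
            "has_timestamp": any(name == "timestamp" for name, _ in options)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The observed TTL of 115 rounds up to 128, which gives the same distance of 13 that p0f printed, and the option list carries no timestamp, matching the “no tstamp” note.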