Mark Martinec wrote:
> The most interesting part in my view is not the IP distance, but the
> type of OS, illustrated by the following table (derived from the same
> data as fig2):
>
> p0f OS guess      ham   : spam
> -------------------------------
> Windows-XP        0.7 % : 99.3 %
> Windows-2000      5.8 % : 94.2 %
> UNKNOWN          16.5 % : 83.5 %
> Linux            58.8 % : 41.2 %
> Unix             80.3 % : 19.7 %
> (Unix+Linux      66.5 % : 33.5 %)
>
> Only 0.7% of all mail coming from Windows-XP hosts is ham!!!
> It is ideal information to contribute two or three score points.
I'm not sure the ham hit rate from the Windows-XP category scales (to
other installations) very well. The last time I looked into using p0f
to fingerprint connecting hosts, last spring, I seem to recall that
Windows XP and Windows 2003 share the same TCP/IP stack and fingerprint
identically.
While it'd be nice to score "Windows-XP" hosts harshly, there's a lot
of mail coming from Windows Server 2003 hosts that would get hit.
I know for some of my systems 1:99 would be really low if Windows Server
2003 and XP are identified the same. 40:60 (and in some cases 80:20)
would be closer to what I often see if I were to assume that all spam
came from Windows XP hosts.
Maybe you don't receive much, if any, mail from Windows Server 2003 hosts?
Daryl
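The exchange above is about turning a p0f OS guess into score points and about what happens when two OS classes share a fingerprint. The following is an added illustration, not code from either poster or from SpamAssassin or p0f: it converts the ham:spam percentages quoted in the thread into clamped log-odds points, and then shows how the Windows-XP contribution collapses when a site substitutes its own observed ratio (Daryl's 40:60) for the merged XP/2003 class. The 0.6 points-per-nat weight and the +/-3 clamp are assumptions chosen to land in the "two or three points" range mentioned in the thread.

```python
import math

# Ham:spam percentages per p0f OS guess, copied from the table quoted in the thread.
OS_HAM_SPAM = {
    "Windows-XP":   (0.7, 99.3),
    "Windows-2000": (5.8, 94.2),
    "UNKNOWN":      (16.5, 83.5),
    "Linux":        (58.8, 41.2),
    "Unix":         (80.3, 19.7),
}


def log_odds(ham_pct, spam_pct):
    """Natural-log spam:ham odds for one class; positive leans spam, negative leans ham."""
    if ham_pct <= 0 or spam_pct <= 0:
        raise ValueError("percentages must be positive to form odds")
    return math.log(spam_pct / ham_pct)


def os_score(os_guess, table=OS_HAM_SPAM, points_per_nat=0.6, clamp=3.0):
    """Map a p0f OS guess to score points (assumed scheme: scaled, clamped log-odds).

    Labels absent from the table contribute nothing, so an unrecognised OS
    guess can never push a message over the threshold on its own.
    """
    if os_guess not in table:
        return 0.0
    ham_pct, spam_pct = table[os_guess]
    points = log_odds(ham_pct, spam_pct) * points_per_nat
    return max(-clamp, min(clamp, points))


def with_site_ratio(table, os_guess, ham_pct, spam_pct):
    """Return a copy of the table with one class replaced by a site's own ham:spam ratio.

    This models the thread's objection: if Windows XP and Windows Server 2003
    fingerprint identically, the class really covers both, and a site that
    receives legitimate mail from 2003 servers sees a very different ratio.
    """
    updated = dict(table)
    updated[os_guess] = (ham_pct, spam_pct)
    return updated


def score_report(table=OS_HAM_SPAM):
    """Points for every class in the table, for a quick side-by-side view."""
    return {label: round(os_score(label, table), 2) for label in table}


if __name__ == "__main__":
    print("Published ratios:", score_report())
    # Daryl's observed ratio for the merged XP/2003 class at one of his sites.
    merged = with_site_ratio(OS_HAM_SPAM, "Windows-XP", 40.0, 60.0)
    print("Site ratio 40:60 for XP/2003:", score_report(merged))
```

Running the report shows the published XP ratio hitting the clamp, while the same class scored with a 40:60 site ratio contributes well under half a point, which is the scaling concern raised in the reply.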