Yahoo Groups archive

Milter-greylist

Message

Re: [milter-greylist] P0f support

2008-08-31 by Oliver Fromme

manu@... wrote:
 > Patrick Domack <patrickdk@...> wrote:
 > 
 > > well, since we now have support for everything else (dnsbl, spf,  
 > > dkim), why not add p0f support (os fingerprinting) to selectively  
 > > greylist against.
 > 
 > Heavily greylisting windows XP boxen could be a major benefit.

The important question is:  How reliable is it?  How likely
is it to get false positives?  It should be pointed out
that tools like nmap (and similar) just take a good guess,
but are often wrong.  For example, it doesn't detect one of
my backup MX machines correctly.

Also note that some server admins intentionally change the
parameters of their TCP/IP stack so fingerprinting does not
guess their OS correctly (just like many admins change the
welcome message of their MTA so it confuses potential
attackers).

I don't want to put a huge greylist delay on machines based
on their OS if the OS detection isn't 100% reliable.

And I *certainly* don't want my own MTAs greylisted for a
long time just because some other braindead server is unable
to detect my OS correctly.  :-(

That's why I feel a little uneasy adding such a "feature"
to milter-greylist.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Munich registry
court, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"The ITU has offered the IETF formal alignment with its
corresponding technology, Penguins, but that won't fly."
        -- RFC 2549
