Michael Mansour wrote:
>> I'm running the p0f software and it is seeing the OS of
>> connecting machines, but I'm hoping there's some help somewhere
>> which tells me how mgl uses this and whether there's some example
>> ACL's I could base rules on in greylist.conf?
Enrico Scholz responded:
> p0fsock "/var/run/p0frun/sock"
>
> racl greylist p0f "Windows.*" delay 90m autowhite 1d msg "Please
> come again later; mail from MS Windows based mailservers smells too
> much like spam"
I don't recommend that as it will block lots of legitimate MS Exchange
servers. This is in my config (feel free to change the delay time):
# safe Windows hosts
racl whitelist p0f "Windows 2003" addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2008" addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2000 SP4" addheader "X-Greylist-OS: %Fx"
racl greylist p0f "Windows" \
delay 20m autowhite 4d addheader "X-Greylist-OS: %Fx"
That added header is picked up by SpamAssassin with this rule in local.cf:
header KHOP_WIN_GREYED X-Greylist-OS =~ /Windows (?:XP|2000(?! SP4)|Vista)/
describe KHOP_WIN_GREYED Sending server is a Windows desktop OS
score KHOP_WIN_GREYED 0.2 0.2 0.5 0.5
Because I have whitelist lines, the whole collection is near the
bottom of the file. Windows 2000 SP4 creates some false negatives,
but that's the direction I'd prefer to lean towards. I don't think
I've had anything hit "Windows 2008" (or anything called "Vista") yet,
but I haven't been too attentive at looking for it either.
For anybody interested in the numbers, here's a quick look at my logs:
# zgrep -ho '(Windows .*->' greylist.log* |sed 's/^.//;s/)[^)]*$//' |sort |uniq -c |sort -n
1 Windows 95b
1 Windows 98 (8)
1 Windows 98 (low TTL) (2)
1 Windows SP3
1 Windows XP, 2000 SP2+
4 Windows XP/2000 while downloading (leak!)
14 Windows 98 (9)
16 Windows 98 (15)
20 Windows 98 (4)
20 Windows 98 (no sack)
23 Windows 98 (1)
29 Windows 98 (6)
32 Windows 2003 (2)
42 Windows 98 (10)
47 Windows XP SP1+, 2000 SP4 (3)
103 Windows XP/2000 (RFC1323+, w, tstamp+)
171 Windows XP SP1+, 2000 SP3 (2)
233 Windows 2003 (1)
259 Windows XP/2000 (RFC1323+, w, tstamp-)
391 Windows XP/2000 (RFC1323+, w+, tstamp+)
552 Windows 2000 SP4, XP SP1+ (2)
837 Windows XP/2000
1040 Windows XP SP1+, 2000 SP3
1417 Windows XP/2000 (RFC1323+, w+, tstamp-)
7193 Windows 2000 SP2+, XP SP1+ (seldom 98)
26492 Windows 2000 SP4, XP SP1+
Re: [milter-greylist] Re: How do you configure p0f?
2010-03-16 by Adam Katz
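The ACLs and the SpamAssassin rule from the message above, run against a few of the fingerprint labels in its log tally. This is an added example, not code from the thread. It assumes a quoted p0f string is a case-insensitive substring match, that the first matching ACL wins, and that the X-Greylist-OS header value equals the p0f label; the function names are made up here.

```python
import re

# SpamAssassin rule from the post, with the wrapped line rejoined.
KHOP_WIN_GREYED = re.compile(r"Windows (?:XP|2000(?! SP4)|Vista)")

# ACLs from the post, in file order. Assumption: a quoted p0f string is a
# case-insensitive substring match and the first matching ACL wins.
ACLS = [("whitelist", "Windows 2003"), ("whitelist", "Windows 2008"),
        ("whitelist", "Windows 2000 SP4"), ("greylist", "Windows")]

# Counts and fingerprint labels copied from the log tally in the post.
LOG_TALLY = [
    (26492, "Windows 2000 SP4, XP SP1+"),
    (7193, "Windows 2000 SP2+, XP SP1+ (seldom 98)"),
    (1417, "Windows XP/2000 (RFC1323+, w+, tstamp-)"),
    (233, "Windows 2003 (1)"),
    (47, "Windows XP SP1+, 2000 SP4 (3)"),
    (42, "Windows 98 (10)"),
]


def acl_action(label):
    """Return the action of the first ACL whose string occurs in the label."""
    for action, needle in ACLS:
        if needle.lower() in label.lower():
            return action
    return "no-match"


def classify(label):
    """Return (ACL action, whether KHOP_WIN_GREYED fires on the header)."""
    # Assumption: the X-Greylist-OS header carries the p0f label unchanged.
    return acl_action(label), bool(KHOP_WIN_GREYED.search(label))


def summarize(tally):
    """Sum connection counts per (ACL action, rule fired) outcome."""
    totals = {}
    for count, label in tally:
        key = classify(label)
        totals[key] = totals.get(key, 0) + count
    return totals


if __name__ == "__main__":
    for count, label in LOG_TALLY:
        print(count, *classify(label), label, sep="\t")
```

Label order matters: "Windows 2000 SP4, XP SP1+" hits the whitelist ACL and does not trigger the rule, while "Windows XP SP1+, 2000 SP4 (3)" falls through to the greylist ACL and does trigger it.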