Spam detection by TCP packet fingerprinting

After the whole panoply of amavis, bogofilter, spamassassin..... p0f

p0f can determine (with fairly good accuracy) the OS of a remote machine, and does so passively (not the NMAP way).

How do you launch p0f so that it analyses the packets destined for port 25 that do not come from the LAN/VPN/...?

#!/bin/sh
# Build a BPF filter: ignore loopback and the private LAN range...
p0ffilter="( not src 127.0.0.1 and not src net 192.168.0.0/16"

# ...and every address configured on this host. The 'inet adr' pattern matches
# French-locale ifconfig output; an English locale prints 'inet addr' instead.
for oneip in `/sbin/ifconfig 2>/dev/null | grep -v 127.0.0.1 | grep 'inet adr' | sed -e 's/.*adr://' -e 's/ .*//'`; do
p0ffilter="$p0ffilter and not src host $oneip"
done

# Close the group and keep only SYNs towards our SMTP port.
p0ffilter="$p0ffilter ) and tcp dst port 25"

killall p0f
killall p0f-analyzer

# p0f -l prints one line per connection; p0f-analyzer caches those lines and
# answers UDP queries on port 2345.
nohup /usr/sbin/p0f -i any -l "$p0ffilter" 2>&1 | nohup /usr/sbin/p0f-analyzer 2345 >/dev/null &

This (admittedly rather dirty) script launches p0f.

Once p0f is running, p0f-analyzer can be queried over UDP on port 2345.
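To make the p0f -l to p0f-analyzer hand-off concrete, here is an added Python model of that pipeline; it is not code from this post, from p0f or from amavisd-new. It parses constructed p0f 2.x single-line output into the per-connection table the analyzer keeps, and answers "ip port" UDP queries from that table the way amavisd asks for a client's OS guess. The line format and the query/reply shape are my reading of those tools and should be treated as assumptions; the sample lines and addresses are constructed.

```python
"""Toy model of 'p0f -l | p0f-analyzer <port>'. Added example, not code from
the post, p0f or amavisd-new. Assumptions: p0f -l prints
'<src_ip>:<src_port> - <os guess> -> <dst_ip>:<dst_port> (distance N, link: X)'
and the analyzer answers a UDP datagram '<ip> <port>' with the same two tokens
followed by the cached OS guess (or by nothing when it has no entry)."""
import re
import socket
import threading

# Constructed sample of p0f -l output for SYNs towards our MTA's port 25.
SAMPLE_P0F_LINES = """\
203.0.113.17:3421 - Windows XP/2000 (RFC1323+, w+, tstamp-) -> 198.51.100.2:25 (distance 14, link: ethernet/modem)
203.0.113.44:51234 - Linux 2.6 (newer, 1) -> 198.51.100.2:25 (distance 9, link: ethernet/modem)
203.0.113.99:1025 - UNKNOWN [65535:128:1:48:M1460,N,N,S:.:?:?] -> 198.51.100.2:25 (distance 0, link: ethernet/modem)
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) - (?P<os>.+?) -> "
    r"(?P<dip>\d+(?:\.\d+){3}):(?P<dport>\d+) "
    r"\(distance (?P<dist>-?\d+), link: (?P<link>[^)]*)\)$"
)


def parse_p0f_line(line):
    """Split one p0f -l line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")), "os": m.group("os"),
            "dst": (m.group("dip"), int(m.group("dport"))),
            "distance": int(m.group("dist")), "link": m.group("link")}


def build_table(text):
    """Cache keyed by (src_ip, src_port): the client port is what lets amavisd
    tie an SMTP session back to the SYN p0f saw."""
    table = {}
    for line in text.splitlines():
        rec = parse_p0f_line(line)
        if rec:
            table[(rec["ip"], rec["port"])] = rec
    return table


def answer_query(table, datagram):
    """Reply for one 'ip port' query; malformed queries get no reply at all."""
    parts = datagram.decode("ascii", "replace").split()
    if len(parts) != 2 or not parts[1].isdigit():
        return None
    ip, port = parts[0], int(parts[1])
    reply = f"{ip} {port}"
    rec = table.get((ip, port))
    if rec:
        reply += " " + rec["os"]
    return (reply + "\n").encode("ascii")


def serve(table, sock, stop):
    """Minimal UDP responder standing in for p0f-analyzer."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(1024)
        except socket.timeout:
            continue
        reply = answer_query(table, data)
        if reply:
            sock.sendto(reply, peer)


def lookup(ip, port, analyzer=("127.0.0.1", 2345), timeout=2.0):
    """What amavisd does per message: ask the analyzer for the client's OS guess."""
    query = f"{ip} {port}"
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto((query + "\n").encode("ascii"), analyzer)
        reply, _ = s.recvfrom(1024)
    except socket.timeout:
        return None  # analyzer down or query lost: treat as "unknown"
    finally:
        s.close()
    text = reply.decode("ascii", "replace").strip()
    if text != query and not text.startswith(query + " "):
        return None
    return text[len(query):].strip() or None


def demo():
    """Run the toy analyzer on an ephemeral loopback port and query it."""
    table = build_table(SAMPLE_P0F_LINES)
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    addr = srv.getsockname()
    stop = threading.Event()
    t = threading.Thread(target=serve, args=(table, srv, stop), daemon=True)
    t.start()
    try:
        return {"xp": lookup("203.0.113.17", 3421, addr),
                "unknown": lookup("203.0.113.99", 1025, addr),
                "miss": lookup("192.0.2.1", 1, addr)}
    finally:
        stop.set()
        t.join()
        srv.close()


if __name__ == "__main__":
    for name, guess in demo().items():
        print(f"{name}: {guess}")
```

The table is keyed on source port as well as address because the same client address can carry several SMTP sessions with different fingerprints (a NAT gateway in front of mixed hosts); a cache miss comes back as the bare "ip port" echo, which the client turns into None so the mail is simply scored without an OS guess.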

Next, edit /etc/amavis/conf.d/50-user and add:

$os_fingerprint_method = 'p0f:127.0.0.1:2345';

then restart amavis (/etc/init.d/amavisd restart)

Next, create /etc/spamassassin/p0f.cf containing:

# Rules match the X-Amavis-OS-Fingerprint header that amavisd inserts.

header P0F_WIN311 X-Amavis-OS-Fingerprint =~ /^Windows 3.11/
score P0F_WIN311 3.0
describe P0F_WIN311 Client is running Windows 3.11

header P0F_WIN95 X-Amavis-OS-Fingerprint =~ /^Windows 95/
score P0F_WIN95 3.0
describe P0F_WIN95 Client is running Windows 95

header P0F_WIN98 X-Amavis-OS-Fingerprint =~ /^Windows 98/
score P0F_WIN98 3.0
describe P0F_WIN98 Client is running Windows 98

header P0F_WINME X-Amavis-OS-Fingerprint =~ /^Windows ME/
score P0F_WINME 3.0
describe P0F_WINME Client is running Windows ME

header P0F_WINNT X-Amavis-OS-Fingerprint =~ /^Windows NT/
score P0F_WINNT 0.5
describe P0F_WINNT Client is running Windows NT

header P0F_WIN2K X-Amavis-OS-Fingerprint =~ /^Windows 2000(?!.*XP)/
score P0F_WIN2K 1.5
describe P0F_WIN2K Client is running Windows 2000

header P0F_WINXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?!.*2000)/
score P0F_WINXP 2.5
describe P0F_WINXP Client is running Windows XP

header P0F_WINXP2K X-Amavis-OS-Fingerprint =~ /^Windows (XP.+2000|2000.+XP)/
score P0F_WINXP2K 1.5
describe P0F_WINXP2K Client is running Windows 2000 or XP

header P0F_WIN2K3 X-Amavis-OS-Fingerprint =~ /^Windows 2003/
score P0F_WIN2K3 0.2
describe P0F_WIN2K3 Client is running Windows 2003

header P0F_WINNET X-Amavis-OS-Fingerprint =~ /^Windows \.NET/
score P0F_WINNET 0.2
describe P0F_WINNET Client is running Windows .NET Enterprise Server

header P0F_WINCE X-Amavis-OS-Fingerprint =~ /^Windows CE/
score P0F_WINCE 0.1
describe P0F_WINCE Client is running Windows CE

header P0F_WINVISTA X-Amavis-OS-Fingerprint =~ /^Windows Vista/
score P0F_WINVISTA 2.5
describe P0F_WINVISTA Client is running Windows Vista

header P0F_MACOS X-Amavis-OS-Fingerprint =~ /^MacOS/
score P0F_MACOS 0.1
describe P0F_MACOS Client is running Mac OS

header P0F_FREEBSD X-Amavis-OS-Fingerprint =~ /^FreeBSD/
score P0F_FREEBSD -0.1
describe P0F_FREEBSD Client is running FreeBSD

header P0F_OPENBSD X-Amavis-OS-Fingerprint =~ /^OpenBSD/
score P0F_OPENBSD -1.0
describe P0F_OPENBSD Client is running OpenBSD

header P0F_NETBSD X-Amavis-OS-Fingerprint =~ /^NetBSD/
score P0F_NETBSD -1.0
describe P0F_NETBSD Client is running NetBSD

header P0F_SOLARIS X-Amavis-OS-Fingerprint =~ /^Solaris/
score P0F_SOLARIS -1.0
describe P0F_SOLARIS Client is running Solaris

header P0F_HPUX X-Amavis-OS-Fingerprint =~ /^HP-UX/
score P0F_HPUX -1.0
describe P0F_HPUX Client is running HP-UX

header P0F_TRU64 X-Amavis-OS-Fingerprint =~ /^Tru64/
score P0F_TRU64 -1.0
describe P0F_TRU64 Client is running Tru64

header P0F_AIX X-Amavis-OS-Fingerprint =~ /^AIX/
score P0F_AIX -1.0
describe P0F_AIX Client is running AIX

header P0F_LINUX X-Amavis-OS-Fingerprint =~ /^Linux/
score P0F_LINUX -0.5
describe P0F_LINUX Client is running Linux

header P0F_SUNOS X-Amavis-OS-Fingerprint =~ /^SunOS/
score P0F_SUNOS -1.0
describe P0F_SUNOS Client is running SunOS

header P0F_IRIX X-Amavis-OS-Fingerprint =~ /^IRIX/
score P0F_IRIX -1.0
describe P0F_IRIX Client is running IRIX

header P0F_OPENVMS X-Amavis-OS-Fingerprint =~ /^OpenVMS/
score P0F_OPENVMS -1.0
describe P0F_OPENVMS Client is running OpenVMS

header P0F_RISCOS X-Amavis-OS-Fingerprint =~ /^RISC OS/
score P0F_RISCOS -1.0
describe P0F_RISCOS Client is running RISC OS

header P0F_BSD X-Amavis-OS-Fingerprint =~ /^BSD/
score P0F_BSD -1.0
describe P0F_BSD Client is running BSD/OS

header P0F_NEWTON X-Amavis-OS-Fingerprint =~ /^NewtonOS/
score P0F_NEWTON 0.1
describe P0F_NEWTON Client is running NewtonOS

header P0F_NEXT X-Amavis-OS-Fingerprint =~ /^NeXTSTEP/
score P0F_NEXT -1.0
describe P0F_NEXT Client is running NeXTSTEP

header P0F_BEOS X-Amavis-OS-Fingerprint =~ /^BeOS/
score P0F_BEOS -1.0
describe P0F_BEOS Client is running BeOS

header P0F_OS400 X-Amavis-OS-Fingerprint =~ /^OS\/400/
score P0F_OS400 -1.0
describe P0F_OS400 Client is running OS/400

header P0F_ULTRIX X-Amavis-OS-Fingerprint =~ /^ULTRIX/
score P0F_ULTRIX -1.0
describe P0F_ULTRIX Client is running ULTRIX

header P0F_QNX X-Amavis-OS-Fingerprint =~ /^QNX/
score P0F_QNX -1.0
describe P0F_QNX Client is running QNX

header P0F_NETWARE X-Amavis-OS-Fingerprint =~ /^Novell NetWare/
score P0F_NETWARE 2.0
describe P0F_NETWARE Client is running NetWare

header P0F_INTRANETWARE X-Amavis-OS-Fingerprint =~ /^Novell IntranetWare/
score P0F_INTRANETWARE 2.0
describe P0F_INTRANETWARE Client is running IntranetWare

header P0F_BORDERMGR X-Amavis-OS-Fingerprint =~ /^Novell BorderManager/
score P0F_BORDERMGR 2.0
describe P0F_BORDERMGR Client is running BorderManager

header P0F_SCO X-Amavis-OS-Fingerprint =~ /^SCO/
score P0F_SCO -1.0
describe P0F_SCO Client is running SCO

header P0F_DOS X-Amavis-OS-Fingerprint =~ /^DOS/
score P0F_DOS 3.0
describe P0F_DOS Client is running DOS

header P0F_OS2 X-Amavis-OS-Fingerprint =~ /^OS\/2/
score P0F_OS2 2.0
describe P0F_OS2 Client is running OS/2

header P0F_TOPS20 X-Amavis-OS-Fingerprint =~ /^TOPS-20/
score P0F_TOPS20 -1.0
describe P0F_TOPS20 Client is running TOPS-20

header P0F_AMIGA X-Amavis-OS-Fingerprint =~ /^AMIGA/
score P0F_AMIGA 1.0
describe P0F_AMIGA Client is running AMIGAOS

header P0F_MINIX X-Amavis-OS-Fingerprint =~ /Minix/
score P0F_MINIX -1.0
describe P0F_MINIX Client is running Minix

header P0F_PLAN9 X-Amavis-OS-Fingerprint =~ /^Plan9/
score P0F_PLAN9 -1.0
describe P0F_PLAN9 Client is running Plan9

header P0F_FREEMINT X-Amavis-OS-Fingerprint =~ /^FreeMiNT/
score P0F_FREEMINT 1.0
describe P0F_FREEMINT Client is running FreeMiNT

header P0F_NETCACHE X-Amavis-OS-Fingerprint =~ /^NetCache/
score P0F_NETCACHE -0.1
describe P0F_NETCACHE Client is running NetCache

header P0F_CACHEFLOW X-Amavis-OS-Fingerprint =~ /^CacheFlow/
score P0F_CACHEFLOW -0.1
describe P0F_CACHEFLOW Client is running CacheFlow

header P0F_POWERAPP X-Amavis-OS-Fingerprint =~ /^Dell PowerApp/
score P0F_POWERAPP -0.1
describe P0F_POWERAPP Client is running PowerApp

header P0F_PALMOS X-Amavis-OS-Fingerprint =~ /^PalmOS/
score P0F_PALMOS 0.1
describe P0F_PALMOS Client is running PalmOS

header P0F_SYMBIANOS X-Amavis-OS-Fingerprint =~ /^SymbianOS/
score P0F_SYMBIANOS 0.1
describe P0F_SYMBIANOS Client is running SymbianOS

header P0F_ZAURUS X-Amavis-OS-Fingerprint =~ /^Zaurus/
score P0F_ZAURUS 0.1
describe P0F_ZAURUS Client is running Zaurus

header P0F_POCKETPC X-Amavis-OS-Fingerprint =~ /^PocketPC/
score P0F_POCKETPC 0.1
describe P0F_POCKETPC Client is running PocketPC

header P0F_CONTIKI X-Amavis-OS-Fingerprint =~ /^Contiki/
score P0F_CONTIKI 0.1
describe P0F_CONTIKI Client is running Contiki

header P0F_PLAYSTATION X-Amavis-OS-Fingerprint =~ /^Sony Playstation/
score P0F_PLAYSTATION 3.0
describe P0F_PLAYSTATION Client is running Sony Playstation

header P0F_DREAMCAST X-Amavis-OS-Fingerprint =~ /^Sega Dreamcast/
score P0F_DREAMCAST 3.0
describe P0F_DREAMCAST Client is running Sega Dreamcast

header P0F_UNKNOWN X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
score P0F_UNKNOWN 0.8
describe P0F_UNKNOWN Client OS is unknown

then restart spamassassin (/etc/init.d/spamassassin restart)

If all goes well, the X-Amavis-OS-Fingerprint: header appears in the mails.

SpamAssassin can therefore score mails according to this header.

! Warning ! This requires amavisd version >= 2.4.3
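To check how the rule file above actually scores a given fingerprint, here is an added Python evaluator; it is not SpamAssassin code and not from this post, it only reimplements the "header NAME HDR =~ /re/", "score" and "describe" lines of p0f.cf as far as these rules use them. It embeds a constructed subset of the rules, matched against the X-Amavis-OS-Fingerprint header that amavisd inserts, and shows how the negative lookaheads in the three Windows 2000/XP rules keep them mutually exclusive. The header values are constructed; the patterns use only regex syntax shared by Perl and Python, and a rule with no score line gets SpamAssassin's default of 1.0.

```python
"""Evaluate SpamAssassin-style 'header' rules against an OS fingerprint header.
Added example, not SpamAssassin or amavisd code; covers only the rule forms
used in p0f.cf (header/score/describe) and a single score value per rule."""
import re

# Constructed subset of the rules above (raw string so the \/ escape survives).
RULES_CF = r"""
header P0F_WIN2K X-Amavis-OS-Fingerprint =~ /^Windows 2000(?!.*XP)/
score P0F_WIN2K 1.5
describe P0F_WIN2K Client is running Windows 2000

header P0F_WINXP X-Amavis-OS-Fingerprint =~ /^Windows XP(?!.*2000)/
score P0F_WINXP 2.5
describe P0F_WINXP Client is running Windows XP

header P0F_WINXP2K X-Amavis-OS-Fingerprint =~ /^Windows (XP.+2000|2000.+XP)/
score P0F_WINXP2K 1.5
describe P0F_WINXP2K Client is running Windows 2000 or XP

header P0F_LINUX X-Amavis-OS-Fingerprint =~ /^Linux/
score P0F_LINUX -0.5
describe P0F_LINUX Client is running Linux

header P0F_OPENBSD X-Amavis-OS-Fingerprint =~ /^OpenBSD/
score P0F_OPENBSD -1.0

header P0F_OS400 X-Amavis-OS-Fingerprint =~ /^OS\/400/
score P0F_OS400 2.0

header P0F_UNKNOWN X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
score P0F_UNKNOWN 0.8
describe P0F_UNKNOWN Client OS is unknown
"""

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)$")


def _rule(rules, name):
    # SpamAssassin scores a rule that has no 'score' line as 1.0.
    return rules.setdefault(name, {"score": 1.0, "describe": ""})


def parse_rules(text):
    """Parse header/score/describe lines into {name: {header, regex, score, describe}}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, _, rest = line.partition(" ")
        if kw == "header":
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"unparsable header rule: {line}")
            name, hdr, pattern, flags = m.groups()
            r = _rule(rules, name)
            r["header"] = hdr
            r["regex"] = re.compile(pattern, re.I if "i" in flags else 0)
        elif kw == "score":
            name, value = rest.split()
            _rule(rules, name)["score"] = float(value)
        elif kw == "describe":
            name, _, desc = rest.partition(" ")
            _rule(rules, name)["describe"] = desc
    return rules


def evaluate(rules, headers):
    """Apply every rule to the message headers; '=~' is an unanchored search,
    so the ^ in each pattern is what pins it to the start of the value."""
    hits = []
    for name in sorted(rules):
        r = rules[name]
        value = headers.get(r["header"])
        if value is not None and r["regex"].search(value):
            hits.append((name, r["score"]))
    return round(sum(s for _, s in hits), 2), hits


def score_fingerprint(os_guess, rules=None):
    """Total p0f score and the rules that fired for one fingerprint string."""
    rules = rules or parse_rules(RULES_CF)
    return evaluate(rules, {"X-Amavis-OS-Fingerprint": os_guess})


if __name__ == "__main__":
    for guess in ("Windows XP/2000 (RFC1323+, w+, tstamp-)", "Windows XP SP1+",
                  "Windows 2000 SP4", "Linux 2.6 (newer, 1)", "FreeBSD 5.x"):
        print(f"{guess!r}: {score_fingerprint(guess)}")
```

The interesting case is a combined guess such as "Windows XP/2000": P0F_WINXP's (?!.*2000) and P0F_WIN2K's (?!.*XP) both refuse it, so only P0F_WINXP2K fires and the message gets 1.5 rather than 2.5 + 1.5; a fingerprint that matches none of the rules scores 0 and is left to the other SpamAssassin tests.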
