Using P0f

This is a collection of suggestions compiled from my (Adam Katz) production experiences. It is very important to ensure that modern Windows Server systems are not lumped in with Windows desktop systems. Unfortunately, because p0f's metrics are limited and/or dated, this requires letting most Windows systems through: there are still many legitimate Windows 2000 servers, and p0f can't tell win2k home/pro apart from the server editions, or identify anything new like Vista, 2003, 2008, or 7. At least with the version running on my production site right now, p0f matching doesn't play well with regular expressions, so the rules presented here use three whitelist entries before the real action begins. The stat lines are only needed if you want to crunch stats like those pasted below.

Note that the SpamAssassin rule below is able to accomplish the same thing with a single PCRE. If you were referred to this page as an example of how to safely implement p0f and all you want is the regular expression, take it from the SpamAssassin rule.

p0fsock "/var/run/p0frun/sock"

# Log milter-greylist activity to a file, including OS
stat ">>/var/log/greylist.log" \
      "%T{%Y/%m/%d %T} %d [%i] (%Fx) %r -> %f %S (ACL %A) %Xc %Xe %Xm %Xh\n"

# safe Windows hosts
racl whitelist p0f "Windows 2003"       addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2008"       addheader "X-Greylist-OS: %Fx"
racl whitelist p0f "Windows 2000 SP4"   addheader "X-Greylist-OS: %Fx"

# unsafe Windows hosts -- put this line below ALL racl whitelist lines
racl greylist  p0f "Windows" \
               delay 20m autowhite 4d   addheader "X-Greylist-OS: %Fx"

The addheader portion allows this to be picked up by SpamAssassin with this rule in local.cf:

header   KHOP_WIN_GREYED X-Greylist-OS =~ /Windows (?:XP|2000(?! SP4)|Vista)/
describe KHOP_WIN_GREYED Sending server runs a Windows desktop OS
score    KHOP_WIN_GREYED 0.2 0.2 0.5 0.5

For anybody interested in the numbers, here's a quick look at my logs (requires the stat lines above):

# zgrep . greylist.log* |sed -r '/[^\(]*\((.*->).*$/!d; s//\1/; s/\)[^\)]*$//; s/^\s*$/unknown/' |sort |uniq -c |sort -n

      1 FreeBSD 5.3-5.4
      1 Redline  T|X 2200
      1 Solaris 2.5-7 (2)
      1 Windows 95
      1 Windows 98 (7)
      1 Windows SP3
      1 Windows XP/2000 while downloading (leak!)
      2 FreeBSD 5.1 (2)
      2 Google Wireless Transcoder (2)
      2 Linux 2.2 (2)
      2 Linux 2.4 (Google crawlbot)
      2 Linux 2.4 in cluster
      2 Linux 2.6 (tstamp-)
      2 Windows 98 (low TTL) (2)
      3 FreeBSD 6.x (2)
      3 Linux 2.6 (newer, 4)
      3 OpenBSD 3.0-3.9
      3 Windows 98 (15)
      3 Windows NT 4.0 (older)
      4 NetBSD 1.3
      5 Solaris 9
      5 Solaris 9.1
      6 Novell Netware 6 SP3
      6 Windows 98 (8)
      6 Windows XP w/Sygate? (1)
      8 Windows 95b
      9 FreeBSD 4.7-5.2 (or MacOS X 10.2-10.4) (1)
      9 Linux 2.6, seldom 2.4 (older, 2)
     12 NetBSD 1.6W-current (DF)
     12 Windows 98
     13 FreeBSD 2.0-4.2
     13 Novell NetWare 5.0
     14 Windows 98 (no sack)
     15 CacheFlow CacheOS 4.1
     16 FreeBSD 4.4 (1)
     21 Windows XP, 2000 SP2+
     35 Solaris 10 (1203?)
     39 Solaris 8 (1)
     45 Windows 98 (4)
     50 Windows 98 (1)
     63 Windows 2003 (2)
     74 Windows 98 (6)
     98 FreeBSD 6.x (1)
     98 Windows XP SP1+, 2000 SP4 (3)
    132 Linux 2.6 (newer, 1)
    140 Linux 2.4 (tstamp-)
    158 Linux 2.6? (barebone, rare!)
    208 Solaris 10 (beta)
    243 Windows XP/2000 (RFC1323+, w, tstamp+)
    256 FreeBSD 4.7-5.2 (or MacOS X 10.2-10.4) (2)
    281 Windows 98 (10)
    508 Windows 2003 (1)
    534 Windows 98 (9)
    556 Windows 2000 SP4, XP SP1+ (2)
    595 Windows XP/2000 (RFC1323+, w, tstamp-)
    616 Linux 2.6, seldom 2.4 (older, 4)
    632 Windows XP SP1+, 2000 SP3 (2)
    999 Linux 2.4-2.6
   1107 Windows XP/2000 (RFC1323+, w+, tstamp+)
   1202 FreeBSD 4.6-4.9
   1226 Linux 2.6 (newer, 2)
   1416 Windows XP/2000
   1604 Windows XP SP1+, 2000 SP3
   2970 Windows XP/2000 (RFC1323+, w+, tstamp-)
   6803 Linux 2.6 (newer, 3)
  14954 Windows 2000 SP2+, XP SP1+ (seldom 98)
  25729 unknown
  51320 Windows 2000 SP4, XP SP1+
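
To see how the three racl lines and the SpamAssassin PCRE above sort the fingerprints that show up in these stats, here is an added Python script (my own example, not part of this page or of milter-greylist) that extracts the OS field from stat-format log lines the way the sed pipeline does and applies both checks; the assumption that a plain `p0f "string"` clause is a case-sensitive substring match, and the sample log lines, are constructed for the example.

```python
import re
from collections import Counter

# The SpamAssassin rule's PCRE from this page; Python's re supports the (?! ...) lookahead.
DESKTOP_OS = re.compile(r"Windows (?:XP|2000(?! SP4)|Vista)")

# The page's racl p0f clauses in order; first match wins. Assumes (not confirmed by the
# page) that milter-greylist's plain p0f "string" clause is a case-sensitive substring match.
RACL = [("Windows 2003", "whitelist"), ("Windows 2008", "whitelist"),
        ("Windows 2000 SP4", "whitelist"), ("Windows", "greylist")]

def extract_os(line):
    # Mirror the sed pipeline: text from the first '(' up to the last '->', then drop
    # the final ')' and what follows it; an empty %Fx becomes "unknown".
    m = re.search(r"\((.*->)", line)
    if not m:
        return None                      # no "(...) ... ->" on this line, like sed's /!d
    head, sep, _ = m.group(1).rpartition(")")
    return (head if sep else m.group(1)).strip() or "unknown"

def racl_action(os_name):
    for needle, action in RACL:
        if needle in os_name:
            return action
    return None                          # no p0f clause hit; later ACL lines decide

def sa_flagged(os_name):
    # Would this X-Greylist-OS header value fire KHOP_WIN_GREYED?
    return DESKTOP_OS.search(os_name) is not None

def summarize(log_text):
    # Per-OS count (like the page's `uniq -c`) plus the ACL action and SA verdict.
    counts = Counter(name for name in map(extract_os, log_text.splitlines()) if name)
    return {name: {"count": n, "racl": racl_action(name), "sa_flagged": sa_flagged(name)}
            for name, n in counts.items()}

# Constructed sample lines in the stat format above (trailing %X fields omitted).
SAMPLE_LOG = """\
2009/03/14 12:34:56 mx1.example.net [192.0.2.10] (Windows 2000 SP4, XP SP1+) <a@example.com> -> <b@example.net> whitelist (ACL 3)
2009/03/14 12:35:01 mx1.example.net [192.0.2.11] (Windows XP/2000) <c@example.com> -> <b@example.net> greylist (ACL 6)
2009/03/14 12:35:09 mx1.example.net [198.51.100.7] (Windows 98 (7)) <d@example.com> -> <b@example.net> greylist (ACL 6)
2009/03/14 12:36:40 mx1.example.net [198.51.100.8] (Windows 2003 (1)) <e@example.com> -> <b@example.net> whitelist (ACL 1)
2009/03/14 12:37:02 mx1.example.net [203.0.113.5] () <f@example.com> -> <b@example.net> greylist (ACL 9)
2009/03/14 12:39:00 mx1.example.net [192.0.2.10] (Windows 2000 SP4, XP SP1+) <a@example.com> -> <b@example.net> whitelist (ACL 3)
"""

if __name__ == "__main__":
    for name, info in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: kv[1]["count"]):
        print(f'{info["count"]:6d} {name:32s} racl={info["racl"]} sa_flagged={info["sa_flagged"]}')
```

Running it over real stat output shows one gap worth knowing: Windows 98 and NT 4.0 fingerprints are greylisted by the catch-all racl line but never score in SpamAssassin, because the PCRE only names XP, non-SP4 2000, and Vista.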

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License