[Dshield] 0wnlng Windows machines

Tony Earnshaw tonni at hetnet.nl
Sat Feb 24 10:10:16 GMT 2007

Hi list,

I'm the mailadmin of a low-volume high school site in Amsterdam NL; we 
run a Postfix 2.3 MTA with lots of knobs to twiddle.

One of the things I do is twiddle the knobs; as I've written before, we 
block a lot of stuff before we accept it. We don't block it at the 
perimeter, we let the MTA block it, mostly using cidr subnet blocks, but 
also using rules detailed in rfc[2]821 and greylisting, as well as, as a 
last resort, 4 DNSRBL sites. Postfix also makes it possible to see each 
refused connection, together with the smtp conversation that takes place 
and why we refuse clients. I make full use of that possibility.

We also run a utility called p0f with which I analyze the operating 
system of each client connecting to port 25 on our MTA. For instance, it 
tells me that iceman12-int.giac.net is running Linux 2.4-2.6 and was up 
for 3413 hours on Feb 24 at 01:47:28 CET.

I produce pretty bar graphs with it, and these will be available for a 
couple of days at https://mail.barlaeus.nl/p0f. Normally they're 
excluded from unrestricted Internet access.

One of the things I've found out over the past few months is that 
around 98% of all the clients we block are Windows machines; which 
variants you can see from the graphs. It's patently obvious that most 
0wn3d machines are w2k with patch 4/XP with patch 1 and very few are 
W2003. Now assuming the w2k and XP users have been savvy enough to patch 
their W2k/XP machines, can anyone tell me the most obvious reasons that 
they're getting 0wn3d? Presumably the users intelligent enough to patch 
are also savvy enough not to click on things they're told not to, to 
enable stupid p2p, to visit nasty web sites and so on. Or are they? And 
why are there (proportionally) so few w2003 machines refused?

One of the reasons I ask, apart from curiosity, is noting how new 
spammer software patterns develop, how much spammers keep to the same 
old stupid configuration and similar.

PS: All of our site's 100 or so Windows XP workstations (which I don't 
configure, thank goodness) get their Internet stuff over a Smoothwall 
blocking proxy, all are forced to SASL authenticate to our MTA alone for 
sending, their mail (when it comes in) has gone through 3 AV scanners 
and a hyper-good spam filter, and they run Sophos SAV regularly on their 
ghost-imaged HDs. Their profiles and other Windows stuff is kept on a 
Linux Samba 2.0.22 NT PDC (which I do configure) on which Sophos Sweep 
runs regularly, so they're kept from sinning; if they were to, 
reformatting and imaging their local HDs is relatively easy to do, with 
loss of no personal data.

Tony Earnshaw
Email: tonni at hetnet dot nl
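One way to do the correlation described in the post (joining Postfix reject lines with p0f fingerprints by client IP and tallying OS families for the bar graphs), as an added example that is not part of the original post. The log lines are constructed, the p0f line layout is assumed from p0f 2.x output, and dnsbl.example stands in for an unnamed DNSRBL:

```python
import re
from collections import Counter
# Constructed sample data, not the poster's logs. Postfix smtpd reject lines
# keep the real "NOQUEUE: reject: RCPT from name[ip]: code" layout.
POSTFIX_LOG = """\
Feb 24 01:47:28 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Client host rejected: cannot find your hostname; from=<a@example.net> to=<b@example.org> proto=SMTP helo=<friend>
Feb 24 01:48:02 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.7.1 Greylisted, try again later; from=<c@example.net> to=<b@example.org> proto=SMTP helo=<pc>
Feb 24 01:49:15 mail postfix/smtpd[4130]: NOQUEUE: reject: RCPT from mx.example.com[198.51.100.5]: 554 5.7.1 Service unavailable; Client host [198.51.100.5] blocked using dnsbl.example; from=<d@example.com> to=<b@example.org> proto=ESMTP helo=<mx.example.com>
Feb 24 01:50:40 mail postfix/smtpd[4130]: connect from unknown[192.0.2.10]
Feb 24 01:51:03 mail postfix/smtpd[4135]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 5.7.1 Client host rejected: Access denied; from=<e@example.net> to=<b@example.org> proto=SMTP helo=<192.0.2.12>
"""
# Constructed lines in the assumed p0f 2.x style: "src:port - OS (up: N hrs) -> dst:port (...)".
P0F_LOG = """\
192.0.2.10:3492 - Windows 2000 SP4 (up: 12 hrs) -> 203.0.113.25:25 (link: ethernet/modem)
192.0.2.11:1026 - Windows XP SP1 (up: 3 hrs) -> 203.0.113.25:25 (link: ethernet/modem)
198.51.100.5:45210 - Linux 2.4-2.6 (up: 3413 hrs) -> 203.0.113.25:25 (link: ethernet/modem)
192.0.2.12:2211 - UNKNOWN [S4:128:1:48:M1460,N,N,S:.:?:?] -> 203.0.113.25:25 (link: ethernet/modem)
"""
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(\d+\.\d+\.\d+\.\d+)\]: (\d{3}) ")
P0F_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+ - (.+?)(?: \(up: .*?\))? -> ")
FAMILIES = {"windows": "Windows", "linux": "Linux", "freebsd": "FreeBSD", "openbsd": "OpenBSD"}

def rejected_clients(log):
    """Map client IP -> SMTP reply code of its last rejection; one entry per client."""
    clients = {}
    for m in REJECT_RE.finditer(log):
        clients[m.group(1)] = m.group(2)
    return clients

def fingerprints(log):
    """Map client IP -> p0f OS guess (uptime dropped; unknown signatures kept as-is)."""
    return {m.group(1): m.group(2) for m in map(P0F_RE.match, log.splitlines()) if m}

def os_family(guess):
    """Collapse a p0f OS string into the coarse family used for the bar chart."""
    g = guess.lower()
    return next((name for key, name in FAMILIES.items() if g.startswith(key)), "Unknown")

def tally(postfix_log, p0f_log):
    """Count rejected clients per OS family; returns (counts, percent of all rejected)."""
    fp = fingerprints(p0f_log)
    counts = Counter(os_family(fp.get(ip, "unknown")) for ip in rejected_clients(postfix_log))
    total = sum(counts.values())
    return counts, {fam: round(100.0 * n / total, 1) for fam, n in counts.items()}

if __name__ == "__main__":
    counts, pct = tally(POSTFIX_LOG, P0F_LOG)
    for fam, n in counts.most_common():
        print(f"{fam:10} {n:4} {pct[fam]:5.1f}%")
```

Clients p0f could not classify, or never saw, land in the Unknown bucket, so its size bounds how far the Windows percentage can be trusted.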
