p0f

Olivier Olivier.Nicole at cs.ait.ac.th
Wed Sep 14 09:16:57 CEST 2016 

Christian,

A couple of ideas,

You mentioned that you se traffic on the port 50000, have you tried to
analyze that traffic (with wireshark)? I attach some valid traffic
betwen amavisd-new and p0f (on port 2345), so you can compare to the
traffic you see.

Also, you should increase the logging level or amavisd-new, so you can
see what's going on inside. I have logs that say:

Sep 14 13:53:04 mail amavis[21274]: (21274-07) spam-tag,
<XXX> -> <on at cs.ait.ac.th>, No, score=3.801
tagged_above=0 required=5 tests=[BAYES_00=-1.9, JMQ_SPF_NEUTRAL_ALL=0.5,
L_P0F_Linux=-0.1, ...] autolearn=no autolearn_force=no

Sep 14 14:00:13 mail amavis[21677]: (21677-05) OS_fingerprint:
192.0.46.81 -9.562 ham.Linux - Linux 3.11 and newer; dist: 14; link:
Ethernet or modem; params: none; raw_mtu: 1500; raw_sig:
4:50+14:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0

In my amavisd-new config I have no $allowed_added_header_fields but in
an archived spam message I see:

X-Spam-Status: Yes, score=6.101 tagged_above=0 required=5
        tests=[BAYES_00=-1.9, JMQ_SPF_NEUTRAL_ALL=0.5, L_P0F_Linux=-0.1,
        ...] autolearn=no autolearn_force=no
X-Amavis-OS-Fingerprint: Linux 3.1-3.10; dist: 15; link: Ethernet or modem;
        params: none; raw_freq: 250.01 Hz; raw_mtu: 1500; raw_sig:
        4:49+15:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0; uptime: 122 days 3
        hrs 17 min (modulo 198 days), [XXX.XXX.XXX.XXX]:58723
	[141.42.206.35]:44214

If the message is not spam, I will only get the X-Amavis-OS-Fingerprint:
like for your last message in this thread:

X-Amavis-OS-Fingerprint: Linux 3.11 and newer; dist: 16; link: Ethernet or
	modem; params: none; raw_mtu: 1500; raw_sig:
	4:48+16:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0,
	[141.42.206.35]:44214

Best regards,

Olivier
-------------- next part --------------
A non-text attachment was scrubbed...
Name: p0f.tcpdump.pcapng
Type: application/octet-stream
Size: 1636 bytes
Desc: not available
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20160914/aea7d460/attachment.obj>

More information about the amavis-users mailing list