Researchers Build TCP-Based Spam Detection

itwbennett writes "In a presentation at the Usenix LISA conference in Boston, researchers from the Naval Academy showed that signal analysis of factors such as timing, packet reordering, congestion and flow control can reveal the work of a spam-spewing botnet. The work 'advanced both the science of spam fighting and ... worked through all the engineering challenges of getting these techniques built into the most popular open-source spam filter,' said MIT computer science research affiliate Steve Bauer, who was not involved with the work. 'So this is both a clever bit of research and genuinely practical contribution to the persistent problem of fighting spam.'"

Why do we keep doing this?

[damn_registrars]

People are looking at the wrong end of the problem with much of their efforts - and this is just another example of that. You cannot solve spam with filtering, detection, or legislative actions. We've seen time and time again that those are just time and money-sucking stopgap measures that ignore the reality of the situation.

We won't see a real solution to the spam epidemic until people acknowledge the simple truth that spam is an economic problem. There is still a lot of money to be made by sending out spam, with very little expense for the spammer. The profit margin is high enough that it is well worth their while to find various ways around filters and any other silly mechanisms we throw at them.

If you want to make an actual difference in the fight against spam, you need to approach the economic motivations behind it. If you stop of the flow of money to the spammers, you will stop the spam as well. Because no matter how much some people may want to believe otherwise, spam isn't sent just to piss you off and ruin your day. Spam is sent out because spammers are paid to do so. If they don't get paid, they won't send spam, it is as simple as that. Any other kind of countermeasure only prolongs the fight and throws more money in the wrong direction.

Re:Why do we keep doing this?

great. so what do you propose? banning advertisements and referral programs? because I think most of us would be 100% behind that

Re:Why do we keep doing this?

[bhtooefr]

Here's an idea - recipient's SMTP server refuses e-mails unless they get 0.01 cents with it.

Re:Why do we keep doing this?

[marcosdumay]

Not everybody is rational, even less so with their marketing expenses. Really, most companies don't even know the return of their marketing expenses, thus they can't act rationaly.

Also, filtering is great for reducing the results of spam, including spammer revenue. There is no reason not to do both, educate users and filter spam.

Re:Why do we keep doing this?

[Tom]

The economic side has been tackled as well, and it turns out that it is not easier than the technological side. More importantly: It involves politics, and politics move slowly on all problems of the commons (i.e. low impact on many people).

Re:Why do we keep doing this?

[wbr1]

For the same reason we have security theater.
For the same reason we have a 'War on Drugs'.

We seem to be blind to the fact (as a society or a government), that you cannot legislate or regulate a cure to a problem. People will always do what seems in their best interest, be it recreationally, economically, or otherwise.

Very little our government does actually address the core issue, it just places band-aids on top of it. This, I think at least partly because a democracy is a system of compromise and once you have compromised the strength of many solutions is sapped by that compromise. This is not to say that it never works, but it is degrading quickly. Creating stop-gap solutions and band-aids helps those in power feel like they have made a difference, and for the most part the willfully uninformed public follows and agrees.

As a case in point take the drug war. It would be unfeasible to say shoot all smugglers and dealers. It is also impossible (in our current society) to say legalize all drugs. Instead we have a multibillion boondoggle of a system to try to stop and regulate illegal drugs, and it has never worked. In addtion, even though it is obvious that it doesn't work, there are those who benefit from it's existence and will push to keep it even if it is a failure.

There will always be those who find it better to game the system than to stay within it.
There will always be a disenfranchised group who feels they have to act differently than the norms for the interest.
There will always be those who feel they have the tight to abuse or prey on others.

Re:Why do we keep doing this?

[Halo1]

The same can be said about pickpocketing, burglary and almost any other kind of crime. As long as technical measures can help with partially or temporarily alleviating the problems without causing disproportional side effects or requiring disproportionately large investments (i.e., not TSA nonsense vs terrorism, but more like door locks vs breaking and entering), I don't see what the problem is with developing and deploying them.

Re:Why do we keep doing this?

[robot256]

Then every email comes with a traceable credit account and anonymity goes out the window...It is a good idea, but it will take some interesting creativity to resolve that problem.

Re:Why do we keep doing this?

[t00le]

All we need is a global white list that allows trusted communication between peers. In the event spam is being sent from a member of the white list all of the email from that party would be flagged as suspect for 24 hours, then change to spam until the issue is rectified.

The problem is the lack of response from certain parts of the world, where I block tcp/udp connections from already. I have no issues with allowing people to communicate freely, but I have no issues with my libido and no need to buy Xanax.

Re:Why do we keep doing this?

[damn_registrars]

Also, filtering is great for reducing the results of spam, including spammer revenue

Actually, it isn't, for at least two reasons:

• The people who are willing to invest time and money in filtering aren't likely to click through and buy something based on spam any ways.
• Total spam volume continues to increase in spite of filtering, which indicates it has not had any meaningful effect on the rewards for the spammer

There is no reason not to do both, educate users and filter spam.

Those are the two least useful tactics you can pursue. You would be better off praying to the flying spaghetti monster for a solution. My proposal is to actually get involved in the financial transactions that keep the spammer in operation; the people who are paying the spammer, the people the spammer is paying, and the other associates who are also getting a cut in on the action.

Unlike filtering, this has already been shown to be effective.

Re:Why do we keep doing this?

[realityimpaired]

There's also nothing to stop the spammers from forging the credentials of some other organization. Then we'd be hearing about Anonymous sending billions of spam messages, pretending to be BoA...

Re:Why do we keep doing this?

[kelemvor4]

Anonymity is not a feature inherent in e-mail.

Re:Why do we keep doing this?

[Mister+Whirly]

Yes, paying for all email. I can't see any drawbacks to that solution.

How about instead of elecrtronic mail, we devise a system where people write letters on physical paper and then we deliver those letters to the recipients. We could charge a nominal fee for the delivery, and that should end all "junk mail", right?

Re:Why do we keep doing this?

[damn_registrars]

The economic side has been tackled as well, and it turns out that it is not easier than the technological side.

In a way, though, it is. There are actually fewer actions that need to be taken from the economic side than from the technological side; indeed economic actions can have very measurable and lasting effects in a short amount of time while technological actions are generally worthless.

More importantly: It involves politics, and politics move slowly on all problems of the commons

You may have misread me on that matter. Economic solutions are not inherently political, even though politics is inherently tied to economics. However, the companies who are on the financial take in the matter can be influenced without the necessity of legislative action.

Re:Why do we keep doing this?

[mcavic]

Yes, but how much spam do you get each day, versus how much paper junk mail? Filtering spam is basically an all-day task, but sorting paper mail takes me 30 seconds. Implementing a per-email charge would be almost impossible to implement well, even if people are willing to pay it. But it would eliminate the problem that sending 1 email costs the same amount of money as sending 1 million emails.

Re:Why do we keep doing this?

[wkcole]

Here's an idea - recipient's SMTP server refuses e-mails unless they get 0.01 cents with it.

Don't bother trying to patent that idea. It has been proposed and even tried many times.

One problem with it is simply that there is no reliable mechanism in place to identify the responsible sender of every piece of email. Internet email is not a single system, but rather a loosely confederated mob of independently operated systems that mostly use a common set of protocols. Most email these days is spam, sent mostly by hijacked machines, of which most is rejected easily by most receiving systems. The bulk of spam that makes it to user inboxes is either being sent in ways that are intentionally deceptive and often using stolen resources or is arguably not really spam because it is pursuant to some formally (if ignorantly) accepted agreement to be sent mail. Neither of those is easily addressed by making rules for people to follow. The first set are not going to follow any new rules and the latter are working within the letter of the existing rules.

Re:Why do we keep doing this?

Anonymity is not a feature inherent in e-mail.

Yes it is. Anybody who can telnet to port 25 can send anonymous e-mails.

Re:Why do we keep doing this?

[Mister+Liberty]

they get 0.01 cents

Did you really mean only 1/100 of a cent?

Re:Why do we keep doing this?

[Stormthirst]

And who would run the white list? The government? Which government?

Re:Why do we keep doing this?

[robot256]

Anonymity, maybe not. But pseudonymity darn well is. Just think what the lawyers would do if every email address on every forum post could be subpoenaed unequivocally back to credit account and a person. It would be a hay-day for not only every vain celebrity crying "slander" but also the Sonys and RIAAs of the world looking for "violation-inciting behavior".

Re:Why do we keep doing this?

[Arrogant-Bastard]

Actually, you're wrong. The problem is NOT economic. It'd be nice if it was -- because some obvious interdiction paths could be used. But it's not.

The spam problem is behavioral: spammers are sociopaths. That's why there are no ex-spammers: they can no more stop spamming than a pedophile can stop molesting children. They're (pick your terminology) mentally ill, sick, etc.

How do we know this? Because we can observe (and we have observed) that they continue spamming even when there's obviously no profit in it, nor any realistic hope of any profit in the future. They're not all/always doing it for the money.

Now...it's certainly true that some spammers do make a profit; certainly the spammers-for-hire that have adopted the guise of "responsible companies" do very well, well enough to hire skilled propagandists who paint them as professional email service providers -- even though they're just spammers with better suits. But that doesn't change their underlying motivation: doing what spammers do requires someone who's devoid of basic human compassion, remorse, responsibility, empathy -- all the qualities that enable people to relate to one another. And there's no easy/obvious fix for that.

Re:Why do we keep doing this?

[shentino]

First, a side note:

Spam is profitable only if you ignore the costs absorbed by people whose computers get hijacked into botnets that send the stuff.

In much the same way that grow ops are cheap when you jump the meter and rip off the electric company.

In both cases the perpetrators get away with securing a windfall because they dump their cost burdens on unwilling participants.

Now for the main point:

How is most spammed product paid for?

Re:Why do we keep doing this?

[shentino]

At least with postal spam they have to print and mail it at their own expense.

Electronic spam is even worse since often the sending is slaved to botnets full of hijacked computers and the costs are diverted to unwilling participants.

Re:Why do we keep doing this?

[shentino]

It's a problem that refuses to be solved since cutting off the flow of cash to spammers requires pissing off special interests that have the government in their pockets.

Re:Why do we keep doing this?

[damn_registrars]

When you have something that is 0.000001% effective and you can still make millions, there is no free market way of stopping it.

You're wrong on that. There is a free market way to do it. You can stop spam on the market by getting the businesses who currently do business with spammers to stop. Some of them aren't even aware they are working with spammers because they are working in large volumes and the spammers are small fry. Some of them are two or more degrees away from the spammer and might never make direct contact with them. Nonetheless, if you can interrupt the money flow, you can stop spam.

Re:Why do we keep doing this?

[shentino]

The biggest problem with spam is that spammers are cheating on expenses and getting away with it.

I guarantee you spam would drop in a hurry if there was some way to make a spammer eat his own IT bills. At present the ones who REALLY pay for spam are gullible boobs who let their computers get hijacked.

Re:Why do we keep doing this?

[damn_registrars]

At present the ones who REALLY pay for spam are gullible boobs who let their computers get hijacked.

Correction - the boobs pay for about half the costs of spam. You are correct that spammers themselves pay a negligible portion.

However, the rest is paid by every person who accesses the internet, in any way, shape or form. Spam is consuming bandwidth, which costs users money even if their own machines are not propagating it. Spam is also consuming storage space on email servers, even if users never read it. Spam is consuming CPU time when filters are running, and spam is consuming human time to adjust those filters.

Spam is, in a very real way, driving up the cost of using the internet. And those costs are faced by everyone. To make matters worse, no amount of filtering will ever end the problem, or even reduce those costs that I just mentioned because the filters do nothing whatsoever to prevent spam from being sent out.

The only way to stop spam from being sent out is to remove the incentive for sending it out from the spammers. As we all know, spammers send our spam because it is profitable, so interrupting the flow of money to the spammer will remove that incentive, which will result in lower spam volumes. This has already been demonstrated as an effective technique.

Re:Why do we keep doing this?

[damn_registrars]

How do we know this? Because we can observe (and we have observed) that they continue spamming even when there's obviously no profit in it, nor any realistic hope of any profit in the future.

That is simply not true. There is plenty of money to be made in spam, and it is the motivating force behind it. The spammers that make the news when they get caught (almost always on other offenses) are especially wealthy relative to their home countries. Furthermore, the total investment for a spammer is minimal; they really just need to be able to talk a good game and get some time on a botnet to be able to make money fast. As we've seen, each time a spammer is thrown in jail or murdered , the spam volume at best remains the same (more often, it increases) because it is profitable.

Your very notion of spammers being inherent sociopaths simply makes no sense. If they just want to aggravate people electronically, they could do it by trolling discussion forums and not have to worry about what side of the law they are on. They are not all mentally ill, they are all just looking to make a buck. And many of them - have you ever looked at the lists on spamhaus? I'm guessing no - are from former second-world or current first-world countries where economic opportunities are scarce.

Re:Why do we keep doing this?

[MrLizardo]

Also, filtering is great for reducing the results of spam, including spammer revenue

Actually, it isn't, for at least two reasons:

• The people who are willing to invest time and money in filtering aren't likely to click through and buy something based on spam any ways.

The people who operate the filters != the end users of the mail system.
End users pay for the cost of operating the filters by seeing advertisements in their webmail or paying for the email service. And yes, this has been working well to prevent the vast majority of spam (something like 99.9% according to my GMail account) from landing in inboxes for 15 years or so at this point.

Re:Why do we keep doing this?

[tlhIngan]

We won't see a real solution to the spam epidemic until people acknowledge the simple truth that spam is an economic problem. There is still a lot of money to be made by sending out spam, with very little expense for the spammer. The profit margin is high enough that it is well worth their while to find various ways around filters and any other silly mechanisms we throw at them.

If you want to make an actual difference in the fight against spam, you need to approach the economic motivations behind it. If you stop of the flow of money to the spammers, you will stop the spam as well. Because no matter how much some people may want to believe otherwise, spam isn't sent just to piss you off and ruin your day. Spam is sent out because spammers are paid to do so. If they don't get paid, they won't send spam, it is as simple as that. Any other kind of countermeasure only prolongs the fight and throws more money in the wrong direction.

The problem is, you assume the one making the profit is the spammer, which is incorrect.

In the traditional spam model (emails sent for marketing, not distributing viruses to either control your machine or to keylog/proxy for your financial info), there are three entities.

First, you have the victim, you and me, who get their inboxes flooded. Enough said.

Second, you have the spammer. They advertise their "marketing services" - something like $100 for 10,000,000 emails.

Third, is the spammer's customer - the business buying spamming services.

The customer buys the services of the spammer - let's say $100. Spammer makes $100 profit, the customer is out $100 in marketing budget. Spammer then sends the emails. At which point, most of the victims don't even see it as a filter sends it to the bitbucket. Of the few remaining, most just delete it.

And there's zero feedback. The customer may or may not make that $100 marketing back in sales from that marketing campaign.

But to the spammer, it doesn't matter - they got paid ahead of time with no guarantee of results. And if the customer doesn't come back, no big deal - there's a lineup of other businesses needing "marketing services".

And most businesses don't have the ability to see that they spent $100 marketing to get orders that raked in only $10 in profit.

It's just like groupon - you get people to come, but the business never realizes that it's a really an expensive way to get the few new repeat customers.

Re:Why do we keep doing this?

[Belial6]

Yeah, that list if funny, but it is not something to be taken seriously.

Re:Why do we keep doing this?

[Tom]

Spammers don't have a lobby. There is no special interest working for them, it's simply that the problem is so distributed that few people really care about it all that much.

Re:Why do we keep doing this?

[Tom]

In a way, though, it is. There are actually fewer actions that need to be taken from the economic side than from the technological side; indeed economic actions can have very measurable and lasting effects in a short amount of time while technological actions are generally worthless.

Do you say that as an economist or as a technician? Because I would take a bet that the other side would say the same thing, only in reverse.

You may have misread me on that matter. Economic solutions are not inherently political, even though politics is inherently tied to economics. However, the companies who are on the financial take in the matter can be influenced without the necessity of legislative action.

If it were that simple, someone would have done it by now, don't you think? If it is just that nobody has done it, then why don't you?

Re:Why do we keep doing this?

[damn_registrars]

If it were that simple, someone would have done it by now, don't you think?

It has been done, it's even been discussed on slashdot before. And it is far more effective than filters can ever hope to be.

Re:Why do we keep doing this?

[damn_registrars]

But to the spammer, it doesn't matter - they got paid ahead of time with no guarantee of results. And if the customer doesn't come back, no big deal - there's a lineup of other businesses needing "marketing services".

You made an error yourself in that statement. The vast majority of spam is not for existing domains, but rather for new ones. You can verify this yourself by looking through old spam; if you look at a spam message from a month ago and look at the spamvertised domain you will find it is not the same spamvertised domain that was listed in today's spam, even though they are selling the same products and using all the same web graphics, code, and template.

Furthermore if you run a WHOIS on domain that was spamvertised this morning you will likely find that domain was registered in the last week or so. While indeed the two domains are likely owned by the same group, moving their operation from one web host to another as they get discovered and shut down, the old spam is of no value, nor are returning customers important.

Which is why the spammers services are important to the owner of the spamvertised website, and why the spammer is getting paid nicely in the process. The only way that people find their way to these sites is via spam, because the sites aren't around long enough to be found in a search engine.

Re:Why do we keep doing this?

[shentino]

No, but the credit card companies people use to pay for V14GR4 do...

Re:Why do we keep doing this?

[bhtooefr]

Yes, I did, I'm not using Verizon math.

The idea is to keep things cheap for legitimate e-mail senders (e-mail providers could even soak up that cost), but it becomes a noticeable cost once you're sending tens of thousands of e-mails.

Re:Why do we keep doing this?

[Tom]

It has been done, it's even been discussed on slashdot before. And it is far more effective than filters can ever hope to be.

Then why do I keep getting spam?

Many anti-spam solutions were extremely effective the first time around - until the spammers adapted. I remember when greylisting cut your spam to almost nothing. It seems to have almost no effect these days.

Re:Why do we keep doing this?

[kelemvor4]

Just because you know enough about a system to exploit it's weaknesses does not mean that the exploit is a "feature".

Won't work

[sakdoctor]

Even if the spam click-though rate is 0.0%, there are still enough suckers born every minute to buy the service of spammers.

Fix email to work like IM...

[DraconPern]

The best way to fight spam is do what IM systems has been doing, by whitelisting. So, 1st email triggers a white list query, and the rest wil be invisible... May be do this on a per ip or per domain basis...

Re:Fix email to work like IM...

[mcavic]

Accepting email only from addresses or domains on your white list is a decent idea, as long as you check your spam folder every day for legitimate mail from new people. Otherwise, it's cumbersome to have to add someone to your list before they email you. You would need the ability to whitelist a whole domain, though, such as amazon.com, etc... something that address books usually won't let you do.

Skip the ITWorld article

[wkcole]

I'm sure 'itwbennett' would rather everyone go to his employer's website to read that article, but it is clearly not written (or edited) by anyone who has any basic clues about spam-fighting. Just reading the subtitle makes me cringe for the unfortunate "journalists" lassoed into writing it, as it was clearly done by spam neophytes in a desperate scramble for click-scrounging content. The article is vaguely about a paper presented almost a year ago at LISA '11. There are links to an abstract and the original paper at the LISA '11 site: http://www.usenix.org/events/lisa11/tech/

The general space of sniffing out spam by looking at TCP characteristics has been mined for years usefully with Symantec and MailChannels both offering proprietary tools that use such techniques and some open DNSBL's using TCP sniffing to identify sources, but it would be incorrect to believe that any one methodology will ever be a magical silver bullet against spam.

Looks like a copy of someone else's work...

[DaveGillam]

This REALLY sounds like a copy of Sendmail Inc.'s Rate Control component, which has been deployed to many sites for the last several years. Rate Control allows the admin to throttle or otherwise block email that breaks various TCP-related thresholds (messages/second, bad recipients/second, connections/second, etc.). Further, recent real world indications show that spammers are sending fewer spams per second from individual IP addresses--they make up the volume by increasing the size of the botnet, and coordinating activity so that not too many bots hit the same relay at the same time. This is why Rate Control added an IP Reputation subcomponent a couple of years ago.

It appears these Navy guys have simply come up with a tool that has already existed for years.

As far as being a solution to spam, I agree that spam is 99% a financial problem. The problem with attacking it as such, is that one tends to also hurt legitimate endeavors. If all the advertising were removed from the Internet, there would not be much of a non-commercial Internet--the advertising tends to keep many things free or very cheap. Also, education is great, but as soon as you teach one person to not fall prey to spam, there's another person born who will fall prey. Thus you need to do many things in concert to fight spam--educate, identify, legislate, prosecute. The closer to the front end we can identify spam, the more cheaply we can block or redirect it. Why redirect it? For prosecution and legislation reasons. If you can identify where the money goes, this evidence become important to justify cutting off the ability of that spammer to get funds--credit bureaus, etc.

Re:Looks like a copy of someone else's work...

[MightyMartian]

Postfix has had throttling for several years now, based on the same basic concepts. I use Postfix with greylisting and to be honest, my Spamassassin and ClamAV filters rarely get hit. Since at least big spam attacks are by bots, and bots are primarily designed to just shove as much through as possible, greylisting alone does a spectacular job of killing them, though sometimes people get pissed when messages take a while to get to them from a recipient the first time.

Re:Looks like a copy of someone else's work...

[kwark]

So the first defense of greylisting has been defeated (I'm not seeing this in my logs though). But that still leaves the second advantage gained by it: by the time they get back to your smtpd they hopefully will be blacklisted.

Re:Looks like a copy of someone else's work...

[Smask]

The flood of spam from Yahoo accounts is because of "porn" or "warez" sites that loads an hidden iframe on Firefox. This iframe opens the user's Yahoo account and spam everyone in the address book. Only Firefox have that problem with hidden iframes and Yahoo mail.

Re:Looks like a copy of someone else's work...

[allo]

maybe you need to increase the greylist-period. Most bots run at dsl accounts, which means they will get a new ip approximate every 24h. When you require a period of 24h for unknown senders, they will not be able to resend it.

Of course only a possible solution, if you do not need to get your e-mails as soon as possible. But when you need to, you do not want to use greylisting at all.

Please stop

[WaffleMonster]

I've always wondered how seemingly smart people can act so stupidly totally oblivious to the repercussions of their actions.

What happens when a busy computer that would cause it to naturally act in a similiar matter as a botnet zombie sends an email and that message is then flagged as spam?

Spammers are no fools or dinosaurs. They will simply adjust their spamming rate in zombie client below the threshold needed to induce effects needed to trigger the detection scheme.

End result as always is the same:

It won't stop anyone from spamming

It WILL make SMTP based Email even more unreliable than it currently is.

Re:Please stop

[DamonHD]

This rather assumes that every MTA will have the same threshold. It is not necessary (or helpful) to have a security monoculture.

A very simple first defence against such rate tuning is to randomly vary thresholds substantially between systems and from time to time.

Rgds

Damon

95% accuracy

[Nikademus]

While 95% accuracy at detecting spam may sound like "wow", it's a very low rate. Simply using correctly configured greylisting gives an accuracy in the 99% range. So I doubt this technique really improves anything but it will allow to say 'we did it another way'. Given than more and more spam comes from official mail relays, accuracy will only increase when analysing the body of the mail.

This isn't a new technique...and it's inaccurate

[Arrogant-Bastard]

First, we've known for many years that IP-level techniques can deal with a lot of spam. For example, using the Spamhaus "DROP" list in perimeter devices is so incredibly effective that anyone who isn't doing it may summarily be declared incompetent. As another example, perhaps more germane to this paper, see http://use.perl.org/~merlyn/journal/17094 -- which demonstrates how to use passive OS fingerprinting in the BSD pf firewall to throttle traffic from Windows systems. (I presume everyone is well aware that bots are nearly always hosted on Windows systems; my own research indicates that despite inroads by attackers into non-Windows hosts, the probability that any given bot will be found to be on a Windows system is still comfortably above 99.999%.) The technique shown by poster "merlyn" in that example from 2004 can readily be extended and combined with others.

Second, 95% true positive rate is impressive for a single measure, BUT we must also consider the false positive rate, and we have to consider the resource cost necessary to achieve this number. Frankly, doing this inside SpamAssassin is very inefficient -- this is a function that can be handled either in the firewall or in the MTA, or perhaps in a combination of the two. There's really no need to invoke something as heavyweight, slow and complex as SA. (Nor is this desirable: the more complex the anti-spam architecture, the more difficult it is to tune properly and the more susceptible it is to gaming.)

Here's the TL;DR version: if a host passive-OS-fingerprints as Windows then it's suspect. If it does that AND (lacks rDNS OR has generic rDNS) it's a bot.

In other news 99%

[stabiesoft]

of all spam comes from dynamic addresses. Their method (95%) is worse than simply rejecting all email from dynamic IP's. I find greylisting dynamics for 36 hours and statics for an hour filters over 99% of spam. If one gets thru, I just blacklist the IP.

Been doing this for years

[1s44c]

I've been doing this for years.

I use p0f to detect connections coming from windows and greylist them. Very little genuine mail comes from windows based mail servers.

I find there is little point greylisting mail from unix machines as very little spam comes from them.