OS Fingerprinting used to help identify spam
Very cute little article on the use of p0f in the fight against spam: Justin Mason: Happy Software Prole: Some p0f Data From Craig.
In a nutshell: p0f is a utility that passively monitors network connections and identifies the operating system of the remote host from the characteristics of the TCP packets it sends, without transmitting any probes of its own. (Similar to queso, but passive, and therefore safer and invisible to the host being fingerprinted.) Craig Hughes has compiled statistics on which operating systems are more likely to transmit spam. Not surprisingly, Windows boxes transmit mostly spam while Unix boxes do not. Windows boxes transmit between 60 and 100% spam, with the more modern versions tending to transmit the most spam. Linux boxes transmit 18.3% spam while FreeBSD and Solaris transmit less than 2% spam.
The numbers are not definitive enough to be used for spam filtering on their own (a fifth to a third of mail from Windows hosts is legitimate), but they would make an excellent additional feature for a Bayesian filter, combined with the word-level probabilities it already uses.
The article does not discuss the reasons Windows boxes are more likely to send spam than legitimate email, but it's easy to speculate. First and foremost, Windows boxes are the ones being hijacked and turned into zombies. Secondly, spamming software is generally written for Windows boxes. Thirdly, the mail servers of legitimate ISPs are usually running one of the Unix variants, and since p0f fingerprints whichever host opens the SMTP connection, legitimate mail relayed through an ISP carries the ISP's Unix fingerprint rather than that of the user's Windows PC.
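To show what "an input to Bayesian filters" means in practice, here is an added example (not code from the post or from Craig's analysis) that treats the fingerprinted OS as one more feature in a Graham-style naive Bayes combination. The per-OS spam rates are taken from the figures quoted above, but the Windows range and the "less than 2%" figure are collapsed to single illustrative values, and the token probabilities passed in are constructed sample input; both are assumptions.

```python
from math import log, exp

# Spam rate by fingerprinted OS, from the figures quoted in the post.
# ASSUMPTION: the 60-100% Windows range is collapsed to 0.80 and
# "less than 2%" to 0.02; these are illustrative, not Craig's exact numbers.
OS_SPAM_RATE = {
    "Windows": 0.80,
    "Linux": 0.183,
    "FreeBSD": 0.02,
    "Solaris": 0.02,
}
UNKNOWN_OS_RATE = 0.5  # host p0f could not fingerprint: no evidence either way


def os_feature_probability(os_name, floor=0.01, ceiling=0.99):
    """Spam probability contributed by the OS fingerprint alone.

    The floor/ceiling clamp keeps a single feature from ever being
    treated as certain, which is exactly what "not definitive" means here.
    """
    rate = OS_SPAM_RATE.get(os_name, UNKNOWN_OS_RATE)
    return min(max(rate, floor), ceiling)


def combine(probabilities):
    """Naive Bayes combination of independent feature probabilities:

        P(spam) = prod(p_i) / (prod(p_i) + prod(1 - p_i))

    computed in log space so long feature lists do not underflow.
    """
    log_spam = sum(log(p) for p in probabilities)
    log_ham = sum(log(1.0 - p) for p in probabilities)
    shift = max(log_spam, log_ham)          # rescale before exponentiating
    spam = exp(log_spam - shift)
    ham = exp(log_ham - shift)
    return spam / (spam + ham)


def spam_score(os_name, token_probabilities):
    """Overall spam score for a message: the p0f OS feature plus the
    per-token probabilities a word-based Bayesian filter already computes."""
    return combine([os_feature_probability(os_name)] + list(token_probabilities))


if __name__ == "__main__":
    # Constructed sample inputs: token probabilities a word filter might emit.
    hammy_tokens = [0.1, 0.1]    # words strongly associated with legitimate mail
    spammy_tokens = [0.9, 0.9]   # words strongly associated with spam
    print("Windows, no tokens:   %.3f" % spam_score("Windows", []))
    print("Windows, hammy text:  %.3f" % spam_score("Windows", hammy_tokens))
    print("FreeBSD, spammy text: %.3f" % spam_score("FreeBSD", spammy_tokens))
    print("unknown OS, one 0.7:  %.3f" % spam_score("unknown", [0.7]))
```

The OS feature on its own only reproduces the quoted rate (a Windows host scores 0.80, well short of a verdict), but it moves the needle in the right direction when combined with message content: two hammy words drag a Windows host down to about 0.05, while two spammy words push a FreeBSD host, which starts at 0.02, up to about 0.62.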