<gep2(_at_)terabites(_dot_)com> wrote:
> Absolutely, and that's a good reason why blocking by either IP address or domain name is such a bad solution. A fine-grained whitelist which specifies ALLOWED behavior on a per-sender basis, on the other hand, can easily allow or block messages from a given sender ON A MESSAGE-BY-MESSAGE basis, so that their legitimate messages get delivered but the (zombie) messages being sent by their same (infected) machine, using the same mail servers and same permissions/certifications but which do not look the way that sender's messages are expected to look (by the recipient!) are efficiently and accurately identified and blocked.
> So "rehabilitation" isn't even an issue.
So the zombie becomes unable to emit spam, but there's no incentive to fix it so it's still available to the botmaster for use as a C&C machine, web/DNS server, and DDoS participant. I'd prefer that it get uninfected.
Seth
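The per-sender, message-by-message allow-list that gep2 describes above, as an added illustration in Python (not code from either poster). Each known sender gets a profile of what the recipient expects from them (content types, attachments, size, relaying hosts); a message from that sender that falls outside the profile is blocked even though it arrives from the same address and the same mail server. The profile fields, addresses, hostnames and sample messages are all constructed for this example.

```python
"""Per-sender allow-list evaluated message by message (added example).

Profile fields, sender addresses, relay hostnames and the sample messages
below are constructed for illustration; they do not come from the thread.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import parseaddr


@dataclass(frozen=True)
class SenderProfile:
    """ALLOWED characteristics of mail from one sender, as seen by the recipient."""
    allowed_content_types: frozenset[str] = frozenset({"text/plain"})
    allow_attachments: bool = False
    max_bytes: int = 64 * 1024
    # Hostnames expected in the "from" clause of Received: headers; empty = don't check.
    allowed_relays: frozenset[str] = frozenset()


_RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(]+)", re.IGNORECASE)


def relays_of(msg: Message) -> set[str]:
    """Collect the hosts named in 'Received: from <host> ...' headers."""
    hosts: set[str] = set()
    for hdr in msg.get_all("Received", []):
        m = _RECEIVED_FROM.match(hdr)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def evaluate(raw: str, profiles: dict[str, SenderProfile]) -> tuple[str, str]:
    """Return (decision, reason): 'deliver', 'block', or 'hold' for unknown senders."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    profile = profiles.get(sender)
    if profile is None:
        # Not on the allow-list at all: defer to whatever default policy applies.
        return "hold", f"no profile for {sender or '<missing From>'}"
    size = len(raw.encode())
    if size > profile.max_bytes:
        return "block", f"{size} bytes exceeds {profile.max_bytes} allowed for {sender}"
    if profile.allowed_relays and not (relays_of(msg) & profile.allowed_relays):
        return "block", f"no Received hop from a relay expected for {sender}"
    # walk() yields the message itself for single-part mail, all parts otherwise.
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and not profile.allow_attachments:
            return "block", f"attachment {filename!r} not allowed for {sender}"
        ctype = part.get_content_type()
        if ctype not in profile.allowed_content_types:
            return "block", f"content type {ctype} not allowed for {sender}"
    return "deliver", "matches sender profile"


# --- constructed sample data -------------------------------------------------
PROFILES = {
    "alice@example.net": SenderProfile(allowed_relays=frozenset({"mail.example.net"})),
}

# Alice's usual mail: plain text through her usual relay.
LEGIT = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.recipient.example
From: Alice <alice@example.net>
To: bob@recipient.example
Subject: Minutes from Tuesday
Content-Type: text/plain; charset=us-ascii

Here are the minutes we discussed.
"""

# Same sender, same relay, but HTML plus an executable attachment: not how
# Alice's mail is expected to look, so the profile blocks it.
ZOMBIE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.recipient.example
From: Alice <alice@example.net>
To: bob@recipient.example
Subject: You have a new invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html

<html><body>Open the attached invoice.</body></html>
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

TVqQAAMAAAAEAAAA
--XYZ--
"""

# Nobody has written a profile for this sender.
UNKNOWN = LEGIT.replace("Alice <alice@example.net>", "Mallory <mallory@example.org>")


def demo() -> dict[str, tuple[str, str]]:
    return {name: evaluate(raw, PROFILES)
            for name, raw in (("legit", LEGIT), ("zombie", ZOMBIE), ("unknown", UNKNOWN))}


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:8s} -> {decision:8s} ({reason})")
```

Note that the decision is made per message: the infected machine is never "rehabilitated" or "blacklisted" as a host, which is exactly Seth's objection. The relay check only looks at the outermost Received: header text, so in a real deployment it belongs behind a trusted-hop check on the headers your own MX added.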
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg