On 04/12/2015 13:26, Chris Lewis wrote:
> Secondarily, if distributed processing makes throttling per id/password
> pair difficult, why is it hard to do the botnet IP address matching at
> the authentication point? This seems like it would avoid a _lot_ of
> extra processing.

That made me think - is there a place for a distributed approach to
dealing with the problem?

If there was a "central" repository of IP addresses which have generated
failed login attempts to ANY server, then it seems to me to make sense
that you could catch them quicker - if someone tries one failed login to
5 different servers in the past hour, the chances are they are doing
something naughty, but 5 failed logins to one server may not even
trigger a warning in many cases. So, every time a server gets
'suspicious' about an IP address it can tell the repository about it,
and other servers can use something like DNS to query that repository
and act as they wish.

I know that isn't really related to SMTP, but since it came up, it made
me think.

Probably a stupid idea, what with scaling, potential for abuse, etc., but
may be worth considering for a second or two.
_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp
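
The scheme sketched in the message above, as an added example that is not part of the original post: a repository that lists an address once enough distinct servers have reported a failed login from it within the hour, plus the name a server would look up. The class, function and zone names are hypothetical, and the reversed-label query name borrows the DNSBL convention as an assumption about what "something like DNS" would look like.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 3600      # "in the past hour", from the post
MIN_REPORTERS = 5          # "5 different servers", from the post
ZONE = "authfail.example"  # hypothetical lookup zone (assumption)


class FailedLoginRepository:
    """Shared store of client IP -> reporting server -> last report time."""

    def __init__(self, window=WINDOW_SECONDS, min_reporters=MIN_REPORTERS):
        self.window = window
        self.min_reporters = min_reporters
        self._reports = defaultdict(dict)  # ip -> {server_id: timestamp}

    def report(self, server_id, client_ip, now):
        """A server tells the repository it saw a failed login from client_ip."""
        ip = ipaddress.ip_address(client_ip)  # raises ValueError on junk input
        # Keyed by server, so repeated reports from one server count once.
        self._reports[ip][server_id] = now

    def reporters(self, client_ip, now):
        """Distinct servers that reported client_ip inside the window."""
        seen = self._reports.get(ipaddress.ip_address(client_ip), {})
        return {s for s, t in seen.items() if now - t < self.window}

    def is_listed(self, client_ip, now):
        return len(self.reporters(client_ip, now)) >= self.min_reporters


def query_name(client_ip, zone=ZONE):
    """DNSBL-style owner name: reversed address labels under the zone."""
    rp = ipaddress.ip_address(client_ip).reverse_pointer
    labels = rp.rsplit(".", 2)[0]  # drop "in-addr.arpa" / "ip6.arpa"
    return f"{labels}.{zone}"


def demo():
    repo = FailedLoginRepository()
    # Constructed reports: 192.0.2.10 fails once on each of five servers,
    # 198.51.100.7 fails five times on a single server.
    for i in range(5):
        repo.report(f"mx{i}", "192.0.2.10", now=1000 + 60 * i)
        repo.report("mx0", "198.51.100.7", now=1000 + 60 * i)
    return repo, 1000 + 300
```

Counting distinct reporters rather than raw reports also means a single misbehaving server cannot get an address listed on its own, which bears on the "potential for abuse" concern raised in the message.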