
Re: [ietf-smtp] [Shutup] Levels of proposals

2015-12-04 11:03:30
On 12/04/2015 11:32 AM, Steve Atkins wrote:

> If it's a bot then 95%+ of the traffic it emits is malicious, so neither
> detecting it nor using the data are limited to solely email login attempts -
> meaning the effort can be shared and the benefits multiplied. It'd be
> interesting to compare those addresses against the XBL, as one example.

Without actually seeing the data in question, I'm pretty sure that there will be a high correlation with the XBL. There has been with previous analysis.

However, as a caution, the XBL (botnets) is a superset of auth-capable botnets, so blind use of the XBL on the MSA will potentially lead to a sizable number of FPs.

To explain that, consider that most botnets are (still) only capable of direct-to-MX. Hence, it's often the case that someone who is infected with a direct-to-MX botnet spewing crap can still be trusted (relatively! ;-) when submitting through their MSA. An auth-capable-botnet list can therefore be much safer to use on an MSA than the XBL is, unless the MSA uses the XBL in conjunction with other information (e.g., integration with flow or auth-fail statistics).
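Added illustration, not part of the thread or of any list or MSA software: a submission-policy check that compares the "blind XBL" decision the post warns against with one that only rejects a listed client when the MSA's own AUTH-failure statistics corroborate it. The DNSBL zone name, the stub answer table, the log format and the three client addresses are all constructed for the example; the reversed-octet query form is the usual DNSBL convention, and the lookup is stubbed so the block runs offline.

```python
import ipaddress
import re
from collections import defaultdict

DNSBL_ZONE = "xbl.example.invalid"   # hypothetical zone name, not a real list

# Constructed stand-in for DNS answers (query name -> A record).  A real
# deployment would resolve the name; the answer codes are whatever the
# list operator documents.  127.0.0.4 simply means "listed" here.
STUB_DNSBL = {
    "5.113.0.203." + DNSBL_ZONE: "127.0.0.4",   # infected direct-to-MX bot, but a real user
    "9.100.51.198." + DNSBL_ZONE: "127.0.0.4",  # infected and guessing credentials
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the conventional DNSBL query name: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)            # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def xbl_listed(ip: str, resolver=STUB_DNSBL) -> bool:
    """True if the (stubbed) DNSBL returns an answer for this address."""
    return dnsbl_query_name(ip) in resolver


# Constructed MSA log format: "<timestamp> submission auth=<ok|fail> ip=<addr> user=<name>"
LOG_RE = re.compile(r"auth=(?P<result>ok|fail) ip=(?P<ip>[\d.]+)")


def auth_stats(lines):
    """Count per-IP AUTH successes and failures from MSA log lines."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            stats[m.group("ip")][m.group("result")] += 1
    return stats


def decide_blind(ip: str) -> str:
    """The policy the post cautions against: the XBL listing alone decides."""
    return "reject" if xbl_listed(ip) else "accept"


def decide_combined(ip: str, stats, min_fails: int = 5, min_ratio: float = 0.8) -> str:
    """Reject a listed client only when its own AUTH behaviour corroborates abuse."""
    s = stats.get(ip, {"ok": 0, "fail": 0})
    total = s["ok"] + s["fail"]
    abusive = total > 0 and s["fail"] >= min_fails and s["fail"] / total >= min_ratio
    if xbl_listed(ip) and abusive:
        return "reject"      # bot behaviour seen on the MSA itself, not just on the MX side
    if abusive:
        return "tempfail"    # credential guessing from an unlisted host: slow it down
    return "accept"          # includes listed hosts whose submissions authenticate normally


# Constructed sample log: a listed-but-legitimate user, a listed credential
# guesser, and an unlisted ordinary user.
SAMPLE_LOG = (
    ["2015-12-04T11:03:%02dZ submission auth=ok ip=203.0.113.5 user=alice" % i for i in range(6)]
    + ["2015-12-04T11:04:00Z submission auth=fail ip=203.0.113.5 user=alice"]
    + ["2015-12-04T11:05:%02dZ submission auth=fail ip=198.51.100.9 user=u%d" % (i, i) for i in range(12)]
    + ["2015-12-04T11:06:%02dZ submission auth=ok ip=192.0.2.77 user=carol" % i for i in range(3)]
)


def compare_policies(lines):
    """Return {ip: (blind decision, combined decision)} for every client in the log."""
    stats = auth_stats(lines)
    return {ip: (decide_blind(ip), decide_combined(ip, stats)) for ip in sorted(stats)}


if __name__ == "__main__":
    for ip, (blind, combined) in compare_policies(SAMPLE_LOG).items():
        print(f"{ip:14} blind-XBL={blind:7} combined={combined}")
```

On the constructed log the blind policy rejects both listed clients, including the infected-but-legitimate user (the false positive the post describes), while the combined policy rejects only the client that is listed and also failing AUTH at a high rate. The thresholds are illustrative; an MSA would tune them to its own traffic.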
