On 12/04/2015 11:32 AM, Steve Atkins wrote:
> If it's a bot then 95%+ of the traffic it emits is malicious, so neither
> detecting it nor using the data are limited to solely email login attempts -
> meaning the effort can be shared and the benefits multiplied. It'd be
> interesting to compare those addresses against the XBL, as one example.
Without actually seeing the data in question, I'm pretty sure that there
will be a high correlation with the XBL. There has been with previous analysis.
However, as a caution, the XBL (botnets) is a superset of auth-capable
botnets, so blind use of the XBL on the MSA will potentially lead to a
sizable number of FPs.
To explain that, consider that most botnets are (still) only capable of
direct-to-MX. Hence, it's often the case that someone who is infected
with a direct-to-MX botnet spewing crap can still be trusted
(relatively! ;-) when submitting through their MSA. An
auth-capable-botnet list can therefore be much safer to use on an MSA
than the XBL is, unless the MSA uses the XBL in conjunction with other
information (e.g., integration with flow or auth-fail statistics).
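The policy sketched above, combining an XBL lookup with per-client auth-fail statistics on the MSA so that a listed-but-legitimate submitter is not rejected on the listing alone, as an added example that is not part of the original thread. It builds the reversed-octet DNSBL query name for xbl.spamhaus.org, interprets the 127.0.0.4 to 127.0.0.7 return codes as XBL hits, counts SASL successes and failures from Postfix-style submission log lines, and then decides per client IP. The log lines, the XBL answers and the thresholds (soft_limit, hard_limit) are constructed for the example; no live DNS query is made, a resolver callable is injected instead.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional

# Spamhaus XBL zone (XBL data is also served inside ZEN). Assumption for this
# example: no live DNS is performed; the caller injects a resolver callable.
XBL_ZONE = "xbl.spamhaus.org"


def dnsbl_query_name(ip: str, zone: str = XBL_ZONE) -> str:
    """Reversed-octet DNSBL query name, e.g. 5.113.0.203.xbl.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_xbl_listed(ip: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """True when the resolver answers with an XBL return code (127.0.0.4-7).

    Other 127.0.0.x codes (SBL, PBL) are deliberately not treated as XBL hits.
    """
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return False
    code = int(ipaddress.ip_address(answer))
    low = int(ipaddress.ip_address("127.0.0.4"))
    high = int(ipaddress.ip_address("127.0.0.7"))
    return low <= code <= high


# Postfix-style submission log patterns (as logged by postfix/smtpd).
AUTH_FAIL_RE = re.compile(
    r"smtpd\[\d+\]: warning: \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: "
    r"SASL \w+ authentication failed"
)
AUTH_OK_RE = re.compile(
    r"client=\S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\], sasl_method=\w+, sasl_username=\S+"
)


def auth_stats(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count SASL failures and successes per client IP."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"fail": 0, "ok": 0})
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if m:
            stats[m["ip"]]["fail"] += 1
            continue
        m = AUTH_OK_RE.search(line)
        if m:
            stats[m["ip"]]["ok"] += 1
    return dict(stats)


def msa_verdict(ip: str, listed: bool, stats: Dict[str, Dict[str, int]],
                soft_limit: int = 5, hard_limit: int = 20) -> str:
    """Decide for one submitting client. Thresholds are assumptions."""
    s = stats.get(ip, {"fail": 0, "ok": 0})
    if s["fail"] >= hard_limit:
        return "reject"        # brute force on its own merits, listed or not
    if listed and s["fail"] >= soft_limit:
        return "reject"        # XBL-listed AND failing auth: auth-capable bot
    if listed:
        return "accept-flag"   # listed host, but no sign of credential abuse on the MSA
    return "accept"


def evaluate(lines: Iterable[str], resolve: Callable[[str], Optional[str]],
             **limits: int) -> Dict[str, str]:
    stats = auth_stats(lines)
    return {ip: msa_verdict(ip, is_xbl_listed(ip, resolve), stats, **limits)
            for ip in stats}


# Constructed sample log (RFC 5737 documentation addresses, Postfix-style lines).
SAMPLE_LOG = (
    ["Dec  4 11:20:%02d mx postfix/submission/smtpd[2231]: warning: "
     "unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6" % i
     for i in range(6)]
    + ["Dec  4 11:21:10 mx postfix/submission/smtpd[2240]: 7F3A2C0B1: "
       "client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice",
       "Dec  4 11:21:12 mx postfix/submission/smtpd[2241]: warning: "
       "unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
       "Dec  4 11:22:00 mx postfix/submission/smtpd[2244]: 8A1B2C3D4: "
       "client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=bob"]
    + ["Dec  4 11:23:%02d mx postfix/submission/smtpd[2250]: warning: "
       "unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6" % i
       for i in range(25)]
)

# Constructed XBL answers standing in for real DNS responses.
CONSTRUCTED_XBL = {
    dnsbl_query_name("203.0.113.5"): "127.0.0.4",
    dnsbl_query_name("198.51.100.7"): "127.0.0.4",
}


def fake_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_XBL.get(name)


if __name__ == "__main__":
    for ip, verdict in evaluate(SAMPLE_LOG, fake_resolve).items():
        print(ip, verdict)
```

In the sample, 198.51.100.7 is the case the message is about: XBL-listed (a direct-to-MX infection) but authenticating normally, so it is accepted and only flagged, whereas 203.0.113.5 is listed and hammering SASL and is rejected. Replacing fake_resolve with a real DNS lookup is the only change needed to run this against live data.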
ietf-smtp mailing list