> > Also take a note that there are no "known-compromised hosts"
>
> What about hosts listed in RBLs?
> http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists. It
> would be interesting to see how much correlation there is
> between ssh brute forcing bots and the contents of the various lists.
Maybe http://wiki.duskglow.com/tiki-index.php?page=Packetbl ("PacketBL is a program that uses DNS blocklists to determine whether to accept or reject packets"), used with dnsbl.ahbl.org ("Aggregate zone, contains UCE/bulk email senders, open proxies, open relays, trojaned/infected machines, comment/trackback spammers"), would be a good solution.
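The correlation the quoted message asks for (how many SSH brute-force sources are already listed in a DNSBL) can be measured before any blocking is turned on. The following is an added example, not code from the thread or from PacketBL: it builds the DNSBL lookup name the way any DNS blocklist expects it (reversed IPv4 octets under the zone, a listing answered with an address in 127.0.0.0/8, as in RFC 5782), pulls repeat "Failed password" sources out of sshd log lines, and reports which of them the zone lists. The zone defaults to dnsbl.ahbl.org because that is the one named above, but any zone can be passed in. The log lines and the stub resolver are constructed so the script runs offline; passing `resolve_a` instead of the stub does live lookups. The `zone_sanity_check` is the check a practitioner should run first: a zone that no longer answers the RFC 5782 test addresses correctly (for example one that lists everything, or nothing) would either block all SSH clients or none, so the filter must not be deployed against it.

```python
import ipaddress
import re
import socket
from collections import Counter

# Zone named in the thread; any DNSBL zone can be substituted.
DEFAULT_ZONE = "dnsbl.ahbl.org"


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_a(name):
    """Live resolver: return the A record for name, or None if NXDOMAIN/unresolvable."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone=DEFAULT_ZONE, resolver=resolve_a):
    """True if the DNSBL answers with a 127.0.0.0/8 address (RFC 5782 listing convention)."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def zone_sanity_check(zone=DEFAULT_ZONE, resolver=resolve_a):
    """RFC 5782: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone failing this (dead, wildcarded, or listing everything) is unsafe to filter on."""
    return is_listed("127.0.0.2", zone, resolver) and not is_listed("127.0.0.1", zone, resolver)


# Matches the two common sshd failure forms: with and without "invalid user".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def brute_force_sources(log_lines, threshold=3):
    """Source IPs with at least `threshold` failed password attempts."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def correlate(log_lines, zone=DEFAULT_ZONE, resolver=resolve_a, threshold=3):
    """Which brute-force sources the zone already lists, and what fraction that is."""
    sources = brute_force_sources(log_lines, threshold)
    listed = sorted(ip for ip in sources if is_listed(ip, zone, resolver))
    fraction = len(listed) / len(sources) if sources else 0.0
    return {"sources": sources, "listed": listed, "fraction_listed": fraction}


# Constructed sample auth.log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = [
    "Jan 10 03:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2",
    "Jan 10 03:14:03 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2",
    "Jan 10 03:14:05 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 4424 ssh2",
    "Jan 10 03:14:07 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 4425 ssh2",
    "Jan 10 03:20:11 bastion sshd[2240]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "Jan 10 03:20:12 bastion sshd[2240]: Failed password for root from 198.51.100.7 port 51003 ssh2",
    "Jan 10 03:20:14 bastion sshd[2240]: Failed password for root from 198.51.100.7 port 51004 ssh2",
    "Jan 10 03:31:40 bastion sshd[2290]: Failed password for alice from 192.0.2.9 port 60010 ssh2",
    "Jan 10 03:31:45 bastion sshd[2290]: Accepted publickey for alice from 192.0.2.9 port 60010 ssh2",
]

# Constructed stand-in for the zone's answers: 203.0.113.5 and the RFC 5782 test
# address 127.0.0.2 are "listed"; everything else resolves to nothing (NXDOMAIN).
STUB_ANSWERS = {
    dnsbl_query_name("203.0.113.5", DEFAULT_ZONE): "127.0.0.2",
    dnsbl_query_name("192.0.2.9", DEFAULT_ZONE): "127.0.0.4",
    dnsbl_query_name("127.0.0.2", DEFAULT_ZONE): "127.0.0.2",
}


def stub_resolver(name):
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    if not zone_sanity_check(resolver=stub_resolver):
        raise SystemExit(f"{DEFAULT_ZONE} fails the RFC 5782 test addresses; do not filter on it")
    print(correlate(SAMPLE_AUTH_LOG, resolver=stub_resolver))
    # → {'sources': {'203.0.113.5': 4, '198.51.100.7': 3}, 'listed': ['203.0.113.5'], 'fraction_listed': 0.5}
```

Note that 192.0.2.9 is listed in the stub but does not appear in the result: one failed login followed by a successful key login is an ordinary user, and the threshold keeps such hosts out of the correlation, which is also why a packet-level filter such as PacketBL would want the sanity check and a threshold rather than blocking on every DNSBL hit.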