On Sat, 15 Apr 2006, Max Clark wrote:
> idea would be to then take this information and create a ratio - if
> the threshold is crossed then the remote ip, host, and/or domain would
> be blacklisted/greylisted for a period of time.
> What do you think, is there value in this approach?

You can eliminate a lot of offenders right away with greylisting. Most of
the attacks I get are from zombies and get shut down by greylisting, but
there are smarter than average zombies out there which come by for seconds
and defeat the greylisting solution. I've been thinking that maybe the
best approach is to send a soft disconnect after one questionable email is
received from a given connection. That way legitimate senders will have
no problem but smart zombies are limited to one email per connection.
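
An added illustration of the soft-disconnect idea in the reply above; it is not code from either poster. It assumes the server accepts the questionable message and then answers the next command with a 421 and closes the connection. The score field, the threshold and the reply texts are constructed for the example.

```python
# Simulation of "soft disconnect after one questionable email per connection".
# Assumptions: each message carries a filter score; SCORE_THRESHOLD is constructed.

ACCEPT = "250 2.0.0 accepted"
SOFT_DISCONNECT = "421 4.7.0 closing connection, try again later"
SCORE_THRESHOLD = 5.0


def is_questionable(msg):
    """Hypothetical stand-in for whatever content or reputation check is in use."""
    return msg["score"] >= SCORE_THRESHOLD


def run_connection(queue):
    """Serve one connection; return (server replies, messages still unsent)."""
    replies = []
    for i, msg in enumerate(queue):
        replies.append(ACCEPT)
        if is_questionable(msg):
            remaining = queue[i + 1:]
            if remaining:
                # The client's next MAIL FROM gets a temporary failure.
                replies.append(SOFT_DISCONNECT)
            return replies, remaining
    return replies, []


def send(queue, reconnects):
    """Sender that reconnects up to `reconnects` times after a 421.

    Returns (messages delivered, connections used).
    """
    delivered = connections = 0
    while queue and connections <= reconnects:
        replies, queue = run_connection(queue)
        delivered += replies.count(ACCEPT)
        connections += 1
    return delivered, connections


if __name__ == "__main__":
    clean = {"score": 0.5}
    bad = {"score": 9.0}
    print("clean sender, no retry:   ", send([clean] * 3, 0))
    print("MTA with one odd message: ", send([clean, bad, clean], 5))
    print("zombie, no retry:         ", send([bad] * 4, 0))
    print("zombie that reconnects:   ", send([bad] * 4, 3))
```

A sender that queues and retries on 4xx loses nothing, while a sender pushing only questionable mail pays one full connection per message.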