1 - Local Blacklist and limbo cache - Create the Ability to reject an entire class C of Ip's if more than "x"number of  ip's from that class C is listed in the limbo or blacklist cache.  This could be on a temporary basis or permanent basis

 

2 - If an ip is added to the limbo or blacklist cache more than "x" times in "y" days, then ip will be added to a permanent blacklist - such as honeypot blocked ips.

 

Comments Anyone?

 

Jeremy

 

Heres something I have been doing. I setup an extensive honeypot email address list, based mostly off what Im receiving in quarantine. If I see the same address getting hit over a few days, and I know we definatly dont host it, I add that email address to the honeypot. This works great for the most part, but, some jerks out there send these emails from good servers like yahoo or verizon, and then those servers land in the blockedbyhoneypot ips, but this doesnt happen often.

 

What I do after that is take the list of IPs, maybe once a month, import them into an MS Access table and query the data, asking it to show me all Class Cs with more than lets say 5 unique hits. I take any it finds and I block the whole Class C in the local ip blacklist file. I then clear my honeypot ip file and start over. This works well and avoids false positives.

 

 

 

I would also like to expand on it. It's just whats the best way to make use of the Limbo\Cached IPs. Maybe if the program could log to the local blacklist a Class C based on a # of unique addresses in the Limbo\Cache. This option of course would be turned off by default, and tailorable to how many unique IPs you want to see before you block the Class C.