Thread: advise on network security report




advise on network security report
user name
2006-10-30 17:44:22
>>  o being put on a major DNS black list (spamcop, spamhaus, ahbl etc.)
>>  o hosting malware or phishing sites, open proxies
>>  o sending LOTS of SPAM, virus
>>  o IRC abuse
>>  o Botnet C&C
>>  o hoping glue/fast flux
>>  o abusive, vulnerable web servers
>
> Some of those are clearly ludicrous to count as "incidents" at all

oh?  which?

i can see some not being clearly incidents, but rather operational
states, e.g. a vulnerable server/service.  but ludicrous?

randy

advise on network security report
user name
2006-10-30 17:58:16

On Oct 30, 2006, at 9:44 AM, Randy Bush wrote:

>>>  o being put on a major DNS black list (spamcop, spamhaus, ahbl etc.)
>>>  o hosting malware or phishing sites, open proxies
>>>  o sending LOTS of SPAM, virus
>>>  o IRC abuse
>>>  o Botnet C&C
>>>  o hoping glue/fast flux
>>>  o abusive, vulnerable web servers
>>
>> Some of those are clearly ludicrous to count as "incidents" at all
>
> oh?  which?
>
> i can see some not being clearly incidents, but rather operational
> states, e.g. a vulnerable server/service.  but ludicrous?

Well, the data sources that have a significant false positive rate are
going to count many things as "incidents" that are anything but.
If sending closed-loop, opt-in email is considered equivalent to
hosting a botnet command and control network... the data is meaningless.

In the hope of not pulling the blacklist trolls out of the woodwork
I'm not going to be more specific as to which of those data sources
have noticeable false positive issues, but I'm sure you get my point.

Cheers,
   Steve
