RE: [gnso-ff-pdp-may08] Fast Flux Definition - V4.1

[Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>]

Greg mentioned:

#Perhaps key concepts are:
#
#1.  Discerning intent very accurately requires manual examination of the
#sites involved.  One could theoretically build a solution that detects flux,
#and then scores the sites for intent.  Would you want that system to
#automatically blacklist domains?  See #2...

I probably just watched "Dr. Strangelove" too many times growing up, but I
*really like* the idea of positive manual control rather than automated 
systems running solely on autopilot. I know that a triple seven *could* 
probably fly automatically from SFO to DEN, but I still like having a 
pilot (and a spare!) just in case fly-by-wire goes awry.

So yes, I like the idea of a system that screens automatically, but which
has human review nominal results before serious negative action takes place.

The counter argument that one normally hears is "manual review takes too
long" however that is not the case if identical domains are treated en
masse. If automated screening identifies a cluster of fastflux domains, 
all of which share identical bogus bad whois data, that cluster should be
treated en bloc rather than onesie-twosie. (So I do not believe that
manual review need be so burdensome as to be infeasible)

#2.  Taking down domains is a serious business.  When taking down domains, an
#intervenor assumes risks, aspires to 100% accuracy, and does not want to
#harm innocent parties.  That's why anti-phishing personnel visit potential
#phish and check off certain criteria before they call it a phish and
#initiate a take-down. 

No argument from me. Remember, I like human pilots (and co-pilots). :-)

Regards,

Joe

Disclaimer: all opinions strictly my own.