RE: [Bulk] [gnso-ff-pdp-may08] Mike R's "24/7 abuse queue" proposal

[Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>]

Greg asked:

#Can you clarify what you mean when you say "the Mannheim paper
#provides a similar trustworthy assessment for fast flux."  Do you mean it
#gives a human a good list of candidate sites to look at in order to consider
#domain take-downs?  Or do you mean you would automatically take down sites
#that meet the minimum Mannheim score?

I consider the Mannheim formula to provide a trustworthy measurement of the
fastflux phenomena in the same way I'd trust a thermometer to provide a 
trustworthy measurement detecting the presence of fever.

But a finding of a fastflux domain, or a finding of the presence of fever, 
should still be interpreted/reviewed by a human (in my opinion).

In the fever case, for example, should the patient receive symptomatic 
relief and be told to go home and get some rest, or is the fever a sign 
of serious infection requiring a course of antibiotics or other
treatment? 

In the fast flux case, does the available evidence support "HOLD"'ing the 
domain, or is something else going on (hypothetically, a DNS cache 
poisoning attack, for example?)

Recall my comments about while a 777 might be able to fly using only 
automation, I still like have a distinct Luddite fondness for pilots and 
co-pilots. I remain a big fan of:

-- FQDN gets nominated

-- Automated test analyzes that domain, including both its fluxiness and
   any potential cautionary indicators (as discussed earlier in conjunction 
   with the hypothetical eBay example).

-- A human being reviews the totality of the evidence, and then flips the 
   switch (or doesn't flip the switch, as the case might be)

I recognize that the last step, human review, is one which some of my
colleagues on the list disagree with, and it is unquestionably true that
some sites might elect to omit that final step, or employ it only in the
most nominal/rubberstamping fashion, but I believe it is a worthwhile part 
of the process, if only because it will provide what might be called a 
"common sense" last clear chance to catch any truely grotesque automation
issues.

Over time, if the human being never (correctly) overrides the automated
recommendation, the need for that final review may be be determined to 
no longer exist, but for something that's new, I really think you want
it in place at least until everything proves itself to be running
smoothly.

Regards,

Joe

Disclaimer: all opinions strictly my own.