[gnso-ff-pdp-may08] About "fingerprinting"
- To: fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] About "fingerprinting"
- From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
- Date: Fri, 17 Oct 2008 08:38:02 -0700

When reviewing the FF report, especially in the context of characteristics
that we describe as part of a "fingerprint", please bear in mind that the
practice of matching fingerprints relies on achieving as many possible
matches as possible. A fingerprint match with only 5 points is very
borderline, whereas a fingerprint match with 12-15 points is very
convincing/conclusive.

In the context of our report, I have tried, with others, to identify as many
markers fast flux investigators have identified as being associated with a
fast flux attack as possible. In no way am I suggesting that any single one of
these characteristics is cause to conclude you've identified a FF attack
network.

Think of antispam software. The presence of a single use of a popular ED
brand should not mark mail as spam. Other criteria are used by quality
antispam software to block a mail because it is spam.