DHA - Directory Harvest Attack best practices
Updated: 21 May 2010 | 7 comments
This issue has been solved.
SBG out of the box is configured for
bad recipients % = 80
min # of bad recipients = 5
window = 10 minutes
penalty box = 60 minutes.
I'm wondering what others are using for these settings. I'm thinking of increasing the penalty box time to a couple of hours.
Also, is anyone using the DHA reports to populate local bad sender IP lists?
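To make the four settings in the original post concrete, here is an added example (not SBG code, and not from anyone in this thread) that models a sliding-window DHA detector with those defaults and then simulates the trade-off discussed below: a penalty box long enough to stop a harvester, but short enough that a legitimate MTA retrying hourly still delivers before it gives up. The IP address and the RCPT TO burst are constructed sample data.

```python
from collections import deque


class DhaDetector:
    """Hypothetical directory-harvest detector using the post's SBG defaults:
    bad recipients >= 80% of a window of at least 5 bad, 10 minute window,
    60 minute penalty box. Times are seconds."""

    def __init__(self, bad_pct=80, min_bad=5, window_min=10, penalty_min=60):
        self.bad_pct, self.min_bad = bad_pct, min_bad
        self.window, self.penalty = window_min * 60, penalty_min * 60
        self.events = {}       # ip -> deque of (timestamp, recipient_was_bad)
        self.boxed_until = {}  # ip -> timestamp the penalty box expires

    def rcpt(self, ip, ts, valid):
        """Record one RCPT TO from ip. Returns 'accept', 'reject' (unknown
        user) or 'deferred' (sender is in the penalty box)."""
        if ts < self.boxed_until.get(ip, 0):
            return "deferred"
        q = self.events.setdefault(ip, deque())
        q.append((ts, not valid))
        while q and q[0][0] < ts - self.window:   # drop events outside window
            q.popleft()
        bad = sum(1 for _, is_bad in q if is_bad)
        if bad >= self.min_bad and bad * 100 >= self.bad_pct * len(q):
            self.boxed_until[ip] = ts + self.penalty  # threshold hit: box it
            q.clear()
            return "deferred"
        return "accept" if valid else "reject"


def simulate(penalty_min, retry_every_min=60, give_up_min=240):
    """One constructed IP harvests (1 valid, 7 unknown recipients in a few
    seconds), then retries a legitimate message every retry_every_min until
    give_up_min. Returns the minute the retry is accepted, or None."""
    d = DhaDetector(penalty_min=penalty_min)
    for i in range(8):
        d.rcpt("198.51.100.7", i, valid=(i == 0))   # constructed burst
    for m in range(retry_every_min, give_up_min + 1, retry_every_min):
        if d.rcpt("198.51.100.7", m * 60, valid=True) == "accept":
            return m
    return None


if __name__ == "__main__":
    for penalty in (60, 180, 300):
        print(penalty, "min penalty -> accepted at minute", simulate(penalty))
```

With the 60 minute default the retry at minute 120 gets through; at 180 minutes the minute 240 retry still succeeds, while 300 minutes outlasts an MTA that gives up after 4 hours.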
Comments
Configuring directory harvest attack recognition
http://seer.entsupport.symantec.com/docs/321878.htm
Thanks & Regards Sandip C Sali
Thanks. I've read the manual. I'm looking for user experiences (pro/con) of using longer penalty times, or lower thresholds, and the idea of using this as a source for local bad sender IPs.
My DHA stats
Attached PDF for about 3 days.
I think it's not a good idea to put those IP addresses in the "Local Bad Sender IPs". Here is my thinking: since most of the IPs would be dynamic and may later be assigned to senders trying to send legit messages, you will not be able to receive messages from them and they will have to contact you to get the IP address removed from your local list. This puts the additional burden of micro-managing those IPs on the admin.
I see that one of the IPs (203.87.178.17) in your report (I did not check other IPs) already has a "negative reputation" in the Symantec IP Reputation database. I would rather let Symantec manage those IPs based on its global intelligence network. But if you are willing to take on the additional administrative burden and are fairly certain that you have not and will not receive legit messages from those IPs, then maybe it's not a bad idea to add those IPs to the local list.
Regards,
Adnan
I agree that the admin burden is probably not worth the trouble. I'm not so sure about "dynamic" addresses moving to legitimate senders being an issue... but I do have vendors who are on "DSL" space per IP2Location.com data.
I'm thinking that I might want to make the penalty time longer - say 2-3 hours, as I think most legit senders will retry for at least 4 hours before notifying their users.
Yes, I think increasing the penalty time to 3 hours may not be a bad idea.
Thanks.