In #771 we created a detailed blacklisting guideline which however is rather conservative especially when it comes to aggressive campaigns which repeatedly spam a large number of apparently unrelated domain names which are however part of the same coordinated attack.
To start the discussion, I would like to propose that we define "current campaigns", tentatively to something we can group as related over the last week or so, and for new spam incidents which belong to one of these current campaigns, lower the thresholds.
To review, the current thresholds are 5/5 for below auto and less than 6 months, falling back to 10/10 over a year, or 20/20 over a longer time.
For current campaigns, I would lower these thresholds to 3/3, 5/5, and 10/10.
We should also say something useful about x/y where y>x. This case is currently not covered, and casual reading would suggest "do not blacklist under any circumstances if there are false positives". That is arguably much too strict.
Quick show of hands, please? Thumbs up = let's discuss, thumbs down = the current guideline is fine.
https://charcoal-se.org/smokey/Guidance-for-Blacklisting-and-Watching
Most helpful comment
Quick show of hands, please? Thumbs up = let's discuss, thumbs down = the current guideline is fine.
https://charcoal-se.org/smokey/Guidance-for-Blacklisting-and-Watching