Gordon Smith wrote:
The problem with that would be dynamically assigned addresses, unless you included a lookup being done against your radius databases by the SMTP proxy, so that the user can be identified.
Possibly, a better solution would be to analyse netflow data as it hits the collectors, and identify offending machines that way. By using netflow, you can extend detection of worms, etc. to include all ports, rather than just port 25.
Doing dynamic throttling of infected connections is much more difficult - there's not a large range of equipment out there that can do that reliably, although the Juniper ERX does spring to mind :-) But that's not a box you'd find in most ISPs.
Done -- I wrote a simple detection script that parses netflow data and warns about users that are doing sustained amounts of high volume to various ports. :)
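As an added illustration of the kind of check described in the thread (not the poster's script, and not tied to any particular collector), the block below reads flow records in an assumed one-flow-per-line format `<epoch> <src> <dst> <dport> <bytes>`, buckets them per source into one-minute windows, and reports sources that keep exceeding a byte threshold across consecutive windows while spreading traffic over many destination ports. The sample export is constructed.

```python
from collections import defaultdict

# Assumed record format (not a real collector export): "<epoch> <src> <dst> <dport> <bytes>"
def parse_flow(line):
    ts, src, dst, dport, nbytes = line.split()
    return int(ts), src, dst, int(dport), int(nbytes)

def detect_offenders(lines, window=60, min_bytes=100_000, min_ports=10, min_windows=3):
    """Return {src: (longest run of busy windows, distinct dports in busy windows)}
    for sources that send >= min_bytes in each of min_windows consecutive windows
    and touch >= min_ports distinct destination ports while doing so."""
    per_src = defaultdict(lambda: defaultdict(lambda: [0, set()]))  # src -> bucket -> [bytes, ports]
    for line in lines:
        ts, src, _dst, dport, nbytes = parse_flow(line)
        bucket = per_src[src][ts // window]
        bucket[0] += nbytes
        bucket[1].add(dport)
    offenders = {}
    for src, buckets in per_src.items():
        busy = sorted(b for b, (total, _) in buckets.items() if total >= min_bytes)
        best_run, run, prev, ports = 0, 0, -2, set()
        for b in busy:
            run = run + 1 if b == prev + 1 else 1   # consecutive busy windows = "sustained"
            prev = b
            best_run = max(best_run, run)
            ports |= buckets[b][1]
        if best_run >= min_windows and len(ports) >= min_ports:
            offenders[src] = (best_run, len(ports))
    return offenders

def constructed_flows():
    """Constructed sample export (not real data): a worm-like host, a one-minute burst, a normal host."""
    lines = []
    for minute in range(3):                      # 10.0.0.5: 20 ports x 10 kB, three minutes running
        for port in range(1000, 1020):
            lines.append(f"{minute * 60 + port % 60} 10.0.0.5 192.0.2.{port % 50 + 1} {port} 10000")
    for port in range(2000, 2020):               # 10.0.0.7: same burst, but only one minute
        lines.append(f"{port % 60} 10.0.0.7 192.0.2.1 {port} 10000")
    for minute in range(5):                      # 10.0.0.9: ordinary HTTPS, low volume
        lines.append(f"{minute * 60 + 5} 10.0.0.9 198.51.100.10 443 1500")
    return lines

if __name__ == "__main__":
    for src, (windows, ports) in detect_offenders(constructed_flows()).items():
        print(f"WARNING {src}: {windows} consecutive busy windows, {ports} distinct ports")
```

Thresholds are illustrative; the single-minute burst from 10.0.0.7 is deliberately left unflagged so that only sustained behaviour is reported.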