I understood that. You temp block the MS IP that shows high
failure rate, which may or may not be warranted.

My question was more along the lines of: by allowing MS IPs to mask
the user's true identity, how can you identify when a mailbox has been
compromised?

Thanks,
Scott

On Thursday, 12/12/2024 at 10:34 Francois Petillon via mailop wrote:



On 12/12/24 16:19, Scott Q. wrote:
> How can you tell if they are compromised if legitimate user A connects from
> France via 'New' Outlook and hacker B connects from Australia via 'New' Outlook?

I'm afraid you misunderstood my previous answers. When an IP is
behaving like:

IP 4.233.216.98 (8075) : 2372 accounts failed (99.79%) / 2377 accounts
!!! AS8075 MICROSOFT-CORP-MSN-AS-BLOCK !!! BLOCKED !!! (FR)

The 5 accounts that managed to successfully authenticate will be
considered as compromised.

There is exactly the same issue with VPNs as the same IP might be
shared with regular users and script kiddies.

François
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
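
The per-IP heuristic described in the quoted reply, as an added example that is not part of the original thread and not the poster's own tooling: count distinct accounts per source IP, flag IPs where nearly all of them never authenticate, and treat the few that did as suspected compromised. The event tuple format, the function names and both thresholds are assumptions; the thread does not state the values actually used.

```python
from collections import defaultdict

# Assumed thresholds; the thread does not give the real ones.
MIN_ACCOUNTS = 50        # ignore IPs that touched only a few accounts
MIN_FAIL_RATIO = 0.95    # share of accounts that never authenticated

def analyze(events):
    """events: iterable of (ip, account, success) tuples (assumed format).

    Returns {ip: stats} for each IP whose per-account failure ratio
    marks it as a password-guessing source.
    """
    tried = defaultdict(set)      # ip -> every account attempted
    succeeded = defaultdict(set)  # ip -> accounts with at least one success
    for ip, account, success in events:
        tried[ip].add(account)
        if success:
            succeeded[ip].add(account)

    flagged = {}
    for ip, accounts in tried.items():
        failed = accounts - succeeded[ip]
        ratio = len(failed) / len(accounts)
        if len(accounts) >= MIN_ACCOUNTS and ratio >= MIN_FAIL_RATIO:
            flagged[ip] = {
                "accounts": len(accounts),
                "failed": len(failed),
                "ratio": ratio,
                # A login that works from a guessing source implies
                # the guesser holds a valid password for that account.
                "suspect": sorted(succeeded[ip]),
            }
    return flagged

def sample_events():
    """Constructed events: documentation IP ranges, made-up accounts."""
    ev = [("203.0.113.7", f"user{n}@example.org", False) for n in range(400)]
    ev.append(("203.0.113.7", "user12@example.org", True))  # fail, then hit
    ev.append(("203.0.113.7", "alice@example.org", True))
    # Ordinary shared IP: 60 users log in, 3 other accounts mistype.
    ev += [("198.51.100.20", f"staff{n}@example.org", True) for n in range(60)]
    ev += [("198.51.100.20", f"typo{n}@example.org", False) for n in range(3)]
    # Too few accounts to judge, even at 100% failure.
    ev += [("192.0.2.9", f"x{n}@example.org", False) for n in range(3)]
    return ev

if __name__ == "__main__":
    for ip, s in analyze(sample_events()).items():
        print(ip, f"{s['failed']}/{s['accounts']} failed", s["suspect"])
```

The sketch shares the limitation raised in the thread: on a shared relay or VPN address, a legitimate user who logs in while the guessing runs is indistinguishable from a successful guess.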