We get on avg 720 Brute-Force, 160 DoS, and 15 Harvester warnings per day. Being OCD I do the following:
- Enter the IPs into a database, although a spreadsheet would suffice (keep it for at least 90 days as Spammers cycle through the same IP Ranges once a month, once every other month, once every 3 months, and once every 6 months depending on the spambot net).
- I then look up the IP Range, Network Owner, Country and rDNS for each entry (best to script this out for a large number, otherwise you can use online tools or Linux cmds using Cygwin, or Windows utilities such as SolarWinds Advanced Subnet Calculator to do this manually).
- Once I get abuse from 3 or more IPs in the same IP Range I do a Senderbase Reputation Lookup (http://www.senderbase.org/). If the entire IP Range is Poor then I add them to my Smartermail Blacklist. If some are Neutral or Good and only the /24-/29 CIDR Block is Poor then I Blacklist just that range. If there is a mix then I just let the RBLs sort them out.
- Once I get Abuse from 3 different IP Ranges for the same Network Owner I look up all IP Ranges assigned to them and repeat #3 for all of their IP Ranges, not just the ones hitting me (there are some Network Owners that specialize in nothing but Spam and are more than safe to block).
- Once a month I review the rDNS for all entries to find common EHLO wildcards I can use in Smartermail's SMTP Blocked Senders, and look at the Countries by percentage to determine which Countries I need to add a targeted Custom Filter or RBL for.
All in all it takes about 3-4 hours a week for our Abuse load to do this and after a year we are now blocking @ 16,000,000 connections a day by this method.
I strongly wouldn't recommend doing this if you have a similar load as we do (as you'd have to be both crazy and masochistic), but for a couple of alerts a day it would be less than a minute or two of work and may pay off.
Note: Brute Force Alerts are generally caused by Bot-Nets of compromised computers and WordPress websites. They usually follow no rhyme or reason or pattern and as such there is little return in tracking/blocking them (with the exception of a small handful of Bot-Nets that use the same EHLO). Harvester Alerts 90% of the time are duplicates of DoS Alerts. You could probably safely focus on just the DoS Alerts and save yourself a lot of time.