Author: M.Prince (5 Sep 07 7:10am)
That's basically exactly right.
We do some other checks for IPs labeled "suspicious." But generally, in order to be included on the http:BL, you need to either have harvested an email address that is subsequently sent to, or posted to a trap form hidden on a honey pot.
Going forward, we're thinking of additional ways in order to more quickly move IPs that we see visiting honey pots into the suspicious category. This may include using third-party data. In some cases, we may decide that third-party data alone is sufficient to list an IP as suspicious, even if we haven't seen the IP on our network of honey pots ourselves.