In order to keep an eye on IP addresses that create a lot of FxA accounts over a long period of time, we could keep a histogram-like structure which would:
1- display the top-10 IP addresses with the total number of accounts created (text form)
2- have a configurable blacklist of IP addresses to ignore (e.g. Mozilla offices, large carrier NATs)
3- send email alerts when an IP address reaches a threshold
I suggest we start with 1 and 2 and then use the data collected to determine what a good threshold would be.
Not sure what alerting on an absolute total buys us. i.e. if an IP address created X accounts we alert? (when it could have been over a month, quarter, or year) We will already catch anyone that has heavy daily activity and they cannot really roll up big long term numbers without triggering it.
Other notes:
- Define 'long period'
- Top ten over a long period can hide up and coming IP addresses. i.e., IP address x.x.x.x may have had 1M creations last month but none since; do you want it to obscure an IP address that had 100K creations this week?
- it would be a whitelist but yes that would be useful
The underlying idea was to detect IPs that might be creating a large number of accounts but doing so slowly, since, as you point out, we already detect heavy daily activity. I'm assuming here that someone who creates an account every hour would not be caught by our existing alerts, even though they would be creating close to a thousand accounts every month. I have no idea about the alert threshold, so perhaps we need to watch the data for a few weeks and build up our blacklist first before we think about email alerts. In terms of "long period", I was thinking somewhere between 1 week and 3 months. Maybe it would be useful to have a weekly top-10 and a monthly top-10?
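A sketch of the weekly and monthly top-10 with an ignore list, as an added example that is not part of the original bug discussion or any FxA code. The function names, IP addresses (documentation ranges), event counts and the 7-day and 30-day windows are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical ignore list: a documentation range standing in for offices / carrier NATs.
IGNORED_NETS = [ip_network("192.0.2.0/24")]
NOW = datetime(2015, 3, 1)  # constructed reference time


def is_ignored(ip):
    """True when the address falls inside any configured ignore range."""
    addr = ip_address(ip)
    return any(addr in net for net in IGNORED_NETS)


def top_creators(events, now, window, n=10):
    """Return [(ip, count)] for the n busiest non-ignored IPs in (now - window, now]."""
    start = now - window
    counts = Counter(
        ip for ts, ip in events if start < ts <= now and not is_ignored(ip)
    )
    return counts.most_common(n)


def sample_events(now):
    """Constructed account-creation events as (timestamp, ip) pairs."""
    events = []
    # Slow creator: one account per hour for 30 days (720 in total).
    events += [(now - timedelta(hours=h), "198.51.100.7") for h in range(30 * 24)]
    # Old burst: 1000 accounts within one day, 25 days ago, nothing since.
    events += [(now - timedelta(days=25, minutes=m), "203.0.113.9") for m in range(1000)]
    # Up-and-coming address: 300 accounts over the last two days.
    events += [(now - timedelta(minutes=10 * m), "203.0.113.50") for m in range(300)]
    # Ignored office range: high volume that must never appear in the output.
    events += [(now - timedelta(minutes=5 * m), "192.0.2.10") for m in range(5000)]
    return events


def report(events, now):
    """Text-form weekly and monthly top-10, one 'ip count' line per entry."""
    lines = []
    for label, window in (("weekly", timedelta(days=7)), ("monthly", timedelta(days=30))):
        lines.append(f"{label} top-10")
        lines += [f"  {ip:<15} {count}" for ip, count in top_creators(events, now, window)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sample_events(NOW), NOW))
```

In this constructed data the monthly view is led by the old burst, while the weekly view drops it and puts the recent address first; the hourly creator appears in both.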