>Well, you're part of the way there in that you've identified IPs that are definitely "bots". The trouble is making that identification process generic and reliable. Bots are like art - it's hard to describe exactly what they are, but you know them when you see them.
>
>And sometimes the IP by itself is not enough. You might have a customer with 200 users behind a firewall and a single IP. If one of those users gets infected, the bot attacks will come from that same IP. What happens in that case?
Yes, interesting problem.