I've done some research on spam-fighting and dnsbls - there seems to be a lack of a general-purpose crowdsourced IP-harvesting/honeypot project.
- If there is any bad activity from an IP (ssh-breakin-attempts, spamming attempts, wiki/forum spam, etc), it makes sense to blacklist the IP for any purposes. It is likely that a compromised host or IP-address will be abused for multiple purposes, and hopefully it will cause people to take action, seeing that they get blocked from more and more services.
- Focus on "real time". Insignificant delays between the first report that the IP has been involved in "bad activity" until the IP is blacklisted. Short retention periods for IPs that have been reported only once.
- Open up for total crowd sourcing - let anyone register a user account to report IPs to be blacklisted and IPs to be whitelisted or delisted - but at least it should be required with a valid email adress.
- Request a delisting - very automated process, but the delister should prove some kind of control of the IP. Select-button for "reason for delisting", including "reused IP", "security problem cleaned up", and "false reporting".
- There should be some sanctions for users that frequently request delisting of IPs, which are later relisted, and for users that falsely request blacklisting, etc.
- Some small profits can be made i.e. by selling consultancy services (including "help for delisting").
- Collateral damage: Collateral damage may be acceptable if:
- it makes an incentive for ISPs and neighbours to push for improved security.
- it may be a necessary evil - especially for IPv6, it may be necessary to block a larger sub-net to efficiently block out spammers, but there are also people out there having access to bigger ranges of ipv4, or having dynamic IP-adress which is picked up from a big pool on every reconnection attempt.
- it may be pure necessary to be able to block out attacks