Revisions for StabilityCheck
**Proposed Goal**
**Assumptions:**
Legitimate senders have a different usage pattern than unauthorized senders.
Legit mail has fewer IP address sources per envelope-from domain than unauthorized mail.
IP addresses used to send unauthorized email are used less frequently (sporadically) and with a higher turnover of different domain names than IP addresses used to send authorized email.
**Questions which may lead to accomplishing goal or testing assumptions**
**Loopholes and proposed methods of closing them**
Unauthorized senders could attempt to fit the profile of legit senders. If they mimic legit senders by becoming stable, i.e. sending from the same IP addresses consistently and/or not having a high turnover in envelope-from domains, they will wind up having their mail blocked by blacklists, either IP-based or RHS (Right Hand Side).
Any IP address use that is shared between legit and unauthorized traffic may not be differentiated by this check.
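
The measurements named under Assumptions can be computed from a mail log as follows. This is an added example, not part of the original proposal; the record layout, the function names and both thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample log: (day, sending IP, envelope-from domain). Not real traffic.
SAMPLE = [(date(2024, 1, d), "192.0.2.10", "example.com") for d in range(1, 8)] + [
    (date(2024, 1, 2), "198.51.100.7", "example.com"),
    (date(2024, 1, 2), "198.51.100.7", "example.net"),
    (date(2024, 1, 2), "198.51.100.7", "example.org"),
    (date(2024, 1, 6), "203.0.113.5", "example.com"),
    (date(2024, 1, 6), "203.0.113.5", "example.edu"),
]

# Illustrative thresholds (assumptions; the proposal does not give values).
MIN_ACTIVE_FRACTION = 0.5  # IP must send on at least half the days in the window
MAX_DOMAINS_PER_IP = 2     # more distinct envelope-from domains = high turnover


def stability_metrics(records):
    """Return (ips_per_domain, per_ip); per_ip[ip] = (active_fraction, domain_count)."""
    domain_ips, ip_domains, ip_days = defaultdict(set), defaultdict(set), defaultdict(set)
    for day, ip, domain in records:
        domain_ips[domain].add(ip)
        ip_domains[ip].add(domain)
        ip_days[ip].add(day)
    if not ip_days:
        return {}, {}
    days = [d for seen in ip_days.values() for d in seen]
    window = (max(days) - min(days)).days + 1  # days covered by the log
    ips_per_domain = {dom: len(ips) for dom, ips in domain_ips.items()}
    per_ip = {ip: (len(ip_days[ip]) / window, len(ip_domains[ip])) for ip in ip_days}
    return ips_per_domain, per_ip


def is_stable(active_fraction, domain_count):
    """An IP fits the stable profile if it sends regularly for few domains."""
    return active_fraction >= MIN_ACTIVE_FRACTION and domain_count <= MAX_DOMAINS_PER_IP


def stable_sources(records, domain):
    """IPs seen sending for `domain` that fit the stable profile."""
    _, per_ip = stability_metrics(records)
    return sorted({ip for _, ip, dom in records
                   if dom == domain and is_stable(*per_ip[ip])})


if __name__ == "__main__":
    print(stability_metrics(SAMPLE))
    print(stable_sources(SAMPLE, "example.com"))
```

Because each IP receives a single label, an address shared between legit and unauthorized traffic is scored on the combined traffic, which is the second loophole listed above.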