Entities: connections, messages, sending IPs, destination email addresses and domains, sending email addresses and domains
- RBL hits per entity
- Minimum, maximum, average, mean, deviation
- Bad RCPTs per entity
- Total RCPTs per entity
I’m sure there’s more; this post will be edited as I think of them.
You can detect VERP senders by looking for a high correlation between the sending domain and the receiver email address.
You can detect dictionary attacks by looking for a high correlation between the sending IP, domain or receiver email address and the receiving domain.
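
The two heuristics above and the per-entity RCPT counters, as an added Python example over constructed SMTP records (not code from the original post). It assumes "high correlation" means a one-to-one mapping of sender address to recipient for VERP, and many mostly-rejected RCPTs from one IP to one receiving domain for dictionary attacks; the record layout, function names and thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed sample records: (sending_ip, mail_from, rcpt_to, rcpt_accepted)
SAMPLE = [
    ("192.0.2.10", "bounce-alice=example.org@news.example.com", "alice@example.org", True),
    ("192.0.2.10", "bounce-bob=example.org@news.example.com", "bob@example.org", True),
    ("192.0.2.10", "bounce-carol=example.net@news.example.com", "carol@example.net", True),
    ("198.51.100.7", "x@spam.example", "aaron@example.org", False),
    ("198.51.100.7", "x@spam.example", "abby@example.org", False),
    ("198.51.100.7", "x@spam.example", "adam@example.org", False),
    ("198.51.100.7", "x@spam.example", "alice@example.org", True),
    ("203.0.113.5", "dave@corp.example", "alice@example.org", True),
    ("203.0.113.5", "dave@corp.example", "bob@example.org", True),
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def rcpt_stats(records, key):
    """Total and bad RCPT counts per entity; key(record) picks the entity."""
    stats = defaultdict(lambda: {"total": 0, "bad": 0})
    for rec in records:
        s = stats[key(rec)]
        s["total"] += 1
        s["bad"] += 0 if rec[3] else 1
    return dict(stats)

def verp_senders(records, min_rcpts=3):
    """Sending domains where every recipient sees its own sender address."""
    senders, rcpts, pairs = defaultdict(set), defaultdict(set), defaultdict(set)
    for _ip, mail_from, rcpt, _ok in records:
        d = domain(mail_from)
        senders[d].add(mail_from.lower())
        rcpts[d].add(rcpt.lower())
        pairs[d].add((mail_from.lower(), rcpt.lower()))
    return sorted(d for d in rcpts
                  if len(rcpts[d]) >= min_rcpts  # assumed threshold
                  and len(senders[d]) == len(rcpts[d]) == len(pairs[d]))

def dictionary_attackers(records, min_rcpts=3, bad_ratio=0.5):
    """(sending IP, receiving domain) pairs with many, mostly bad, RCPTs."""
    stats = rcpt_stats(records, key=lambda r: (r[0], domain(r[2])))
    return sorted(k for k, s in stats.items()  # thresholds are assumptions
                  if s["total"] >= min_rcpts and s["bad"] / s["total"] >= bad_ratio)

if __name__ == "__main__":
    print(verp_senders(SAMPLE), dictionary_attackers(SAMPLE))
```

On real traffic the thresholds need tuning against a baseline, since a legitimate list server sending to stale addresses also produces bad RCPTs.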