I'm looking for some (hopefully) trivial clarification by the developer(s) about the plugin's logic. It's about the logic of the http:BL plugin which uses the same two threshold / cutoff values as the API, of course: age and threat level. What I don't understand is the logic of the age evaluation. There are two possible scenarios:
- That value serves as a outer limit of a period akin to parole in a criminal law sense - i.e. if a visiting IP has been seen elsewhere and within this set period by the API with "bad" activity, then that particular IP will be blocked;
- That value serves as the outer limit of a grace period; i.e. if a visiting IP has been seen elsewhere and within this period then it will be allowed in.
The significance is this: if it's the first of the two, then a higher value means better protection (the net is wider, as it catches older offenders while it always catches recent ones). If however it's the second, then a lower value means better protection.
The snag with case #2 is that unless the value is set to zero the typically more serious / troubling very recent offenders that were seen earlier in the same day (think e.g. a botnet attack) are off the hook... Case#2 makes little sense to me, but someone told me that that is how it works.