I'm noticing a lot of "Unrouteable address" lines in my exim4 rejectlog these days, and I just had a thought: wouldn't this be an excellent way to detect spammers? I did some googling but couldn't find anything quite like what I'm thinking of. The basic idea is simple:

1) Keep a list of IPs and how many attempts to send to an invalid address they've made. IPs that have made more than N attempts are most likely spammers. But we can get more advanced than that.

2) Also keep a list of how many emails each IP has sent to valid addresses. IPs with a high ratio of invalid/valid attempts are likely spammers.

3) Keep a list of the usernames they're blindly sending to. After a while you can derive the actual list the spammers are using. You can then give IPs a weighted score based on the usernames sent to. Though you'd definitely need to keep track of deleted/changed usernames and mail aliases on your domain and whitelist them; you don't want a deleted email address that was getting a lot of legit email to throw things off.

This should work very well on small domains with only one or two addresses in use (like mine), may still work okay on a small company or ISP's domain, and probably won't work at all on a large busy domain.

Make a DNS blacklist out of this, and you've got yourself another metric for automated detection of spammer IPs. Completely passive, undetectable; get enough small sites submitting to the database and the spammer's only defense is to stop rumpelstiltskinning, at least unless they know it's a big domain...

Time for some Perl and SQL...

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
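
The three counters proposed in the message above, sketched as an added example that is not the poster's code, in Python rather than the Perl and SQL mentioned. The log lines are constructed in the usual exim4 rejectlog/mainlog layout; score_ips, the thresholds, the +1 smoothing and the weighting by number of distinct probing IPs are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in exim4 rejectlog/mainlog layout (not real traffic).
SAMPLE_LOG = """\
2024-05-01 10:00:01 H=(foo) [203.0.113.5] F=<a@bulk.example> rejected RCPT <sales@example.org>: Unrouteable address
2024-05-01 10:00:02 H=(foo) [203.0.113.5] F=<a@bulk.example> rejected RCPT <info@example.org>: Unrouteable address
2024-05-01 10:00:03 H=([192.0.2.99]) [203.0.113.5] F=<a@bulk.example> rejected RCPT <webmaster@example.org>: Unrouteable address
2024-05-01 10:04:00 H=mail.friend.example [198.51.100.7] F=<al@friend.example> rejected RCPT <sales@example.org>: Unrouteable address
2024-05-01 10:05:00 1s2Abc-0001De-Fg <= al@friend.example H=mail.friend.example [198.51.100.7] P=esmtps S=2345
2024-05-01 10:06:00 1s2Abd-0001Dk-Hi <= al@friend.example H=mail.friend.example [198.51.100.7] P=esmtps S=1811
2024-05-01 10:07:00 1s2Abe-0001Dq-Jk <= al@friend.example H=mail.friend.example [198.51.100.7] P=esmtps S=990
2024-05-01 10:09:00 H=(bar) [203.0.113.9] F=<b@old.example> rejected RCPT <olduser@example.org>: Unrouteable address
"""

# The peer address is the bracketed value preceded by a space; a bracketed
# HELO literal such as H=([192.0.2.99]) is sender-controlled and is skipped.
IP = r" \[(?P<ip>[0-9a-fA-F.:]+)\]"
REJECT = re.compile(IP + r".*? rejected RCPT <(?P<rcpt>[^>]+)>: Unrouteable address")
ACCEPT = re.compile(r" <= \S+ H=.*?" + IP)

def score_ips(log_text, whitelist=frozenset(), min_invalid=3, min_ratio=2.0):
    """Return {ip: stats} for every IP that hit a non-whitelisted invalid address."""
    invalid = defaultdict(list)  # ip -> local parts it tried (points 1 and 3)
    valid = Counter()            # ip -> accepted messages (point 2)
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            user = m["rcpt"].split("@")[0].lower()
            if user not in whitelist:  # deleted/changed addresses do not count
                invalid[m["ip"]].append(user)
        elif m := ACCEPT.search(line):
            valid[m["ip"]] += 1
    # Point 3: a local part probed by several distinct IPs weighs more.
    probers = Counter(u for users in invalid.values() for u in set(users))
    report = {}
    for ip, users in invalid.items():
        ratio = len(users) / (valid[ip] + 1)  # +1 avoids division by zero
        report[ip] = {
            "invalid": len(users), "valid": valid[ip], "ratio": ratio,
            "weighted": sum(probers[u] for u in users),
            "suspect": len(users) >= min_invalid and ratio >= min_ratio,
        }
    return report

if __name__ == "__main__":
    for ip, stats in score_ips(SAMPLE_LOG, whitelist={"olduser"}).items():
        print(ip, stats)
```

On the sample, the host that also delivers legitimate mail stays below both thresholds despite one bad recipient, and the hit on the whitelisted former address is ignored entirely.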