>>The idea, still very rough, is to detect for $today, a "large" numbers of
Why couldn't you look for more than 25 tcp connections from an IP. Run the report for a week or longer so you can determine legitimate mail from lists. Then you would whitelist those IPs and once that is setup block any IP that makes more than 25 connections. Andrew P. Kaplan www.cshore.com Get the fastest DSL in Connecticut. $39.95 a month NO CONTRACTS TO SIGN http://www.cshore.com/services/dsl.cfm
