Another suggestion: Why not set up a spamtrap system?

With an /etc/alias pipe to some Perl with a regex to catch your domain and a lookup to (this is the critical bit) your billing db/radius/whatever to see who is assigned the address at the time, you could block that user in real time (or at the next re-authentication time). I would also keep the email content in a db for evidence purposes, i.e. so you can present the customer with the spam that was relayed through their zombie.

If having this entirely automated is too scary, then put it into a db and have a human look at it. When presented with the facts that customerA, who was using this IP at the time, sent this spam to our spamtrap address and has done so 15 times this week, it should be a clear-cut decision.

Well over 50% of spam these days is going through zombies produced by viruses like Mimail rather than open relays or proxies. The majority of affected machines reside in large foreign ISPs' dsl/cable/dynamic/pool address blocks. If the ISPs in charge of ranges like:

dsl.chcgil.ameritech.net
dynamic.hinet.net
dsl.lsan03.pacbell.net
dip.t-dialin.net
dsl.emhril.ameritech.net
dsl.telesp.net.br
phil.east.verizon.net
user.veloxzone.com.br
client.comcast.net
ap.plala.or.jp

would do this, it would cut our incoming spam by > 50%. Of course, you can do the same with access.db/host_reject_recipients et al. on your side.

Regards
--
Donovan Jones
Network Engineer
Comnet Networks
+64-4-569 0060
http://www.comnet.co.nz
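The lookup described in the message above, as an added sketch that is not part of the original post and is written in Python rather than the Perl it mentions. The pool domain `pool.isp.example`, the session records, the sample message and all function names are constructed assumptions; only the topmost `Received` header is read, because that is the one the trap's own MTA wrote.

```python
import email
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: customer pools reverse-resolve under pool.isp.example. Match the
# "(rdns [ip])" part recorded by our MTA, not the HELO name the sender chose.
OUR_POOL = re.compile(r"\(\S*\.pool\.isp\.example \[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed RADIUS accounting sessions: (user, ip, start, stop).
# The same dynamic address is held by two customers on the same night.
SESSIONS = [
    ("customerA", "192.0.2.45", utc(2004, 1, 12, 20, 0), utc(2004, 1, 12, 23, 30)),
    ("customerB", "192.0.2.45", utc(2004, 1, 12, 23, 45), utc(2004, 1, 13, 6, 0)),
]

# Constructed spamtrap delivery, as the alias pipe would receive it on stdin.
SPAM = (
    "Received: from mail.bank.example (adsl-45.pool.isp.example [192.0.2.45])\n"
    "\tby trap.isp.example; Tue, 13 Jan 2004 12:50:00 +1300\n"
    "From: x@example.com\nTo: trap@isp.example\nSubject: test\n\nbody\n"
)

def relay_from_our_pool(raw):
    """Return (ip, time) if the header our MTA added names one of our pools."""
    received = email.message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    top = received[0]  # lower headers are sender-supplied and may be forged
    match = OUR_POOL.search(top)
    if not match or ";" not in top:
        return None
    return match.group(1), parsedate_to_datetime(top.rsplit(";", 1)[1].strip())

def who_had(ip, when, sessions=SESSIONS):
    """Map an address to the account that held it at that instant."""
    for user, session_ip, start, stop in sessions:
        if session_ip == ip and start <= when <= stop:
            return user
    return None

def attribute(raw):
    """Build the evidence record to store for review or automated blocking."""
    hit = relay_from_our_pool(raw)
    if hit is None:
        return None
    ip, when = hit
    return {"user": who_had(ip, when), "ip": ip, "seen": when, "evidence": raw}
```

The timestamp is compared as an absolute time, so the +1300 header resolves to 23:50 UTC and lands in customerB's session rather than customerA's earlier one on the same address.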