Peter, I think that focussing just on spam is misleading. Although it is currently the most profitable use of botnets, other uses are already demonstrated, such as DDoS, distributed password/encryption cracking, phishing - which could work without spam in several scenarios (e.g. changing HOSTS on the local PC, hacking DNS servers, etc..) - and most of these would tend to give spammers a way to make money without spam. So it is important to find out what they are doing and how many there are. Frank, I applaud your system. By your fast response you even get rid of the problem with static vs. dynamic IP addresses. As long as the major business for botnets is spam, this will continue to work. Of course if only a small set of providers use it, spammers will simply stop using your mailserver to send spam, once it begins to hurt them. Yes, it is relatively trivial to get the IP from the full mail headers (although it is safer to check the IP during the SMTP conversation - I once did a test and there was a difference of about 1% where IP addresses did not match) I even once wrote a system in 2004 to analyze each mail, check whois, find out the abuse email address and send an automatically generated abuse report there... used it for a few months, but as there was absolutely no reponse (well, some email providers complained that they cannot control what their users do...) I stopped it. Our system could be used in a similar way, but tracks even inactive bots which are currently not used to send out spam. Of course they need to generate some other traffic, the nature of which is currently not well understood. Best, Alex -- Dr. Alexander K. Seewald Seewald Solutions www.seewald.at Tel. +43(664)1106886 Fax. +43(1)2533033/2764