The site runs OpenBSD 4.1, Python 2.4, and has few valid mail addresses since almost all of them are mailing lists. I have put site scripts in /site/bin.
/etc/newsyslog.conf has a modified line:
    /var/log/maillog 600 7 * 24 Z "/site/bin/post-maillog-rotate"
so every time the mail logs are rotated, /site/bin/post-maillog-rotate is executed to extract invalid user names from /var/log/maillog.0. It keeps the list of all invalid users (domain stripped) in /var/db/spamtrap_users, and produces a list /var/db/spamtrap_patterns that is read by /site/bin/greyscanner. The file /etc/mail/spamtrap_protected is used as an exclusion list of usernames that may not be used as trap names. For a site with many valid user names the generation of this list will probably have to be automated.
The conversion from the user name list to the pattern list is done by /site/bin/users2patterns. It builds prefix and suffix trees of the names and then creates prefix and suffix patterns.
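One way the prefix and suffix tree step could work, as an added Python 3 example that is not the site's own users2patterns. The thresholds MIN_LEN and MIN_COUNT, the glob-style output, and the rule that drops any pattern matching a protected name are assumptions, and the sample names are constructed.

```python
MIN_LEN = 4    # assumed: shortest shared stem worth turning into a pattern
MIN_COUNT = 3  # assumed: trap names that must share a stem

def _trie(names):
    root = [0, False, {}]  # [names below, a name ends here, children]
    for name in names:
        node = root
        node[0] += 1
        for ch in name:
            node = node[2].setdefault(ch, [0, False, {}])
            node[0] += 1
        node[1] = True
    return root

def _stems(names):
    """Stems (>= MIN_LEN chars) at which >= MIN_COUNT names first diverge."""
    found, stack = [], [("", _trie(names))]
    while stack:
        stem, (count, is_end, kids) = stack.pop()
        if count < MIN_COUNT:
            continue
        if len(stem) >= MIN_LEN and len(kids) + is_end > 1:
            found.append(stem)  # names diverge here: stop generalizing
        else:
            stack.extend((stem + ch, kid) for ch, kid in kids.items())
    return found

def _hits(name, kind, stem):
    return name.startswith(stem) if kind == "prefix" else name.endswith(stem)

def users2patterns(trap_names, protected):
    protected = set(protected)
    names = set(trap_names) - protected
    pats = [("prefix", s) for s in _stems(names)]
    # Suffix tree: the same trie built over the reversed names.
    pats += [("suffix", s[::-1]) for s in _stems({n[::-1] for n in names})]
    # A generalized pattern must never trap a protected (valid) user name.
    pats = [p for p in pats if not any(_hits(v, *p) for v in protected)]
    literals = [n for n in names if not any(_hits(n, *p) for p in pats)]
    globs = [s + "*" if k == "prefix" else "*" + s for k, s in pats]
    return sorted(globs + literals)

# Constructed sample data, not taken from any real log.
SAMPLE_TRAPS = ["sales1", "sales2", "sales99", "bob-web", "alice-web",
                "carol-web", "xyzzy", "postmaster"]
SAMPLE_PROTECTED = ["postmaster", "dave-web"]

if __name__ == "__main__":
    print(users2patterns(SAMPLE_TRAPS, SAMPLE_PROTECTED))
```

With the sample data the suffix stem "-web" is found but not emitted, because it would also match the protected name dave-web; those three trap names stay as literals.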
/site/bin/greyscanner is a modified version of Bob Beck's infamous greyscanner daemon. Here is a diff from greyscanner.41 to /site/bin/greyscanner.
This document is hereby placed in the public domain.