Greytrapping via auto generated patterns

Foundation

The site runs OpenBSD 4.1, Python 2.4, and has few valid mail addresses since almost all of them are mailing lists. I have put site scripts in /site/bin.

Harvesting

/etc/newsyslog.conf has a modified line:

	/var/log/maillog  600  7 * 24   Z "/site/bin/post-maillog-rotate"
so every time the mail logs are rotated, /site/bin/post-maillog-rotate is executed to extract invalid user names from /var/log/maillog.0. It keeps the list of all invalid users (domain stripped) in /var/db/spamtrap_users, and produces a list /var/db/spamtrap_patterns that is read by /site/bin/greyscanner. The file /etc/mail/spamtrap_protected is an exclusion list of user names that may never be used as trap names. For a site with many valid user names, generating this exclusion list will probably have to be automated.

Processing

The conversion of the user name list into a pattern list is done by /site/bin/users2patterns. It builds prefix and suffix trees of the names and then emits the prefixes and suffixes shared by enough names as patterns.
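The following is an added example covering both the Harvesting and the Processing steps above; it is not the site's own post-maillog-rotate or users2patterns script. It is written for Python 3 (the site in the text ran Python 2.4). The sendmail "User unknown" log format, the sample log lines, the protected list, the thresholds (minimum pattern length, minimum number of names sharing a prefix or suffix) and the anchored-regex rendering of the pattern file are all assumptions; the page does not say what format greyscanner expects.

```python
"""
Added example (not the site's /site/bin scripts): harvest invalid recipient
names from a sendmail-style maillog, apply the protected list, and turn the
survivors into prefix and suffix patterns via prefix trees.  Log format,
thresholds and pattern rendering are assumptions, not taken from the page.
"""
import re

# Constructed sample of sendmail "User unknown" rejections; not a real log.
SAMPLE_MAILLOG = """\
Jun 19 03:14:07 mx sendmail[4021]: l5J3E7wq004021: <sales@example.org>... User unknown
Jun 19 03:14:09 mx sendmail[4023]: l5J3E9wq004023: <sales1@example.org>... User unknown
Jun 19 03:15:41 mx sendmail[4030]: l5J3FfwQ004030: <sales2@example.org>... User unknown
Jun 19 03:16:02 mx sendmail[4031]: l5J3G2wq004031: <webmaster@example.org>... User unknown
Jun 19 03:16:55 mx sendmail[4040]: l5J3Gtwq004040: <info-bounce@example.org>... User unknown
Jun 19 03:17:10 mx sendmail[4041]: l5J3HAwq004041: <list-bounce@example.org>... User unknown
Jun 19 03:17:12 mx sendmail[4042]: l5J3HCwq004042: <sales@example.org>... User unknown
Jun 19 03:18:00 mx sendmail[4050]: l5J3I0wq004050: from=<a@b.test>, size=1024, class=0
"""

# Constructed stand-in for /etc/mail/spamtrap_protected.
PROTECTED = ["webmaster", "postmaster", "sales-list"]

# Recipient local part in a sendmail "User unknown" rejection (assumed format).
UNKNOWN_RE = re.compile(r"<([^<>@\s]+)@[^<>\s]+>\.\.\. User unknown")


def harvest_invalid_users(log_text):
    """Local parts rejected as unknown, domain stripped and lower-cased."""
    return {m.group(1).lower() for m in UNKNOWN_RE.finditer(log_text)}


def apply_protected(users, protected):
    """Drop protected names so a real user can never become a trap name."""
    blocked = {p.lower() for p in protected}
    return sorted(u for u in set(users) if u.lower() not in blocked)


def _build_tree(names):
    """Prefix tree; each node records how many names pass through it."""
    root = {"n": 0, "kids": {}}
    for name in names:
        node = root
        node["n"] += 1
        for ch in name:
            node = node["kids"].setdefault(ch, {"n": 0, "kids": {}})
            node["n"] += 1
    return root


def _maximal_prefixes(node, prefix, min_len, min_names, out):
    """Collect the longest prefixes still shared by at least min_names names."""
    deeper = [(c, k) for c, k in node["kids"].items() if k["n"] >= min_names]
    if deeper:
        for ch, kid in deeper:
            _maximal_prefixes(kid, prefix + ch, min_len, min_names, out)
    elif node["n"] >= min_names and len(prefix) >= min_len:
        out.append(prefix)


def users2patterns(users, min_len=3, min_names=2):
    """Prefix patterns from the names, suffix patterns from the reversed names."""
    if min_len < 1:
        raise ValueError("min_len must be at least 1 or every name matches")
    names = list(users)
    prefixes, tails = [], []
    _maximal_prefixes(_build_tree(names), "", min_len, min_names, prefixes)
    _maximal_prefixes(_build_tree(n[::-1] for n in names), "", min_len, min_names, tails)
    return {"prefix": sorted(prefixes), "suffix": sorted(t[::-1] for t in tails)}


def render_patterns(patterns):
    """Anchored regexes, one per line: an assumed spamtrap_patterns format."""
    lines = ["^" + re.escape(p) for p in patterns["prefix"]]
    lines += [re.escape(s) + "$" for s in patterns["suffix"]]
    return lines


def is_trap_candidate(local_part, patterns, protected):
    """Would this recipient be treated as a trap?  Protected names never are."""
    name = local_part.lower()
    if name in {p.lower() for p in protected}:
        return False
    return (any(name.startswith(p) for p in patterns["prefix"])
            or any(name.endswith(s) for s in patterns["suffix"]))


if __name__ == "__main__":
    kept = apply_protected(harvest_invalid_users(SAMPLE_MAILLOG), PROTECTED)
    for line in render_patterns(users2patterns(kept)):
        print(line)
```

The tree walk descends while at least `min_names` names still share the prefix and emits a pattern only at the deepest such node, so `sales`, `sales1` and `sales2` collapse to the single prefix `sales` rather than three near-duplicates; the same walk over reversed names yields the suffix `-bounce`. Raising `min_names` makes the generated patterns more conservative, which matters because every pattern widens the set of addresses greyscanner will treat as traps.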

Trapping

/site/bin/greyscanner is a modified version of Bob Beck's infamous greyscanner daemon; here is a diff from greyscanner.41 to /site/bin/greyscanner.

Copyright

This document is hereby placed in the public domain.