End users are often unaware that their systems have been
compromised and are being used to relay bulk unsolicited email (spam).
However, automated processing of the email logs recorded on the
"smarthost" provided by an ISP for its customers' outgoing email can
be used to detect this activity. These logs do not contain any of the
content of the email, or even the subject lines. However, the
variability and obfuscation of sender and receiver that spammers use
to avoid detection at the destination create distinctive
patterns at the source that permit legitimate email traffic to be
distinguished from spam. Some relatively simple heuristics produce
low numbers of "false positives" despite being tuned to
ensure few "false negatives".
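
The kind of log processing described above, as an added example that is not code from the original text: it aggregates envelope-only smarthost log lines per customer address and flags sources whose sender variability or delivery failure rate stands out. The log format, the two heuristics, the thresholds and all function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical, simplified smarthost format.
# Envelope data only: no message content and no subject lines.
SAMPLE_LOG = """\
2024-01-01T09:00:01 192.0.2.5 from=<alice@example.org> to=<bob@example.com> status=delivered
2024-01-01T09:05:12 192.0.2.5 from=<alice@example.org> to=<carol@example.net> status=delivered
2024-01-01T09:30:40 192.0.2.5 from=<alice@example.org> to=<dave@example.com> status=delivered
2024-01-01T10:02:03 192.0.2.5 from=<alice@example.org> to=<erin@example.net> status=delivered
2024-01-01T09:00:02 192.0.2.9 from=<qx71@example.net> to=<john1@example.com> status=failed
2024-01-01T09:00:02 192.0.2.9 from=<sales.k3@example.org> to=<john2@example.com> status=failed
2024-01-01T09:00:03 192.0.2.9 from=<r8812@example.com> to=<john3@example.com> status=delivered
2024-01-01T09:00:03 192.0.2.9 from=<info-zz@example.net> to=<mary1@example.net> status=failed
2024-01-01T09:00:04 192.0.2.9 from=<v0v0@example.org> to=<mary2@example.net> status=delivered
"""

LINE_RE = re.compile(
    r"^\S+ (?P<src>\S+) from=<(?P<sender>[^>]*)> to=<[^>]*> status=(?P<status>\w+)$"
)

def summarise(log_text):
    """Aggregate per-source envelope statistics from the log text."""
    stats = defaultdict(lambda: {"senders": set(), "total": 0, "failed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not parse
        s = stats[m["src"]]
        s["senders"].add(m["sender"].lower())
        s["total"] += 1
        s["failed"] += m["status"] != "delivered"
    return stats

def flag_sources(log_text, max_senders=3, max_fail_ratio=0.5, min_msgs=4):
    """Return {source_ip: [reasons]} for sources whose traffic looks relayed."""
    flagged = {}
    for src, s in summarise(log_text).items():
        if s["total"] < min_msgs:
            continue  # too little traffic to judge either way
        reasons = []
        if len(s["senders"]) > max_senders:  # assumed threshold
            reasons.append("many distinct senders")
        if s["failed"] / s["total"] > max_fail_ratio:  # assumed threshold
            reasons.append("high delivery failure ratio")
        if reasons:
            flagged[src] = reasons
    return flagged
```

Raising `max_senders` and `max_fail_ratio` trades false positives for false negatives, which is the tuning trade-off the text refers to.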