Before anyone flames me I asked the moderators if this would be appropriate to post. The answer was "Sure". For several months we have experienced massive amounts of persistent smtp connections from a forged from address from various dialup accounts around the USA. With the help from one of these ISP's it was found to be a program that preports to scan various search engines, like four11, based upon a user supplied search criteria and generates a mail list. When a user would run this program is when we would see the smtp connections. Yet the user was unaware of this. In conversation with this user they were not aware of anything other than polling of these search engines and the generation of a mail list. I obtained a copy of the program and looked at the code. It has hundreds of domain names as well as the forged from address. A phone call to the distributor as well as the company that produces this program, they all say "all it does is query several search engines like four11". When I confronted them about the hundreds of domain names in their code and the forged from address they claimed ignorance. In conclusion, I have not run the program personaly and the above are my observations from looking at the code. For those of you who are interested in this fee free to email me and I will supply you with the url and program name. A hint to see if you or your users or your systems have been the victim of this program is a from address of savings.com in your sendmail logs.