1 The arrival of any piece of unsolicited and unwanted email (spam) into a user's email inbox is a problem. It results in real costs to organisations and possibly an increasing reluctance to use email by some users. Currently most spam prevention techniques rely on methods that examine the whole email message at the mail server. This paper describes research that aims to deny spam entry into the internal network in the first place. Examination of live amalgamated audit logs from a Linux kernel firewall, the PortSentry intrusion detection system and the Sendmail mail transfer agents has shown that it is possible that automated mailing programs send characteristic probes to the network gateway just before launching an avalanche of mail. Similarly it seems possible to detect precursor activity from some potential zombie machines. A real time system that could detect such activity needs to be certain that a particular IP address is about to send spam before blocking all of its packets...