RE: Interesting new spam technique - getting a lot more popular.

Has anyone considered using sFlow to detect this type of bad behavior? Many
layer 2 switches vendors mentioned in the discussion support sFlow (see for a list).

sFlow operates at layer 2 (think of it as a kind of remote sampled mirror
port capability that lets you capture the first 128 bytes of Ethernet frames
from every l2/l3 switch port in the data center). Information that you could
get from sFlow that is relevant to the discussion include: ingress switch
port, source and destination mac addresses, vlans, ip addresses, ARP targets
and senders, layer 4 protocol and ports.