There are various ways to detect fake hosts or better host IPs that either temporarily or permanently distribute fake content.
One of the most easiest is to search for random character sequences that just don't form a valid word. Other ways are to check against bitzi if the file hashes are known to be fakes. Also it is suspicious if you get various results from host all coming from the same class C subnet, or with IPs very close together. Also if you like to dig deeper into the Gnutella protocol you could look for certain message package characteristics that give you hints about fake content.
Gregor
__________________ |