A system continually monitors service requests and detects service abuses. First, a screening list is created to identify potential abuse events. A screening list includes event IDs and associated count values. A pointer cyclically selects entries in the table, advancing as events are received. An incoming event ID is compared with the event IDs in the table. If the incoming event ID matches an event ID in the screening list, the associated count is incremented. Otherwise, the count of a selected table entry is decremented. If the count value of the selected entry falls to zero, it is replaced with the incoming event. Event IDs can be based on properties of service users, such as user identifications, or of service request contents, such as a search term or message content. The screening list is analyzed to determine whether actual abuse is occurring.