In one embodiment, a method comprises computer-implemented steps of receiving a plurality of electronic mail messages containing sender address information that is non-trusted. For each electronic mail message, information about the message is stored, and one or more receiving node identifiers in association with respective connected node identifiers is created, wherein the receiving node identifier identifies receiving mail server that received the particular message and the connected node identifier identifies a connected mail server that directly connected to the receiving node identifier to send the particular message directly to the receiving mail server. For each electronic mail message a receiving node identifier that has a largest number of connected node identifiers associated therewith is selected, and a connected node identifier that is associated with the one particular receiving node identifier that sent the particular message to the associated receiving node is selected and stored.