barnabythe first idea could potentially be expanded to automatically detecting phishing attempts from client_ids using, say, punycode or subdomains for imitation. look through all known client_ids and see if the new client_id looks like it’s trying to imitate one
