1) Set up a mirror and register that you offer mirror services for XYZ networks or domains ("This mirror will work for .gov.edu. and boxes from 10.1.0.0"). The ability to say that you give preference to certain networks or domains helps clients get faster downloads, but it has its downside.
2) For most people, have a real mirror that they can get packages from. For the specific subnet/domain, have it log and see what is asked for. With a profile you can see how successful a trojan set would be.
3) Wait for a client to get to you eventually. The best bet would be to wait for the guy who turned off gpgcheck etc. in their yum updates because they had a problem sometime in the past, and "who needs it".
4) Have your trojan app replace some config files and start slowly probing the network it is on to find out what it can spread to. <EG Profit>
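The scenario only works against the client in step 3, the one with gpgcheck turned off. An audit that lists enabled yum repos whose effective gpgcheck is off, as an added example that is not part of the original text; the file names, repo ids and URLs in the sample are constructed, and treating an unset gpgcheck as disabled is an assumption made here to stay conservative.

```python
import configparser

TRUE = {"1", "yes", "true"}  # values counted as "check enabled"

def _parse(text):
    # interpolation=None: repo URLs may contain '%'; strict=False tolerates duplicates
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def unsigned_repos(main_conf, repo_files):
    """Return (file, repo_id) pairs for enabled repos that skip package signature checks.

    main_conf: text of yum.conf; repo_files: {filename: text of a .repo file}.
    Assumption: a gpgcheck that is set nowhere counts as disabled and is flagged.
    """
    main = _parse(main_conf)
    # [main] gpgcheck is the default that every repo inherits unless it overrides it
    default = main.get("main", "gpgcheck", fallback="0")
    sources = {"yum.conf": main}
    sources.update({name: _parse(text) for name, text in repo_files.items()})
    findings = []
    for name, cp in sources.items():
        for repo in cp.sections():
            if repo == "main":
                continue
            if cp.get(repo, "enabled", fallback="1").strip().lower() not in TRUE:
                continue  # a disabled repo is never used for updates
            value = cp.get(repo, "gpgcheck", fallback=default)
            if value.strip().lower() not in TRUE:
                findings.append((name, repo))
    return findings

# Constructed sample input, not taken from any real system.
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPOS = {
    "base.repo": "[base]\nname=Base\nbaseurl=http://mirror.example.invalid/base/\n",
    "extras.repo": (
        "[extras]\nname=Extras\nbaseurl=http://mirror.example.invalid/extras/\n"
        "gpgcheck=0\n"
        "[extras-debug]\nname=Debug\nenabled=0\ngpgcheck=0\n"
    ),
}

if __name__ == "__main__":
    for filename, repo in unsigned_repos(SAMPLE_MAIN, SAMPLE_REPOS):
        print(f"{filename}: [{repo}] installs packages without a signature check")
```

To audit a real host, pass the contents of /etc/yum.conf and of each file under /etc/yum.repos.d/ in place of the sample strings.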