procmail

Approaches to filtering spam

1996-10-30 10:10:48

I'm trying to build a semi-effective spam barrier using Procmail (at least,
it should filter most of the known stuff, and subsequently avoid repeat
offenders).

I have a rule for submitting the "tag" or address portion to use to filter
on (say "cyberpromo.com").  Of course, the rest of the filter is still
currently hardcoded for each individual instance.

I'd like to be able to search several fields for this information:

FROM/TO often work for the basic lamer spam.

SENDER and REPLY-TO work for some others

COMMENT (specifically "Authenticated sender is") is often handy for
isolating those who forge the rest of the message, but isn't always present
- nor can it always be relied upon.

I was also considering searching through the received-by headers to locate
the offending domains (this of course only works for domain blockouts, such
as cyberpromo).

And finally, MESSAGEID is sometimes useful in isolating where they were
actually posting the message through (which would help determine which of
the above addresses to zero in on).


Can anybody offer suggestions on the best order to use for determining the
true "from" (possibly with the intent of sending a "REMOVE ME" message, but
primarily for the purpose of junking the message)?

Thanks.

  • Approaches to filtering spam, Professional Software Engineering - Lists account <=
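
The multi-header search described in the post, as an added example that is not part of the original message and is written in Python rather than as a Procmail recipe. The function names, the sample message and the use of the "Comments" field for the "Authenticated sender is" line are assumptions made for illustration.

```python
import re
from email import message_from_string

# Header fields named in the post, in the order it lists them. "Comments" is
# assumed to be the field that carries "Authenticated sender is".
FIELDS = ["From", "To", "Sender", "Reply-To", "Comments", "Received", "Message-ID"]

# Any dotted token; this also picks up IP literals, which never match a tag.
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def hosts_in(value):
    """Return every dotted host name found in a header value, lowercased."""
    return {h.lower() for h in HOST_RE.findall(str(value))}

def matching_fields(raw_message, tags):
    """Map each header field to the blocked tags found in it.

    A tag matches the domain itself and any subdomain, but not a longer
    name that merely ends in the same letters (notcyberpromo.com).
    """
    msg = message_from_string(raw_message)
    hits = {}
    for field in FIELDS:
        for value in msg.get_all(field, []):   # Received usually repeats
            for host in hosts_in(value):
                for tag in tags:
                    if host == tag or host.endswith("." + tag):
                        hits.setdefault(field, set()).add(tag)
    return hits

# Constructed sample: From/To are forged, but the relay left its name in
# Received, Comments and Message-ID.
SAMPLE = """\
Received: from relay.cyberpromo.com (relay.cyberpromo.com [192.0.2.10])
\tby mx.example.net with SMTP; Wed, 30 Oct 1996 10:10:48 -0500
From: friend@example.org
To: friend@example.org
Comments: Authenticated sender is <bulk@cyberpromo.com>
Message-ID: <199610301510.KAA01234@relay.cyberpromo.com>
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for field, tags in matching_fields(SAMPLE, ["cyberpromo.com"]).items():
        print(f"{field}: {', '.join(sorted(tags))}")
```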