John Conover <john(_at_)johncon(_dot_)johncon(_dot_)com> writes:
> ...
> How about ...
>
> #
> # If there is no "^To:" record in the message, then the message is,
> # almost certainly, junk mail.
> #
> :0:
> * !^To:.*
> junk

Why people insist on putting ".*" at the end of a regular expression I'll
never understand, especially when they do nothing but slow things down.

> since the "^Apparently-To:" header record is inserted by sendmail in the
> absence of a "To:" header.

Not quite. An Apparently-To: header is inserted iff there are no
recipient headers at all, including To:, Cc:, Bcc:, and the Resent-
forms of all three of those. Furthermore, as of sendmail 8.7, the
default is to not insert an Apparently-To: header, but rather to leave
the message bare of recipient headers, though this is configurable via
the "NoRecipientAction" option.
Anyway, the point is that you should at least check for "Resent-To:" as
well as "To:", and should probably also check for "Cc:" and
"Resent-Cc:":

    :0:
    * ! ^(Resent-)?(To|Cc):
    junk

Though I will note that most of the spam I've seen 'recently' (past
several months) seems to simply have a bogus To: header, something
like:

    To: many-recipients: ;

I.e., an empty group declaration. Checking for *that* won't work
however, as one of the options for "NoRecipientAction" (from above)
is to add a To: header of:

    To: undisclosed-recipients: ;

There is no technical solution.
Philip Guenther
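
The checks discussed in this message, run over constructed messages, as an added example (not part of the original post and not procmail's own code). The sample messages, the function names and the empty-group pattern are assumptions; joining folded header lines is a simplification of how the header is matched.

```python
import re

# Constructed sample messages (not from the thread); only the header matters.
SAMPLES = {
    "no_recipients": "From: a@example.com\nSubject: hi\n\nbody\n",
    "resent_only": "From: a@example.com\nResent-To: b@example.net\n\nbody\n",
    "bogus_group": "From: a@example.com\nTo: many-recipients: ;\n\nbody\n",
    "mta_group": "From: a@example.com\nTo: undisclosed-recipients: ;\n\nbody\n",
    "normal": "From: a@example.com\nTo: b@example.net\n\nbody\n",
}

# Conditions from the two recipes, without the leading "!" (procmail's
# inversion) and without the redundant ".*". procmail matches header
# conditions case-insensitively by default, hence re.I.
TO_ONLY = re.compile(r"^To:", re.I | re.M)
ANY_RECIPIENT = re.compile(r"^(Resent-)?(To|Cc):", re.I | re.M)
# Assumed pattern for an empty group declaration such as "name: ;".
EMPTY_GROUP = re.compile(r"^To:[ \t]*[^:;,<>@\n]+:[ \t]*;[ \t]*$", re.I | re.M)


def header_of(raw):
    """Return the header block with folded continuation lines joined."""
    head = raw.split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head)


def classify(raw):
    """Report what each check concludes about one message."""
    head = header_of(raw)
    return {
        "junk_by_to_only": TO_ONLY.search(head) is None,
        "junk_by_any_recipient": ANY_RECIPIENT.search(head) is None,
        "empty_group_to": EMPTY_GROUP.search(head) is not None,
    }


def report():
    """Classify every sample; returns {sample name: result dict}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:14} {result}")
```

The resent-only sample is filed as junk by the To:-only condition but not by the four-header one, and the two empty-group samples produce identical results.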