procmail

Multiple "Received: from" domains as spam flag?

1998-01-08 16:10:56
Question... Assume that I handle subscribed mailing lists
at the beginning of my procmail mail filter.  (Mailing lists
all seem to have their own rules for monkeying with headers)
Is there any other circumstance in which I should see email
being relayed to me via an intermediate site?  If not, then
2 or more "Received: from" lines in the message headers
(excluding my own ISP, of course) is an excellent algorithm
for catching relayed spam.

  Some spammers add forged headers in an attempt to hide their
tracks.  As an extra bonus, the multi-Received: algorithm would
result in ordinary 1-hop spam being trapped because the forged
headers would make it look like a relay.

  The only thing I'm vague on is how to do the counting.  In my
case, my ISP is "interlog".  I want to count lines that contain
"Received: from" but *NOT* "interlog." (Note: Interlog owns
*BOTH* interlog.com and interlog.net domains.  One or both of
them may show up in email headers that I get).  I assume that
the two conditions...

 * ^Received:.from
 * !interlog\.(com|net)

  should combine to match the non-interlog "Received: from"
lines.  How do I check for > 1 such line, to divert the message
to my OOPS file (which I clean out once every so often)?


-- 
Walter Dnes (Toronto)
<waltdnes(_at_)interlog(_dot_)com>
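
One way to do the counting the post asks about, as an added example
that is not part of the original message: procmail's scoring
conditions.  A condition of the form "w^x regexp" adds w for the
first match and w*x^(n-1) for the n-th, so with exponent 1 every
matching line adds w and the condition counts lines, while with
exponent 0 only the first match counts.  The recipe runs when the
total is greater than zero.  The OOPS mailbox and the interlog.com /
interlog.net domains are taken from the post; the arithmetic below
is this example's, not the poster's recipe.

```procmail
# Added example (not from the original post).  Divert a message to OOPS
# when it carries two or more "Received: from" lines that do not
# mention interlog.com or interlog.net.
#
# Score = (all "Received: from" lines)
#       - (those that mention interlog.com or interlog.net)
#       - 1 (subtracted once, if any "Received: from" line exists)
# which is positive exactly when at least two non-interlog lines remain.
# Conditions without the B flag match the header only; procmail's "^"
# anchors at the start of any header line, and regexps are
# case-insensitive by default.
:0:
* 1^1  ^Received: from
* -1^1 ^Received: from .*interlog\.(com|net)
* -1^0 ^Received: from
OOPS
```

Two caveats.  "." in procmail does not match a newline, so an interlog
host named only on a folded continuation line of a Received: header is
not subtracted and the line counts as a foreign hop.  And any
legitimate extra hop (a secondary MX for the ISP, a forwarding
address) adds a "Received: from" line just as a relay does, so the
recipe belongs after the mailing-list handling, as the post assumes,
and the OOPS mailbox should be reviewed rather than discarded.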
