procmail

Re: Multiple "Received: from" domains as spam flag?

1998-01-08 17:14:52
Walter Dnes wants to mark as suspected spam any incoming mail not from
subscribed lists that has two or more Received: lines that do not name his
domain, which is known as both interlog.net and interlog.com.

|  * ^Received:.from
|  * !interlog\.(com|net)

That will catch no mail at all.  Everything addressed to you, Walter, names
interlog.com or interlog.net somewhere in the head, namely the topmost
Received: line (and if it isn't a blind carbon, also To: or Cc:).

Try something like this:

  :0
  * 1^1 ^Received:
  * -1^1 ^Received:(.*\>)?interlog\.(com|net)
  * -1^0
  routine_for_too_many_received_lines

Explanation:

Score 1 for every Received: header; then subtract 1 for every Received:
header that names interlog.  At this point the score is the number of
Received: headers that do not name interlog.  If there is only one, that
is acceptable, so adjust the total so that only differences of two or
greater will still have positive scores at the end of the recipe.

Some legitimate mail does career around inside its own domain before getting
out, and some needs an extra hop to get to the smarthost, so you might want
to forgive more than one extra Received: line and change the weight of the
last condition to -2 or -3.
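
The score arithmetic of the recipe above, modelled in Python as an added example (not part of the original message and not procmail's own code). The function names, the `forgive` parameter and the sample headers are constructed for illustration, and the model assumes folded header fields are matched as a single line.

```python
import re

FLAGS = re.I | re.M  # procmail matches case-insensitively unless told otherwise
ANY_RECEIVED = re.compile(r"^Received:", FLAGS)
# (.*\>)? in the recipe is modelled as (?:.*\W)?: the domain must start a word.
OWN_RECEIVED = re.compile(r"^Received:(?:.*\W)?interlog\.(?:com|net)", FLAGS)


def unfold(header: str) -> str:
    """Join folded continuation lines so each header field is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def received_score(header: str, forgive: int = 1) -> int:
    """Mirror the three weighted conditions; forgive is the last weight."""
    h = unfold(header)
    total = len(ANY_RECEIVED.findall(h))  # * 1^1  ^Received:
    own = len(OWN_RECEIVED.findall(h))    # * -1^1 ^Received:(.*\>)?interlog...
    return total - own - forgive          # * -1^0 (or -2^0, -3^0)


def is_suspect(header: str, forgive: int = 1) -> bool:
    """A weighted recipe fires only when the final score is positive."""
    return received_score(header, forgive) > 0


# Constructed sample: one hop inside the sender's site, then delivery to interlog.
# The interlog name sits on a folded continuation line.
DIRECT = (
    "Received: from smtp.example.org (smtp.example.org [192.0.2.10])\n"
    "\tby mail.interlog.com with ESMTP; Thu, 8 Jan 1998 12:00:02 -0500\n"
    "Received: from desk.example.org by smtp.example.org; Thu, 8 Jan 1998 12:00:00 -0500\n"
    "Subject: constructed direct message\n"
)

# Constructed sample: three foreign hops before the interlog hop.
RELAYED = (
    "Received: from relay2.example.net by mail.interlog.com; Thu, 8 Jan 1998 12:00:09 -0500\n"
    "Received: from relay1.example.com by relay2.example.net; Thu, 8 Jan 1998 12:00:06 -0500\n"
    "Received: from hub.example.org by relay1.example.com; Thu, 8 Jan 1998 12:00:03 -0500\n"
    "Received: from dialup.example.org by hub.example.org; Thu, 8 Jan 1998 12:00:00 -0500\n"
    "Subject: constructed relayed message\n"
)

if __name__ == "__main__":
    for name, hdr in (("direct", DIRECT), ("relayed", RELAYED)):
        print(name, received_score(hdr), is_suspect(hdr), is_suspect(hdr, forgive=3))
```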
