Re: Interesting spam pattern

Found another interesting pattern, Received header that are all on
one line. Normally a Received: header spans two lines, at least on
*all* the mail I get.

This filter locates the single line Received: headers and traps on
that:

:0:
*Received:\/( ?[^       ])*$
mail/Spam


No guarantees here.  I just tried it out on some test mailboxes (all known to 
have valid mail), and it matched like mad.  Here's a Received: header that
matched the pattern falsely:

   Received: from maelstrom.stjohns.edu by maelstrom.stjohns.edu (LSMTP for 
OpenVMS v1.1a) with SMTP id 
<9(_dot_)B568F177(_at_)maelstrom(_dot_)stjohns(_dot_)edu>; Wed, 15 Apr 1998 
21:41:27 -1300

As far as I can tell, there's no requirement in RFC 822 for multiple lines
in a Received: header.

Chris

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Interesting spam pattern, Chris Osborn Re: Interesting spam pattern, Christopher Lindsey <= Re: Interesting spam pattern, Chris Osborn Re: (procmail) Re: Interesting spam pattern, Reto Lichtensteiger Re: Interesting spam pattern, Brad Knowles Re: Interesting spam pattern, Matt Armstrong

Previous by Date:	Re: Sendmail, Procmail, and Majordomo, Brad Knowles
Next by Date:	Re: Interesting spam pattern, Chris Osborn
Previous by Thread:	Re: Interesting spam pattern, Chris Osborn
Next by Thread:	Re: Interesting spam pattern, Chris Osborn
Indexes:	[Date] [Thread] [Top] [All Lists]