At 12:22 2006-11-20 -0500, S.A. Birl did say:
by concept.temple.edu with esmtp (Z*LPM=1R> 7P1(_at_)E)
By thoughts: has anyone written a filter, think it's worth filtering,
too many false-pos, potential problems, etc.
Why not write a rule and run it against your saved mail?
common forms I've seen include:
Received: from thought (69.44.117.991) by
rly2.fold.foolish.able.apparatus.home.ne.jp (InterMail vN.3.85.54.25
58-32-1-19-7-36614082) with ESMTP id
<98468682111(_dot_)YBZGM4066(_dot_)ymis131-mail(_dot_)chief(_dot_)bread(_dot_)net(_dot_)cable(_dot_)rogers(_dot_)com(_at_)loss>
for <deleted; Sun, 22 Oct 2006 17:08:48 -0600
(note where the receipient address was deleted by myself above, the CLOSING
BRACKET was actually missing in the original message...)
Received: from 67.72.99.391 (mta042.z2c.net) (67.72.99.391) by
rly77.mail.mistersporty.com with ESMTP; Sun, 15 Oct 2006 13:38:09 -0600
Received: from rly-yb04.mx.aol.com (rly-yb04.mail.aol.com
[172.18.205.136]) by air-yb03.mail.aol.com (v113.6) with ESMTP id
MAILINYB31-1964545150778; Sun, 29 Oct 2006 15:54:50 -0400
Received: from [127.0.0.1] (helo=localhost) by lists.lc-words.com with
esmtp
(those I've seen of this layout, esmtp appears as all lower or all upper,
though case-sensitivity would be a bad idea anyway).
Note that there's no _specification_ for what it must be formatted
as. Only the latter three of the above examples appear to occur on legit
mail - the first one was seen on prior flagged junk.
# 2006-Nov-20 esmtp should be a IP or hostname ... I think.
See above.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail