[Mimedefang] Filtering based on X-Mailer or X-MIMEOLE header?

[Paul Murphy]

Mark Damrose wrote:

> I've found that most of the stock spam have a unique Received
header.
> Two rules that have been doing extremely well for me are:

> header ECC_FORGED_ELGIN_RCVD Received =~ /by elgin.edu with esmtp
> \(.+\)\s+id\s\S+\s+for/

> header ECC_ODD_TZ Date =~
>
/^\s*(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat)\,\s\d{1,2}\s(?:Jan|Feb|Mar|Apr|Jun|
>
Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}(?:\:\d{2}){1,2}\s[\+\-]?\d{2}[123
> 456789]\d$/

Well spotted!  That's very useful for me, and certainly almost all of
my recent examples match on this.

Interestingly, they also predominantly have "The Bat!" as the X-Mailer,
although the version details are variable.  Maybe 25% have a version of
Outlook instead.

Paul.

-- 

-------------------------------------------------------
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646