I've been getting occasional spam recently that follows a common pattern in the From: header. Below is the full header section of one of these emails, as an example: ---------------------------------------------------------------------- >From MAILER-DAEMON Tue Feb 1 10:20:50 2022 Return-Path: <> X-Original-To: c...@aaaaa.org Delivered-To: c...@aaaaa.org Received: from jybaudot.fr (unknown [109.237.96.99]) by miplet.aaaaa.org (Postfix) with ESMTP id 22D803FDB9 for <c...@aaaaa.org>; Tue, 1 Feb 2022 10:20:50 -0500 (EST) MIME-Version: 1.0 From: "WeTeachSex" <support_id:8234...@fmkssuvrxj.com> Subject: =>> The #1 secret to squirting <<== To: c...@aaaaa.org Content-Transfer-Encoding: 7bit Content-Type: text/html; charset=UTF-8 Date: Tue, 01 Feb 2022 16:06:21 +0100 ----------------------------------------------------------------------
One feature they all share is that "support_id:" prefix in the fake email address. I thought it should be easy to find them all with ~fsupport_id ... but that consistently finds nothing, even when that message is right there in my inbox. I tried both l~f'support_id' and /~f'support_id' and in both cases it found nothing. Limit gave me a blank mailbox, and / search said "not found". (I also tried /~fMAILER in case it would match on the envelope sender line, but that did not find this message either) Anyone know what might be happening here? -- cos