[EMAIL PROTECTED] wrote: > But some mails which should be caught by nested_header_checks or > mime_header_checks can't help but go through my filter for some reason. > And I don't know why.. > > However, I found a difference between mails which my filter could catch and > mails which my filter couldn't. > > It is the difference whether attached mail has body or not(header only). > > This is nested_header_checks' feature, right? > > When I use body_checks, there is no probrem. > But it might cause unintended matching.
For nested headers to be recognized as such, they must be at the beginning of an inline message attachment section. For mime headers to be recognized as such, they must be at the beginning of a mime attachment section. Anything else is just body text, even if it looks like a header. Standard bounces come with the original headers as an attached message; they can be examined by nested_header_checks. Some bounces arrive with the original headers included in body text; they must be examined by body_checks. While including your anti-backscatter rules in body_checks does increase the risk of false positives, IMO the increased risk is very slight, and outweighed by the benefit of detecting non-standard bounces. -- Noel Jones
