I’m getting the following Spam. http://www.redfish-solutions.com/misc/bluechew.eml
And this is notable for having: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><style> GUID1 GUID2 GUID3 GUID4 … </style> so it should be easy enough to detect. A GUID looks like: [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{3}-[0-9a-f]{3}-[0-9a-f]{12} The 2nd type of Spam I’m seeing looks like: http://www.redfish-solutions.com/misc/received-spf.eml which contains: Received: from mta.amapspa.it ([127.0.0.1]) by localhost (mta.amapspa.it [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id U5M-E2lVwWem; Sat, 2 Nov 2019 00:19:36 +0100 (CET) Received-SPF: none (amapspa.it: No applicable sender policy available) receiver=mta.amapspa.it; identity=mailfrom; envelope-from="dario.scarpu...@amapspa.it"; helo="[91.134.159.128]"; client-ip=91.134.159.128 Received-SPF: none (amapspa.it: No applicable sender policy available) receiver=mta.amapspa.it; identity=mailfrom; envelope-from="dario.scarpu...@amapspa.it"; helo="[91.134.159.128]"; client-ip=91.134.159.128 Received-SPF: none (amapspa.it: No applicable sender policy available) receiver=mta.amapspa.it; identity=mailfrom; envelope-from="dario.scarpu...@amapspa.it"; helo="[91.134.159.128]"; client-ip=91.134.159.128 … with that line being repeated some 40 times, each line being identical. I tried a rule like: header __L_RECEIVED_SPF exists:Received-SPF tflags __L_RECEIVED_SPF multiple maxhits=20 meta L_RECEIVED_SPF (__L_RECEIVED_SPF >= 10) describe L_RECEIVED_SPF Crazy numbers of Received-SFP headers score L_RECEIVED_SPF 20.0 but it never seems to match. I’ve not tried to debug this, but it seems that duplicated headers might not be saved as a list into the headers? (Is there an easy way to see what exists:Received-SPF is evaluating as?) If that’s the case, it would seem to be a shortcoming. Can anyone confirm that’s indeed what’s happening? Thanks, -Philip