> Does anyone have a rule to chech the envelope To: against the header > to: ? I'm sure that there's a reason why it's allowed to be > different, but it doesn't apply here, and almost half of the > spam that gets thru everything else would get stopped by that.
[First I am new here and so may know NOTHING.] This makes sense to me for an incremental rule and is associated with something else that I am seeing in a lot of spam: Case: Display name is MADE up, and sent to a real email username. "Johny Sullivan" <[EMAIL PROTECTED]> I have NO idea why the spammers do this -- it wouldn't be that hard to at least make it "Brian Sullivan" and quite a few do in fact make it "BrianX" <[EMAIL PROTECTED]> which at least seems to make sense. Two questions have occurred to me: Would this actually helf find spam BETTER (since I see this in high score spam anyway) and how hard it would be to write the match but I have figure out at least an ugly way to do that.) It might require a plug-in to do in a general way (with file lookup on "user name"/email-account pairs, aliases, etc. Otherwise it would only be suitable for small email domains and a custom solution for each location (e.g, no general set of rules everyone could download.) And then, if there is no advantage to spammers or even reason for this practice -- they might just stop doing it. (But even that seems a small victory. <grin>) -- Herb Martin