One of the users (actually the boss) had the email address harvested and we got clobbered by backscatter. Looking at the emails of the various 'unable to deliver' type messages, I saw what these could be filtered on, but don't know how to write up and implement the rule outside of procmail. I don't want to use procmail for this since it I think it would be an expensive routine for procmail to run.
In the body of the 'unable to deliver' message, the original message is quoted. One of the lines quoted is the Message-ID: header from the original. The format of this line is always wrong as it does not contain the FQDN that our server appends to the end of the hash number , following the '@' symbol . So, need a rule that would parse the "Message-ID:" in the body (or attachment) and not header, and look for the @FQDN Is this rule already out in the wild? -p