On Mon, 2009-02-23 at 17:55 -0500, Gene Heskett wrote:
> Anybody got an idea how the spammers have managed that?
>
Sorry, I can't help with the invisible stuff, but I do know a little
about the other part of your question:
> And better yet, how to defend against it as I'd like to /dev/null any message
> with an unlisted header.
>
'Undisclosed recipients:' and its variants:
These are created by a lot of current MUAs and some MTAs (Microsoft
Exchange V6.5 amongst others). I've usually seen this in mass mailings
to members of organisations that use blind copy addressing to hide
members' addresses from other recipients. It often appears as the only
address term for a Bcc: header. The string "Undisclosed recipients:" is
actually a legal group address name. It would appear that some MTAs deal
with Bcc group addresses by generating a mail message for each address
in the group with the group address name left in the To:, CC: or BCC:
header and the actual address put in the envelope header. As just two or
three spelling variants exist, I'd also speculate that some MTAs treat
this group address name as 'special', i.e. it, rather than a control
flag, determines whether blind copies are sent. Some of these MTAs are
fed from MUAs or bulk mailers that accept ';' as a list separator in
place of the more usual comma: this causes some parsers some grief which
result in them including the semicolon as part of the address rather
than stripping it off.
In the last year I haven't seen any mail with "Unlisted recipients",
just variations on "Undisclosed recipients". I have seen some
occurrences in spam but by far the majority has been in messages sent to
members of reasonably large (150+) groups that I belong to.
IMO the appearance of "Undisclosed recipients:" in a list of addresses
should not be taken as an indication of spam, but as always ymmv.
The following Java snippet seems to reliably catch all variations on the
theme:
String temp = address.replaceAll("[\\.\\-:;]", " ");
temp = temp.trim();
temp = temp.toLowerCase();
boolean undisclosed = (temp.compareTo("undisclosed recipients") == 0);
In other words, within the address string:
a) replace each occurrence of '.' (full stop), '-' (hyphen), ':' (colon)
and ';' (semicolon) with a single space
b) remove all leading and trailing spaces
c) convert the string to lower case
d) set 'undisclosed' TRUE if the resulting string is
"undisclosed recipients"
> Thank you for any insight offered.
>
HTH
Martin
