On Mon, 2009-02-23 at 17:55 -0500, Gene Heskett wrote: > Anybody got an idea how the spammers have managed that? > Sorry, I can't help with the invisible stuff, but I do know a little about the other part of your question:
> And better yet, how to defend against it as I'd like to /dev/null any message > with an unlisted header. > 'Undisclosed recipients:' and its variants: These are created by a lot of current MUAs and some MTAs (Microsoft Exchange V6.5 amongst others). I've usually seen this in mass mailings to members of organisations that use blind copy addressing to hide members' addresses from other recipients. It often appears as the only address term for a Bcc: header. The string "Undisclosed recipients:" is actually a legal group address name. It would appear that some MTAs deal with Bcc group addresses by generating a mail message for each address in the group with the group address name left in the To:, CC: or BCC: header and the actual address put in the envelope header. As just two or three spelling variants exist, I'd also speculate that some MTAs treat this group address name as 'special', i.e. it, rather than a control flag, determines whether blind copies are sent. Some of these MTAs are fed from MUAs or bulk mailers that accept ';' as a list separator in place of the more usual comma: this causes some parsers some grief which result in them including the semicolon as part of the address rather than stripping it off. In the last year I haven't seen any mail with "Unlisted recipients", just variations on "Undisclosed recipients". I have seen some occurrences in spam but by far the majority has been in messages sent to members of reasonably large (150+) groups that I belong to. IMO the appearance of "Undisclosed recipients:" in a list of addresses should not be taken as an indication of spam, but as always ymmv. The following Java snippet seems to reliably catch all variations on the theme: String temp = address.replaceAll("[\\.\\-:;]", " "); temp = temp.trim(); temp = temp.toLowerCase(); boolean undisclosed = (temp.compareTo("undisclosed recipients") == 0); In other words, within the address string: a) replace each occurrence of '.' (full stop), '-' (hyphen), ':' (colon) and ';' (semicolon) with a single space b) remove all leading and trailing spaces c) convert the string to lower case d) set 'undisclosed' TRUE if the resulting string is "undisclosed recipients" > Thank you for any insight offered. > HTH Martin