Hi,
I've noticed a trend in which spammers put in a bunch of X- header
purporting to show that a message is good. I've appended sample
headers (slightly obfuscated to hide recipient) below.
I wonder if a test for more than (say) 8 "X-*" header in
an inbound mail would be a good spam indicator?
Regards,
David.
=========================================================================
Received: from mail.com ([190.237.242.198])
by colo10.roaringpenguin.com with ESMTP id s93JmajB021470
for <redac...@example.com>; Fri, 3 Oct 2014 15:48:39 -0400
Return-Path: <americanexpr...@welcome.aexp.com>
Delivered-To: <redac...@example.com>
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-19882-c
X-CMAE-Scan-Result: 0
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-19849-c
X-CMAE-Scan-Result: 0
X-Orig-To: <redac...@example.com>
X-Originating-Ip: [209.67.98.59]
Received: from SEFE63.seaprod.com (unknown [192.168.72.11])
by mailsea.docusign.net (Postfix) with ESMTP id KQAF5JDDV4IK
for <redac...@example.com>; Fri, 3 Oct 2014 14:48:44 -0500
X-DKIM: Sendmail DKIM Filter v2.8.2 mailsea.docusign.net JQ9N42F3MTC8
Received: from docusign.net ([127.0.0.1]) by SEFE19.seaprod.com with Microsoft
SMTPSVC(7.5.7601.17514);
Fri, 3 Oct 2014 14:48:44 -0500
Sender: "American Express" <americanexpr...@welcome.aexp.com>
Reply-To: "American Express" <americanexpr...@welcome.aexp.com>
From: "American Express" <americanexpr...@welcome.aexp.com>
To: <redac...@example.com>
Message-ID: <2sui4otn561x0wm7252lx58t61e...@welcome.aexp.com>
Date: Fri, 3 Oct 2014 14:48:44 -0500
Subject: Security Concern on Your American Express Account
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_FFTENOOC_L24J_U12E_AEA3_LA0JA0R78GGI"
X-OriginalArrivalTime: Fri, 3 Oct 2014 14:48:44 -0500
FILETIME=[61006395:87205310]
