Hi, I've noticed a trend in which spammers put in a bunch of X- headers purporting to show that a message is good. I've appended sample headers (slightly obfuscated to hide recipient) below.
I wonder if a test for more than (say) 8 "X-*" headers in an inbound mail would be a good spam indicator?

Regards,

David.

=========================================================================
Received: from mail.com ([190.237.242.198])
        by colo10.roaringpenguin.com with ESMTP id s93JmajB021470
        for <redac...@example.com>; Fri, 3 Oct 2014 15:48:39 -0400
Return-Path: <americanexpr...@welcome.aexp.com>
Delivered-To: <redac...@example.com>
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-19882-c
X-CMAE-Scan-Result: 0
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-19849-c
X-CMAE-Scan-Result: 0
X-Orig-To: <redac...@example.com>
X-Originating-Ip: [209.67.98.59]
Received: from SEFE63.seaprod.com (unknown [192.168.72.11])
        by mailsea.docusign.net (Postfix) with ESMTP id KQAF5JDDV4IK
        for <redac...@example.com>; Fri, 3 Oct 2014 14:48:44 -0500
X-DKIM: Sendmail DKIM Filter v2.8.2 mailsea.docusign.net JQ9N42F3MTC8
Received: from docusign.net ([127.0.0.1]) by SEFE19.seaprod.com with Microsoft SMTPSVC(7.5.7601.17514);
        Fri, 3 Oct 2014 14:48:44 -0500
Sender: "American Express" <americanexpr...@welcome.aexp.com>
Reply-To: "American Express" <americanexpr...@welcome.aexp.com>
From: "American Express" <americanexpr...@welcome.aexp.com>
To: <redac...@example.com>
Message-ID: <2sui4otn561x0wm7252lx58t61e...@welcome.aexp.com>
Date: Fri, 3 Oct 2014 14:48:44 -0500
Subject: Security Concern on Your American Express Account
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_FFTENOOC_L24J_U12E_AEA3_LA0JA0R78GGI"
X-OriginalArrivalTime: Fri, 3 Oct 2014 14:48:44 -0500 FILETIME=[61006395:87205310]
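
The test proposed in the post above, as an added example that is not part of the original message: it counts "X-*" header fields against the suggested limit of 8 and also reports X- names that occur more than once, as X-Virus-Scanned does in the sample. The function name, the report fields and both header blocks are constructed for illustration.

```python
from collections import Counter
from email.parser import HeaderParser

X_HEADER_LIMIT = 8  # the "(say) 8" floated in the post; a tunable, not a standard


def x_header_report(raw_headers, limit=X_HEADER_LIMIT):
    """Count X-* header fields and list X-* names that occur more than once."""
    # HeaderParser keeps folded continuation lines attached to their header,
    # so a wrapped Received: line is never miscounted as a separate field.
    msg = HeaderParser().parsestr(raw_headers)
    names = [n.lower() for n, _ in msg.items() if n.lower().startswith("x-")]
    counts = Counter(names)
    return {
        "x_count": len(names),
        "repeated": sorted(n for n, c in counts.items() if c > 1),
        "over_limit": len(names) > limit,
    }


# Constructed header blocks (not real mail), modelled on the pattern in the post.
SAMPLE_SUSPECT = "\n".join([
    "Received: from mail.example.net ([192.0.2.10])",
    "\tby mx.example.com with ESMTP id CONSTRUCTED1;",
    "\tFri, 3 Oct 2014 15:48:39 -0400",
    "X-Virus-Scanned: OK", "X-MessageSniffer-Scan-Result: 0",
    "X-CMAE-Scan-Result: 0", "X-Spam-Threshold: 95",
    "X-Spam-Score: 0", "X-Spam-Flag: NO",
    "X-Virus-Scanned: OK", "X-MessageSniffer-Scan-Result: 0",
    "X-CMAE-Scan-Result: 0", "X-Orig-To: <user@example.com>",
    'From: "Sender" <sender@example.net>',
    "Subject: constructed sample", "", "",
])

SAMPLE_PLAIN = "\n".join([
    "Received: from mail.example.org ([192.0.2.20])",
    "\tby mx.example.com with ESMTP id CONSTRUCTED2;",
    "\tFri, 3 Oct 2014 16:02:11 -0400",
    "X-Mailer: ExampleMailer 1.0", "X-Priority: 3",
    'From: "Colleague" <colleague@example.org>',
    "Subject: constructed sample", "", "",
])

if __name__ == "__main__":
    for label, raw in (("suspect", SAMPLE_SUSPECT), ("plain", SAMPLE_PLAIN)):
        print(label, x_header_report(raw))
```

The limit is only a starting point: measure the X- header count on known-good mail for the site before attaching a score to it.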