If I could only create this *one* rule...("Delivered-To:" line)

I think I know the answer (and it's 'no'), but I will ask just in case I'm overlooking something simple or a workaround:
I have built up a pretty effective set of rules to filter out spam in our company's catchall box based on several Conditions, one of the more effective being "Where the To or CC line contains... ". But there are still one or two hundred spam messages a day getting thru.

I could eliminate a lot of remaining spam if there was a rule Condition "Where the Delivered-To line contains..." available, but there is none*. Is there a workaround for this?


*Spammers create a list name that is the same as one of our valid e-mail addresses. The list name goes in the "To" line, and a bogus e-mail address goes in the "Delivered-To" line. Because the rules only are able to look at the To or Cc line, and not the Delivered-To line, the e-mail slips thru my filters but ends up cluttering up the catchall folder.

 

peva--I gather the setting "where the To or CC line contains people" does not help.
I must confess that I have never seen a "Delivered-To" line. So perhaps I should not offer comment, without experience.
I understand this occurs with incoming messages. And that the email address for the receiver on the Delivered to line is bogus. Is that address in your Address Book?
I wonder if any of these references offer help
http://www.security.nnov.ru/advisories/msoeab1.asp
http://www.opentechsupport.net/forums/archive/topic/7626-1.html
http://www.google.com/search?q=OE+"...r=&rls=GGLD,GGLD:2004-31,GGLD:en&start=0&sa=N

 

That is correct. The best I can determine, the messages get routed according to the "Delivered-To" line in the message's source code, but the "To" column in OE shows what's in the "To" line of the message (source code). So they get kicked into the catchall (according to the bogus "Delivered-To" line) but show up in OE with the legitimate e-mail address as the "To ". But the freakin' OE filters can't be made to look at the "Delivered-To" line.

It's easy - just pull up any message and look at its source code - near the top will be the "Delivered-To" line. In any normal message like you or I would send, it will have the same e-mail address as the "To" line (near the bottom of the source code). But these jokers are making them different (as I said, the best I can figure, by using some "list" capability in e-mailing).

No - the bogus address that shows up as "Delivered-To" is not in my address book.

I will take a look.

Thanks!

 

Jim -
I looked at the 3 links you posted. I had done a Google search on "Delivered-To:" prior to my original post. Unfortunately (in this case anyway), Google ignores any punctution in the search criteria, so anywhere the words "delivered to" appear in a normal sentence (within the bounds of any other search criteria such as the "OE" as you suggested in your search link) becomes a hit - and they are too numerous to be of any help. I went thru several pages of Google hits with nothing related to the "Delivered-To:" line of OE before giving up that method. I even tried to narrow down the hits by adding other down-selectors, like "source code ".

Looks like if you put something in quotes in a search engine's criteria, it ought to honor it literally (with or without respect for upper-lower case?), but that is another discussion, eh?

It doesn't appear that the other two links address this situation either.

Thanks again.

Post-script: I came up with the clever idea of putting "Delivered-To line" in the search cirteria - so that did eliminate a lot of worthless hits. Problem is, it looks like some a-hole (intentionally?) loaded up the internet with the phrase "This message is looping: it already has my Delivered-To line..." all over the place, so it makes the search worthless.

 

Here's the result of one Google hit: http://groups.yahoo.com/group/djb-qmail/message/117754?threaded=1&var=1

There's some interesting discussion and speculation in there on the reason the "Delivered-To" line is used (by spammers) - DoS attacks by bouncing messages seems the most plausible. Still doesn't solve the problem, but gives some insight into it.

 

peva--I am sorry I could not help. That link you provided is interesting.
I still do not see any "Delivered To" line in the messages I get. Probably just as well.
I presume by "source" you mean what is seen from right clicking on the message line in the Inbox|Properties|Details|Message Source. Here is a typical message that I receive (HEADER only with some ID changes)

"Received: from imo-m27.mx.aol.com ([12.34.56.7])
by xxx.comcast.net (sccrmxc) with ESMTP
id <abcd etc>; Wed, 28 Jun 2006 19:00:04 +0000
X-Originating-IP: [12.34.56.7]
Received: from XXX@aol.com
by imo-m27.mx.aol.com (mail_out_v38_r7.5.) id i.52b.1b171c9 (41811)
for <me@comcast.net>; Wed, 28 Jun 2006 14:59:49 -0400 (EDT)
From: XXX@aol.com
Message-ID: <52b.1b171c9.31d42ba0@aol.com>

Date: Wed, 28 Jun 2006 14:59:44 EDT
Subject: Re: summer vacation
To: me@comcast.net
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary= "part1_52b.1b171c9.31d42ba0_boundary "
X-Mailer: 7.0 for Windows sub 10705
X-Spam-Flag: NO "

 

No prblem, Jim.

I found another discussion** which talked about the "Delivered-To:" line being added if it passes thru a Qmail server - which my e-mail does. That may be the difference.

**Let's see - going into my history...here it is: http://ftp.greatcircle.com/lists/majordomo-users/mhonarc/majordomo-users.200009/msg00223.html

 

peva--Thanks for the education. This thread is the first I had heard of qmail.