Another 2 cents. Kami, on your prompting I looked back 4 days and saw that we'd received 34 messages that were in the format [EMAIL PROTECTED]; most of those domain names were perfectly legitimate... and faked.
I found that each one of the messages had heavily triggered other tests and were all held. What's true today, though, isn't true tomorrow.

I'm going to add in a new test as per Joshua's suggestion, but I wanted to point out a caveat to others, which is to NOT look for an asterisk somewhere in the MAILFROM field, just check for the left-hand side; in the same 4-day period we had 313 messages that were mailing lists (mostly legitimate) where the MAILFROM is rather different from the from: in the header, e.g. [EMAIL PROTECTED] (where [EMAIL PROTECTED] was a valid subscriber to this mailing list).

In short, don't get carried away while filtering for asterisks.

Andrew 8)

-----Original Message-----
From: Joshua Levitsky [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 6:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Legitimate email syntax?

Sounds like something you could put in a filter file

MAILFROM 10 STARTSWITH *@

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.