http://theregister.co.uk/content/6/28544.html
These should work for POSIX and PCRE (assuming Register has the text exactly right) /Subject:.*Protect Your Computer Against Viruses for/ REJECT ACL header_checks_bmtt /Subject:.*Verification Department/ REJECT ACL header_checks_bmtt /Subject:.*Get a FREE quote on any mortgage loan/ REJECT ACL header_checks_bmtt /Subject:.*Printer Cartridges \- Save up to/ REJECT ACL header_checks_bmtt /Subject:.*Free Shipping Offer/ REJECT ACL header_checks_bmtt /Subject:.*Miniature Remote Control Car/ REJECT ACL header_checks_bmtt /Subject:.*100 F R E E\, Please Play Now/ REJECT ACL header_checks_bmtt /Subject:.*Online Auction Marketing Secrets/ REJECT ACL header_checks_bmtt /Subject:.*Important news Kuira/ REJECT ACL header_checks_bmtt /Subject:.*URGENT \& CONFIDENTIAL/ REJECT ACL header_checks_bmtt /Subject:.*GET A FREE PASS TO THOUSANDS OF XXX SITES/ REJECT ACL header_checks_bmtt As always, the payoff is to harvest the reject log lines for sending PTR's and ip's. btw, here's a mta_clients_bw.map that can't miss: abo.wanadoo.fr 554 ACL mta_clients_bw where abo = abonnee = subscriber of France Telecom's Wanadoo ISP. I see 1000's of rejects from that domain every day at on USA isp's. Len
