Re: How is this spam hiding from mutt search?

2022-02-01 Thread Sam Kuper
On Tue, Feb 01, 2022 at 10:16:51AM -0800, Kevin J. McCarthy wrote:
> On Tue, Feb 01, 2022 at 10:36:29AM -0500, Ofer Inbar wrote:
>> One feature they all share is that "support_id:" prefix in the fake
>> email address.
> 
> The ':' isn't allowed in the address local part, so I believe the mutt
> parser is rejecting the email address.  Because of that there is no
> address stored in the "from" list internally.
> 
> You may have to use something like ~h or =h to find the prefix.

I'm going to write the terms "colon", "punctuation", "regex", and
"regular expression" here, so that anyone searching the mailing list
archives for help with this issue in future will more easily be able to
find it.

Sam


-- 
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.


Re: How is this spam hiding from mutt search?

2022-02-01 Thread Ofer Inbar
On Tue, Feb 01, 2022 at 10:16:51AM -0800,
"Kevin J. McCarthy"  wrote:
> On Tue, Feb 01, 2022 at 10:36:29AM -0500, Ofer Inbar wrote:
> >From: "WeTeachSex"   
> 
> >One feature they all share is that "support_id:" prefix in the fake
> >email address.
> 
> The ':' isn't allowed in the address local part, so I believe the
> mutt parser is rejecting the email address.  Because of that there
> is no address stored in the "from" list internally.
> 
> You may have to use something like ~h or =h to find the prefix.

Thanks, that's probably it.  And ~h works, though it's much slower.
  -- Cos


Re: How is this spam hiding from mutt search?

2022-02-01 Thread Kevin J. McCarthy

On Tue, Feb 01, 2022 at 10:36:29AM -0500, Ofer Inbar wrote:
> From: "WeTeachSex"
>
> One feature they all share is that "support_id:" prefix in the fake
> email address.

The ':' isn't allowed in the address local part, so I believe the mutt
parser is rejecting the email address.  Because of that there is no
address stored in the "from" list internally.

You may have to use something like ~h or =h to find the prefix.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA
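
Added example, not part of the original thread and not mutt's own code: a Python check for the condition described in the reply above, a From address whose local part contains a character such as ':' that is not allowed unquoted, so a strict address parser would reject it. Treating the RFC 5322 dot-atom rule as the meaning of "not allowed" is an assumption, and the sample messages and addresses are constructed.

```python
import email
import re

# RFC 5322 atext: characters allowed in an unquoted local part (dot-atom).
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = re.compile(rf"{ATEXT}+(?:\.{ATEXT}+)*\Z")
QUOTED = re.compile(r'"(?:[^"\\\r\n]|\\.)*"\Z')
ANGLE = re.compile(r"<([^<>]*)>")


def local_part_problem(from_value):
    """Return a reason string if the From address has an invalid local part, else None."""
    m = ANGLE.search(from_value)
    addr = m.group(1) if m else from_value.strip()
    local, at, _domain = addr.rpartition("@")
    if not at:
        return "no '@' in address"
    if DOT_ATOM.match(local) or QUOTED.match(local):
        return None
    # Collect the characters that are neither atext nor a dot.
    bad = sorted(set(re.sub(ATEXT + r"|\.", "", local)))
    return f"illegal characters in local part: {''.join(bad)!r}" if bad else "malformed dot-atom"


def suspicious_from(raw_messages):
    """Yield (subject, reason) for messages whose From header a strict parser would reject."""
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        reason = local_part_problem(msg.get("From", ""))
        if reason:
            yield msg.get("Subject", ""), reason


# Constructed sample messages (addresses are invented, not taken from the thread).
SAMPLES = [
    'From: "Sender A" <support_id:1234@example.invalid>\nSubject: one\n\nbody\n',
    'From: "Sender B" <alice.smith@example.org>\nSubject: two\n\nbody\n',
    'From: "Sender C" <"support_id:1234"@example.org>\nSubject: three\n\nbody\n',
    'From: bob..x@example.org\nSubject: four\n\nbody\n',
]

if __name__ == "__main__":
    for subject, reason in suspicious_from(SAMPLES):
        print(f"{subject}: {reason}")
```

Messages flagged this way are the ones an address-based pattern can miss, so a header search such as the ~h suggested above is the fallback for finding them.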




How is this spam hiding from mutt search?

2022-02-01 Thread Ofer Inbar
I've been getting occasional spam recently that follows a common
pattern in the From: header.  Below is the full header section of
one of these emails, as an example:
--
>From MAILER-DAEMON  Tue Feb  1 10:20:50 2022
Return-Path: <>
X-Original-To: c...@a.org
Delivered-To: c...@a.org
Received: from jybaudot.fr (unknown [109.237.96.99])
        by miplet.a.org (Postfix) with ESMTP id 22D803FDB9
        for ; Tue,  1 Feb 2022 10:20:50 -0500 (EST)
MIME-Version: 1.0
From: "WeTeachSex"   
Subject: =>> The #1 secret to squirting  <<==
To: c...@a.org
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=UTF-8
Date: Tue, 01 Feb 2022 16:06:21 +0100
--

One feature they all share is that "support_id:" prefix in the fake
email address.  I thought it should be easy to find them all with
~fsupport_id ... but that consistently finds nothing, even when that
message is right there in my inbox.

I tried both l~f'support_id' and /~f'support_id' and in both cases
it found nothing.  Limit gave me a blank mailbox, and / search said
"not found".

(I also tried /~fMAILER in case it would match on the envelope sender
line, but that did not find this message either)

Anyone know what might be happening here?
  -- cos