This won't catch a lot, but it could give you IPs or Class C's to block. I noted some stuff getting through to me where a header was:
    x: ZRlJFRUtJVEBCUkVOREFTQ1JJVkVORVIuQ09NZ ....

probably some kind of spam tracking code, and FROM: was illegal stuff (caret is illegal in sender field):

    from=<[EMAIL PROTECTED]>

In header_checks.regep:

    /(^x: .*)/ DISCARD x: header = "$1"

The $1 writes the expression to the log line. If you want to test, replace DISCARD with WARN or HOLD.

Here's a command to report hits by PTR[ip] sorted by IP:

    egrep -i "discard:.*x: header" /var/log/maillog | cut -d ";" -f 1 | awk '{print $NF}' | sort -fn | uniq -ic | sort -t[ -k2

The domain names all look like junk/senseless domain names used by spammers.

Len
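An added example, not part of the original post: the same report rolled up per /24 ("Class C"), with the client address taken from the smtpd record for the queue ID rather than from the text after the header value. The function names, sample log lines, addresses and queue IDs are constructed; it assumes traditional syslog timestamps and the usual Postfix `QUEUEID: client=host[ip]` line.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes traditional syslog
# timestamps and Postfix's "QUEUEID: client=host[ip]" smtpd record.

# Constructed sample log: documentation address ranges, made-up queue IDs.
sample_log() {
cat <<'EOF'
Jan 12 10:00:01 mx postfix/smtpd[2100]: 4A1B2C3D4E: client=mail1.example.net[192.0.2.18]
Jan 12 10:00:01 mx postfix/cleanup[2101]: 4A1B2C3D4E: discard: header x: AAAA from mail1.example.net[192.0.2.18]; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<mail1.example.net>: x: header = "x: AAAA"
Jan 12 10:01:07 mx postfix/smtpd[2100]: 5B2C3D4E5F: client=mail2.example.net[192.0.2.19]
Jan 12 10:01:07 mx postfix/cleanup[2101]: 5B2C3D4E5F: discard: header x: CCCC from mail2.example.net[192.0.2.19]; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<mail2.example.net>: x: header = "x: CCCC"
Jan 12 10:02:11 mx postfix/smtpd[2100]: 7F00AA11BB: client=unknown[198.51.100.7]
Jan 12 10:02:11 mx postfix/cleanup[2101]: 7F00AA11BB: discard: header x: BBBB from fake[203.0.113.9]; z from unknown[198.51.100.7]; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<h>: x: header = "x: BBBB from fake[203.0.113.9]; z"
Jan 12 10:03:30 mx postfix/smtpd[2100]: 8A11BB22CC: client=unknown[198.51.100.8]
Jan 12 10:03:30 mx postfix/cleanup[2101]: 8A11BB22CC: discard: header x: DDDD from unknown[198.51.100.8]; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<h>: x: header = "x: DDDD"
Jan 12 10:05:00 mx postfix/smtpd[2100]: 9C33DD44EE: client=mail9.example.net[203.0.113.50]
Jan 12 10:05:00 mx postfix/cleanup[2101]: 9C33DD44EE: reject: header Subject: test from mail9.example.net[203.0.113.50]; from=<c@example.net> to=<u@example.org> proto=ESMTP helo=<mail9.example.net>: 5.7.1 message content rejected
EOF
}

# Print "hits network/24" for each /24 with at least $1 (default 2) DISCARD
# hits on the x: rule, busiest first. Reads the mail log on stdin.
# The client IP comes from the smtpd record for the same queue ID, because
# the header text in the cleanup line is chosen by the sender (see 7F00AA11BB).
class_c_hits() {
    awk -v min="${1:-2}" '
        $5 ~ /^postfix\/smtpd\[/ && $7 ~ /^client=/ {
            ip = $7; sub(/^.*\[/, "", ip); sub(/\].*$/, "", ip)
            client[$6] = ip; next
        }
        $5 ~ /^postfix\/cleanup\[/ && $7 == "discard:" && tolower($0) ~ /x: header/ {
            # IPv6 or unknown clients do not split into four octets: skipped.
            if (split(client[$6], o, ".") == 4)
                hits[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (n in hits) if (hits[n] >= min) print hits[n], n }
    ' | sort -k1,1nr -k2,2
}

sample_log | class_c_hits 2
```

Against a real log, feed `/var/log/maillog` on stdin and raise the threshold before turning any /24 into a block.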