Just got one a short while ago. Look at these headers: Received: from p4248-ipbfp02matuyama.ehime.ocn.ne.jp [126.96.36.199] by mail.4cweb.com with ESMTP (SMTPD-8.22) id A0D001A0; Tue, 07 Aug 2007 12:41:52 -0400 Received: from [188.8.131.52] by p4248-ipbfp02matuyama.ehime.ocn.ne.jp with HTTP; Wed, 8 Aug 2007 01:42:17 +0900 Message-ID: <[EMAIL PROTECTED]> From: <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Wire instructions-Moi Date: Wed, 8 Aug 2007 01:42:01 +0900 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_000C_01C7D95D.50E32D80" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.3138 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Note the "with HTTP;". This looks detectable to me, since it also has OE headers. Not sure if there is more to work with in the Message-ID and MIME boundaries. Darin. ----- Original Message ----- From: Scott Fisher To: Message Sniffer Community Sent: Tuesday, August 07, 2007 12:46 PM Subject: [sniffer] New campaign not caught Last night I started getting spam with numbers in the subject and a hex code in the body. This morning that switched over to stock spam PDFs. Hopefully rules can be targeted towards them! Scott Fisher Dir of IT Farm Progress Companies 191 S Gary Ave Carol Stream, IL 60188 Tel: 630-462-2323 This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Although Farm Progress Companies has taken reasonable precautions to ensure no viruses are present in this email, the company cannot accept responsibility for any loss or damage arising from the use of this email or attachments.