The one obvious thing I see in all these fake bounce messages (which don't
all appear to be fake, just that they are bouncing to the wrong place - you)
is in the original header:
Received: from nickgilbert.com (unknown [211.211.169.224])
The ip address is different on every one of these. I assume that none of
them match the ip for your host, but for some reason I can't seem to find an
ip for your host, so I'm not sure.
So you can probably do something like (off the top of my head)
rawbody FAKE_FROM /^Received\: from nickgilbert.com
\([^\[]{0,30}\[(?!nnn.nnn.nnn.nnn)\]\)/
Substitute your real ip for the nnn's above.
Loren
