> So my question is can we have rulesets in spamassassin that can compare > the sending host domain with the latter part of @ of content id or look > for @ in the content id.
Hi, honestly the fact that outlook uses different strings and this spam uses similar strings for the boundary and the content id could be seen as a coincidence. I am using a few perl and php scripts for mail with attachments that more resemble the spam than the outlook case - and I dont think there are any recommendations in the RFC about how to create content id Wolfgang Hamann