Has anyone else noticed that if they get a message with:
Received: from [41.184.9.153] by web80007.mail.sp1.yahoo.com via HTTP; Sat, 06 Nov 2010 09:52:53 PDT i.e. from the 41.0.0.0/8 CIDR block from Africa, and the transport was HTTP, to anything ending with yahoo.com that 100% of the time it's SPAM? I see that Plugin/HeaderEval.pm contains: if ($rcvd =~ /by web\S+\.mail\S*\.yahoo\.com via HTTP/) { return 0; } which is part of it. And Message/Metadata/Received.pm contains: # Received: from [193.220.176.134] by web40310.mail.yahoo.com via HTTP; # Wed, 12 Feb 2003 14:22:21 PST if (/ via HTTP$/&&/^\[(${IP_ADDRESS})\] by (\S+) via HTTP$/) { $ip = $1; $by = $2; goto enough; } (I note that HTTP$ seldom matches, by the way, since all of my examples have "via HTTP;<date>" instead.) Is it worth having an explicit rule for this? Thanks, -Philip