In article <200804e2dd8b4f.Dave@xxxxxxxxxxxxxxxxx>,
Dave Barnett <as10@xxxxxxxxxxxxxxxxx> wrote:

> Many spams have a fake 'To:' and/or 'Envelope-To:' header of the form
> [string] at mydomain. I have put some that have been repeated
> frequently in a 'DeleteTo' list. These seem to have been passed from
> one bot to another or to have been harvested from inboxes of infected
> muppets. It is also apparent that they are being used as the 'From:'
> by the bots as I am receiving bounce messages.

> It is easy to add new 'From:' addresses to the 'DeleteFrom' list
> using the marking box, but I would like an easy way to add fake 'To:'s
> to a list as they are displayed for marking.

You might think that's useful, but I wonder...

I've seen hundreds of different combinations with my domains. Keeping up
with them would be an absolute pain. So I decided on the opposite
approach. I've created a 'positive list' called 'Alias' in which I've
listed all combinations I use. This is referenced in my rules file as:

    Delete Recipient !... Alias

This means any message to a name that *isn't* in the Alias file will be
deleted.

There are a couple of things to watch out for if you use this:

- You can't use it with just the To: header or you might lose valid mail
  to mailing lists.

- AntiSpam's Recipient keyword can be tricky. There's more code behind
  it than a simple comparison. The program will try to find the *real*
  (SMTP) recipient of a message by looking at several headers. Many
  providers don't add an Envelope-To: header with recipient info from
  the SMTP envelope. So if there isn't any, AntiSpam starts by looking
  at the Received: headers. However, some providers add extra Received:
  headers at the top with apparently nonsensical 'for' fields [1]. You
  need to mask these out (the Ignore Receiver setting in the
  Mailbox.Misc frame of the Choices window).

- You'll probably have to put a couple of Accept rules before the Delete
  Recipient rule to catch certain badly addressed messages.

I started to use this rule with Defer instead of Delete, until I was
sure I had caught all the exceptions. Currently this rule, together with
the Weight one, is responsible for about 95% of my spam deletions.

It does take some organising. Like others I use different addresses for
different people/businesses. Adding each and every one to the Alias file
would have been just as much a chore as adding faked To:'s to a delete
list. So I switched to using '-sub' and '-account' addresses (e.g.
aol-sub@xxxxxxxxx for Archive On Line and plutousers-sub@xxxxxxxxx for
the Pluto mailing list) and put 'sub@aconet.' and 'account@aconet.' in
the Alias file. If any of these ever get 'contaminated', they'll go into
a separate Delete list.

There's about sixty entries in my Alias list right now - mainly because
of some odd addresses I can't get rid of yet - but it doesn't grow.

Regards,
Frank

[1] Actually, these usually contain subscriber codes or numbers. I have
one account where the top Received: header has a 'for' field with my
username with the hosting company in it!
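
An added illustration of the positive-list rule described in the reply above (not part of Frank's post and not AntiSpam's own code): it resolves the SMTP recipient from Envelope-To: or, failing that, the Received: 'for' fields, skips masked-out receivers, and acts only on mail whose recipient is not in the Alias list. The example.org addresses, the host names, the Alias matching rule and the "Keep" result are assumptions made for this example.

```python
import re
from email import message_from_string

# Constructed stand-ins for the post's Alias file and Ignore Receiver setting.
ALIAS = ["frank@example.org", "sub@example.", "account@example."]
IGNORE_RECEIVER = ["mx.hoster.example"]

FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)

def smtp_recipient(msg):
    """Envelope-To: if present, else the first usable Received: 'for' field."""
    env = msg.get("Envelope-To")
    if env:
        return env.strip().strip("<>").lower()
    for hdr in msg.get_all("Received", []):      # topmost (newest) first
        flat = " ".join(hdr.split())             # unfold continuation lines
        by = BY_RE.search(flat)
        if by and any(h in by.group(1).lower() for h in IGNORE_RECEIVER):
            continue                             # masked-out receiver
        m = FOR_RE.search(flat)
        if m:
            return m.group(1).lower()
    return None

def in_alias(rcpt):
    # Assumed matching: an entry matches as an address prefix, or as the
    # tail of a hyphen-tagged address such as 'aol-sub@example.org'.
    return any(rcpt.startswith(a) or ("-" + a) in rcpt for a in ALIAS)

def verdict(raw, action="Defer"):
    rcpt = smtp_recipient(message_from_string(raw))
    if rcpt is None or in_alias(rcpt):
        return "Keep"     # never judge on To: alone (mailing-list mail)
    return action         # "Defer" while tuning, "Delete" once trusted

# Constructed sample messages.
LIST_MAIL = (
    "Received: from relay.example.net by mx.hoster.example with ESMTP\n"
    "\tfor <u12345@hoster.example>; Mon, 7 Apr 2008 10:00:02 +0100\n"
    "Received: from lists.example.net by mail.example.org with ESMTP\n"
    "\tfor <plutousers-sub@example.org>; Mon, 7 Apr 2008 10:00:01 +0100\n"
    "To: pluto-list@lists.example.net\nSubject: digest\n\nbody\n")
SPAM = ("Envelope-To: qzx81@example.org\nTo: qzx81@example.org\n"
        "Subject: offer\n\nbody\n")

if __name__ == "__main__":
    print(verdict(LIST_MAIL), verdict(SPAM), verdict(SPAM, "Delete"))
```

With IGNORE_RECEIVER emptied, the list message resolves to the hoster's subscriber address in the top Received: header and is deferred, which is the failure the Ignore Receiver setting is there to prevent.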