[antispam-f] Re: New spam technique

  • From: Harriet Bazley <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
  • To: antispam@xxxxxxxxxxxxx
  • Date: Wed, 04 Oct 2006 23:59:35 +0100

On 4 Oct 2006 as I do recall,
          Steven Pampling wrote:

> On 04 Oct, Harriet Bazley <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > A new type of spam is making its way past Antispam - and past
> > Spamstamp's subsequent filtering - by posing as mailing list traffic:
> 
> [Snip]
> 
> > I assume this is a mailing list that doesn't even *exist*;  it's
> > certainly not one I'm subscribed to!
> 
> Doesn't really matter. If you use mainly whitelists and all the mailing
> lists tend to have a subject line with a particular marker (like
> [antispam-f] in this case) so doing an accept on that normally works.

I've always used
Accept List-Id: = **
Accept Mailing-List: = **
in order to save having twenty or so separate rules (and having to
remember to add a new one if I subscribe to a new group), but clearly
they've cottoned onto this technique.   :-(

> 
> All other traffic set to DEFER and use the marking facility - not had
> *anything* get past that in I don't know how long.

I've got it set to header anything over 5000 bytes, on the grounds that
for e-mail under this size, it's actually slower to download the header
twice than to download the whole thing by default and then discard it -
and more work for me to mark them than it's worth (if Spamstamp gets
them then I don't have to read their revolting little subject lines).
So I suppose the fact that I'm getting a dozen or so small spams
slipping through the net every day this week isn't actually costing me
very much in download time.   :-)


One thing I have just noticed is that all these fake mailing list spams
have the string "Apple Message framework" in their Mime-Version header,
and a header "Received-SPF: pass (<domain>: local policy)" which normal
messages don't seem to have;  I don't get a lot of e-mail from Mac users
to check against.   How common are these headers?   I can't find any in
any of my mailing lists with a Mime-Version of anything other than
"1.0"....

-- 
Harriet Bazley                     ==  Loyaulte me lie ==

No man has a right to live - but every man has a duty to save him if he can
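
Added example, not part of the original post: a Python sketch of the filtering problem discussed above, in which a wildcard accept on List-Id lets through any message that forges the header, while an allowlist of subscribed lists does not. The two header patterns reported in the post are used only as supporting signals. The names `KNOWN_LISTS`, `list_id` and `classify`, the verdict strings and all three sample messages are constructed for illustration and are not Antispam rule syntax.

```python
from email import message_from_string

# Assumption: identifiers of lists the user really subscribes to (constructed).
KNOWN_LISTS = {"antispam-f.lists.example.org"}

# Constructed sample messages, not real traffic.
GENUINE = ("From: a@example.org\n"
           "List-Id: antispam-f <antispam-f.lists.example.org>\n"
           "Mime-Version: 1.0\nSubject: [antispam-f] test\n\nbody\n")
FORGED = ("From: b@example.net\nList-Id: <offers.example.com>\n"
          "Mime-Version: 1.0 (Apple Message framework v000)\n"
          "Received-SPF: pass (example.com: local policy)\n"
          "Subject: hello\n\nbody\n")
MAC_USER = ("From: c@example.org\n"
            "Mime-Version: 1.0 (Apple Message framework v000)\n"
            "Subject: lunch?\n\nbody\n")

def list_id(msg):
    """Return the bare identifier from List-Id: 'Name <id>' -> 'id'."""
    raw = msg.get("List-Id", "")
    if "<" in raw and ">" in raw:
        raw = raw[raw.rfind("<") + 1:raw.rfind(">")]
    return raw.strip().lower()

def classify(raw_message):
    """Return (verdict, reasons) from one message's headers."""
    msg = message_from_string(raw_message)
    claims_list = "List-Id" in msg or "Mailing-List" in msg
    # Accept only lists we know, instead of any value ("**") in the header.
    if claims_list and list_id(msg) in KNOWN_LISTS:
        return "accept", ["List-Id matches a subscribed list"]
    reasons = []
    if claims_list:
        reasons.append("list header present, list not subscribed")
    # Signals reported in the post; on their own they decide nothing.
    if "apple message framework" in msg.get("Mime-Version", "").lower():
        reasons.append("Mime-Version mentions Apple Message framework")
    if any("local policy" in v.lower()
           for v in msg.get_all("Received-SPF", [])):
        reasons.append("Received-SPF pass with 'local policy'")
    # Flag only when a forged-looking list header is backed by another signal.
    if claims_list and len(reasons) >= 2:
        return "flag", reasons
    return "defer", reasons

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED),
                      ("mac user", MAC_USER)):
        print(name, classify(raw))
```

A message with no list header at all is never flagged here, so ordinary mail that happens to carry one of the two supporting signals is only deferred.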
