On 03 Dec, Dave Barnett <as10@xxxxxxxxxxxxxxxxx> wrote: > Makes it difficult to keep rules current. Test out a use of Received: = *( unknown * I have it running at the moment. The security firms label this one "SpamThru" Works off a botnet, one control PC, a number of template PC's and up to 500 sending PC's. It kills all other trojans and virus infections by using a modified version of the Kaspersky AV to make sure it has sole access to the CPU time on the PC. Use the rule as a Header version and check the collected header items to see what I mean about the unknown status. -- Steve Pampling