From: ".rp"
To: bogofilter@bogofilter.org
Date: Wed, 07 May 2008 14:58:34 -0700
Subject: possible idea for backscatter problem

One of the users (actually the boss) had the email address harvested and we got clobbered by backscatter.
Looking at the emails of the various 'unable to deliver' type messages, I saw what these could be filtered on, but don't know how to write up and implement the rule outside of procmail. I don't want to use procmail for this since I think it would be an expensive routine for procmail to run.

In the body of the 'unable to deliver' message, the original message is quoted. One of the lines quoted is the Message-ID: header from the original. The format of this line is always wrong as it does not contain the FQDN that our server appends to the end of the hash number, following the '@' symbol.

So, need a rule that would parse the "Message-ID:" in the body (or attachment) and not header, and look for the @FQDN.

Is this rule already out in the wild?

-p
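The check described in the message above, sketched in Python as an added example (not code from the original post, and not an existing SpamAssassin or bogofilter rule). It looks for a Message-ID quoted in the bounce body or carried in an attached original, ignores the bounce's own header, and compares the part after '@' with the server's FQDN. The function names, the sample bounces and `mail.example.com` are assumptions, as is the poster's premise that every legitimate outgoing message gets its Message-ID from that server.

```python
import email
import re

# "Message-ID:" line inside bounce text, optionally "> "-quoted.
QUOTED_MSGID = re.compile(r"^[>\s]*Message-ID:\s*<([^<>\s]+)>", re.I | re.M)

def quoted_message_ids(raw):
    """Message-IDs quoted or attached inside a bounce, never its own header."""
    msg = email.message_from_string(raw)
    ids = []
    for part in msg.walk():
        # An attached original (message/rfc822) parses as a nested message.
        if part is not msg and part["Message-ID"]:
            ids.append(part["Message-ID"].strip().strip("<>"))
        if not part.is_multipart():
            text = part.get_payload(decode=True).decode("latin-1")
            ids.extend(QUOTED_MSGID.findall(text))
    return ids

def classify_bounce(raw, our_fqdn):
    """'ours', 'forged' (no quoted ID ends in @our_fqdn) or 'unknown'."""
    ids = quoted_message_ids(raw)
    if not ids:
        return "unknown"
    suffix = "@" + our_fqdn.lower()
    return "ours" if any(i.lower().endswith(suffix) for i in ids) else "forged"

# Constructed samples; mail.example.com stands in for the server's FQDN.
FORGED = """\
From: MAILER-DAEMON@example.org
Message-ID: <bounce-2@example.org>

Unable to deliver your message. A copy follows.

> Message-ID: <000901c8b08a$5f3e@dsl-host-17>
"""
OURS = """\
From: MAILER-DAEMON@example.net
Message-ID: <bounce-1@example.net>
Content-Type: multipart/report; boundary="b1"

--b1
Content-Type: message/rfc822

Message-ID: <20080507.0001@mail.example.com>

hi
--b1--
"""
```

A bounce that quotes no Message-ID at all comes back as 'unknown', so it can be scored separately instead of being treated as backscatter.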