Anyone have a rule to detect the following nonsense headers seen in this message I got?

Return-Path: <cow...@uakron.edu>
Received: from cp24.deluxehosting.com (cp24.deluxehosting.com [207.55.244.13])
	by mail (envelope-sender <cow...@uakron.edu>) (MIMEDefang) with ESMTP id 23C2ch8H717309
	for <xy...@redfish-solutions.com>; Mon, 11 Apr 2022 20:38:50 -0600
To: "xy...@redfish-solutions.com" <xy...@redfish-solutions.com>
From: "Nabil, Home Depot" <cow...@uakron.edu>
Message-ID: <35ee7c.8b8cf6.a...@uakron.edu>
Date: Mon, 11 Apr 2022 22:38:48 +0000 (UTC)
Minicomputers-Exhume: sides
Subject: Nabil, 1 searches this week
Malthus-Films: 88976dea
List-Unsubscribe: <https://uakron.edu/?e=d567f7ae55e4&t=lun&midToken=39e56a34&ek=email_notification_single_search_appearance_01&li=7&m=unsub&ts=unsub&loid=cd5be889cc8fde15c6d1ebf62c92cc37375723f3fea3ce35af8da>
Parasitic-Homogeneity: db5da28ba3e69a
MIME-Version: 1.0
Capitalizations-Grievously: oilers
Content-type: multipart/mixed; boundary="----------=_1649731129-716331-86"

Obviously, the following bogus header names are present:

  Minicomputers-Exhume
  Malthus-Films
  Parasitic-Homogeneity
  Capitalizations-Grievously

The list of legitimate headers is quite small, per RFC-2822 Section 3.6 and 3.6.7 (odd that 3.6.8 doesn't call out the X-* requirement).

I'd like to fingerprint messages based on non-standard header names. Has anyone undertaken this already?

I tried playing with:

header __L_NON_STD_HEADERS ALL !~ /^(Return-Path|Received|Resent-Date|Resent-From|Resent-Sender|Resent-To|Resent-Cc|Resent-Bcc|Resent-Message-ID|Date|From|Sender|Reply-To|To|Cc|Bcc|Message-ID|In-Reply-To|References|Subject|Comments|Keywords|Content-Type|Content-Transfer-Encoding|MIME-Version|DKIM-Signature|X-([A-Z][a-z]+(-[A-Z][a-z]*)*))\:/m

But that will only match if *none* of the headers are standard ones, so that won't work... I really need to examine the headers one-by-one.

Thanks,

-Philip
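
Added example, not part of the original post: a per-header check in Python, run outside SpamAssassin, that parses a message and tests each header name on its own against the allow-list from the rule above. The List-Unsubscribe entry in the allow-list, the threshold policy in is_suspicious, and the sample message with its placeholder hosts and addresses are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Names from the rule in the post; List-Unsubscribe is added as an assumption,
# since the post does not list it among the bogus headers.
ALLOWED = {name.lower() for name in """
    Return-Path Received Resent-Date Resent-From Resent-Sender Resent-To
    Resent-Cc Resent-Bcc Resent-Message-ID Date From Sender Reply-To To Cc Bcc
    Message-ID In-Reply-To References Subject Comments Keywords Content-Type
    Content-Transfer-Encoding MIME-Version DKIM-Signature List-Unsubscribe
""".split()}

# Same X-* shape as the regex in the post.
X_HEADER = re.compile(r"X-([A-Z][a-z]+(-[A-Z][a-z]*)*)")

def nonstandard_headers(raw_message):
    """Return, in order, header names that are neither allowed nor X-*."""
    msg = message_from_string(raw_message)
    unknown = []
    for name in msg.keys():  # one name per header; folded lines are joined
        if name.lower() in ALLOWED or X_HEADER.fullmatch(name):
            continue
        unknown.append(name)
    return unknown

def is_suspicious(raw_message, threshold=2):
    """Hypothetical policy: flag when at least `threshold` names are unknown."""
    return len(nonstandard_headers(raw_message)) >= threshold

# Constructed sample modelled on the post; hosts and addresses are placeholders.
SAMPLE = """\
Received: from host.example.net (host.example.net [192.0.2.13])
 by mail with ESMTP id PLACEHOLDER; Mon, 11 Apr 2022 20:38:50 -0600
From: "Nabil, Home Depot" <sender@example.edu>
Date: Mon, 11 Apr 2022 22:38:48 +0000 (UTC)
Minicomputers-Exhume: sides
Subject: Nabil, 1 searches this week
Malthus-Films: 88976dea
Parasitic-Homogeneity: db5da28ba3e69a
MIME-Version: 1.0
Capitalizations-Grievously: oilers
Content-type: text/plain
X-Mailer: constructed

body
"""
```

Because each name is tested separately, one unknown header is enough to be reported even when every other header is standard, which is the behaviour the single ALL regex could not give.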