Anyone have a rule to detect the following nonsense headers seen in this
message I got?
Return-Path: <cow...@uakron.edu>
Received: from cp24.deluxehosting.com (cp24.deluxehosting.com [207.55.244.13])
by mail (envelope-sender <cow...@uakron.edu>) (MIMEDefang) with ESMTP
id 23C2ch8H717309
for <xy...@redfish-solutions.com>; Mon, 11 Apr 2022 20:38:50 -0600
To: "xy...@redfish-solutions.com" <xy...@redfish-solutions.com>
From: "Nabil, Home Depot" <cow...@uakron.edu>
Message-ID: <35ee7c.8b8cf6.a...@uakron.edu>
Date: Mon, 11 Apr 2022 22:38:48 +0000 (UTC)
Minicomputers-Exhume: sides
Subject: Nabil, 1 searches this week
Malthus-Films: 88976dea
List-Unsubscribe:
<https://uakron.edu/?e=d567f7ae55e4&t=lun&midToken=39e56a34&ek=email_notification_single_search_appearance_01&li=7&m=unsub&ts=unsub&loid=cd5be889cc8fde15c6d1ebf62c92cc37375723f3fea3ce35af8da>
Parasitic-Homogeneity: db5da28ba3e69a
MIME-Version: 1.0
Capitalizations-Grievously: oilers
Content-type: multipart/mixed; boundary="----------=_1649731129-716331-86"
Obviously, the following bogus header names are present:
Minicomputers-Exhume
Malthus-Films
Parasitic-Homogeneity
Capitalizations-Grievously
The list of legitimate headers is quite small, per RFC-2822 Section 3.6 and
3.6.7 (odd that 3.6.8 doesn't call out the X-* requirement).
I'd like to fingerprint messages based on non-standard header names.
Has anyone undertaken this already? I tried playing with:
header __L_NON_STD_HEADERS ALL !~
/^(Return-Path|Received|Resent-Date|Resent-From|Resent-Sender|Resent-To|Resent-Cc|Resent-Bcc|Resent-Message-ID|Date|From|Sender|Reply-To|To|Cc|Bcc|Message-ID|In-Reply-To|References|Subject|Comments|Keywords|Content-Type|Content-Transfer-Encoding|MIME-Version|DKIM-Signature|X-([A-Z][a-z]+(-[A-Z][a-z]*)*))\:/m
But that will only match if *none* of the headers are standard ones, so that
won't work... I really need to examine the headers one-by-one.
Thanks,
-Philip
