> On May 11, 2022, at 9:24 AM, John Hardin <jhar...@impsec.org> wrote:
>
> On Tue, 10 May 2022, Philip Prindeville wrote:
>
>> Anyone have a rule to detect the following nonsense headers seen in this
>> message I got?
>>
>> Return-Path: <cow...@uakron.edu>
>> Received: from cp24.deluxehosting.com (cp24.deluxehosting.com
>> [207.55.244.13])
>> by mail (envelope-sender <cow...@uakron.edu>) (MIMEDefang) with ESMTP
>> id 23C2ch8H717309
>> for <xy...@redfish-solutions.com>; Mon, 11 Apr 2022 20:38:50 -0600
>> To: "xy...@redfish-solutions.com" <xy...@redfish-solutions.com>
>> From: "Nabil, Home Depot" <cow...@uakron.edu>
>> Message-ID: <35ee7c.8b8cf6.a...@uakron.edu>
>> Date: Mon, 11 Apr 2022 22:38:48 +0000 (UTC)
>> Minicomputers-Exhume: sides
>> Subject: Nabil, 1 searches this week
>> Malthus-Films: 88976dea
>> List-Unsubscribe:
>> <https://uakron.edu/?e=d567f7ae55e4&t=lun&midToken=39e56a34&ek=email_notification_single_search_appearance_01&li=7&m=unsub&ts=unsub&loid=cd5be889cc8fde15c6d1ebf62c92cc37375723f3fea3ce35af8da>
>> Parasitic-Homogeneity: db5da28ba3e69a
>> MIME-Version: 1.0
>> Capitalizations-Grievously: oilers
>> Content-type: multipart/mixed; boundary="----------=_1649731129-716331-86"
>>
>> Obviously, the following bogus header names are present:
>>
>> Minicomputers-Exhume
>> Malthus-Films
>> Parasitic-Homogeneity
>> Capitalizations-Grievously
>
> Take a look at __RAND_HEADER and RAND_HEADER_MANY
>
>
For my test messages, __RAND_HEADER_MANY isn't firing.
Also, Return-Path: is listed in RFC-2822, and many delivering (terminal) MTA's
add it, including Sendmail.
-Philip
