On Thu, 2009-08-20 at 18:51 +0200, Marc Muñoz Salvador wrote:
> Following Martin Hepworth's instructions, I've pasted source of two
> e-mails:
>

The two I looked at in any detail made it obvious the From: address was forged because it didn't agree with the earliest Received: header: not even the TLDs were the same. I can't tell if yours are the same because you've removed those headers.

A rule or plugin that compared that pair of addresses might help (it might be generally useful as well as helping to recognise this type of spam) but I'm probably not good enough with regexes (or plugins) to write it.

Martin
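
The comparison suggested in the message above, sketched as an added example (not part of the original thread, and not a SpamAssassin rule or plugin): it compares the TLD of the From: address with the TLD of the host named in the earliest Received: header. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Host named after "from" at the start of a Received: header value.
_RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

def tld(host):
    """Last DNS label of host, lower-cased; '' for bare names and IP literals."""
    host = host.strip().strip("[]").rstrip(".").lower()
    if "." not in host or re.fullmatch(r"[0-9.]+", host):
        return ""
    return host.rsplit(".", 1)[1]

def earliest_received_host(msg):
    """Each hop prepends its Received: header, so the last one is the earliest."""
    for value in reversed(msg.get_all("Received", [])):
        m = _RECEIVED_FROM.match(value)
        if m:  # skip hops recorded without a "from" clause
            return m.group(1)
    return None

def from_vs_received(raw):
    """Return (from_tld, received_tld, mismatch); mismatch is None if undecidable."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    from_tld = tld(addr.rpartition("@")[2]) if "@" in addr else ""
    recv_tld = tld(earliest_received_host(msg) or "")
    if not from_tld or not recv_tld:
        return from_tld, recv_tld, None
    return from_tld, recv_tld, from_tld != recv_tld

# Constructed sample messages (reserved example domains and documentation IPs).
FORGED = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by mail.example.org with ESMTP; Thu, 20 Aug 2009 18:40:02 +0200
Received: from relay7.example.net (unknown [198.51.100.23])
 by mx.example.org with SMTP; Thu, 20 Aug 2009 18:40:00 +0200
From: "Accounts" <billing@example.com>
Subject: constructed sample

body
"""
CONSISTENT = FORGED.replace("relay7.example.net", "out.example.com")
STRIPPED = "From: billing@example.com\nSubject: headers removed\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("consistent", CONSISTENT), ("stripped", STRIPPED)):
        print(name, from_vs_received(raw))
```

A mismatch is a scoring signal rather than proof of forgery, since list servers and third-party senders legitimately relay mail for other domains.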