On Fri, 30 Aug 2013 10:45:23 +0100
Martin Gregorie wrote:

> On Thu, 2013-08-29 at 05:42 -0700, Neil Schwartzman wrote:
> > On Aug 29, 2013, at 4:40 AM, RW <rwmailli...@googlemail.com> wrote:
> >
> > > On Thu, 29 Aug 2013 00:55:29 +0200
> > > Michael Schaap wrote:
> > >> The "From:" header is at linkedin dot com, but the envelope
> > >> sender is a random address
> > >
> > > I'm guessing that legitimate linkedin mail has something other
> > > than a random address in its envelope sender.
> >
> >
> > no need to guess
> >
> The headers you've sent don't contain an envelope sender (the "From"
> header) or a "From:" header.

Actually there is a Return-Path. And the OP said that there is a From.

> What is the domain name in the "Message-ID:" header of a genuine
> LinkedIn message? Another possibility would be to reject anything that
> claims to be "From:" LinkedIn but doesn't have the appropriate domain
> name in its message id.

I was thinking of just the header and the envelope, but it wouldn't hurt
to add the message-id as well:

header __LINKEDIN_HEADFROM From:addr =~ /\@.*linkedin/i
header __LINKEDIN_ENVFROM EnvelopeFrom =~ /linkedin/i
header __LINKEDIN_MSGID Message-Id =~ /linkedin/i
meta LINKEDIN_FAKED __LINKEDIN_HEADFROM && ! ( __LINKEDIN_ENVFROM || __LINKEDIN_MSGID )
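
The meta rule above, evaluated in Python over constructed messages, to show which header combinations make it fire. This is an added example, not part of the original post. It assumes the envelope sender was recorded in Return-Path; the function names and the .example domains are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Same patterns as the three sub-rules in the post.
HEADFROM = re.compile(r"@.*linkedin", re.I)   # __LINKEDIN_HEADFROM
ENVFROM = re.compile(r"linkedin", re.I)       # __LINKEDIN_ENVFROM
MSGID = re.compile(r"linkedin", re.I)         # __LINKEDIN_MSGID

def linkedin_faked(raw):
    """Return True when the LINKEDIN_FAKED meta expression would be true."""
    msg = message_from_string(raw)
    # From:addr looks only at the address, never at the display name.
    from_addr = parseaddr(msg.get("From", ""))[1]
    # Assumption: the receiving MTA wrote the envelope sender to Return-Path.
    env_from = parseaddr(msg.get("Return-Path", ""))[1]
    msg_id = msg.get("Message-ID", "")
    head = bool(HEADFROM.search(from_addr))
    env = bool(ENVFROM.search(env_from))
    mid = bool(MSGID.search(msg_id))
    return head and not (env or mid)

def sample(return_path, from_hdr, msg_id):
    """Build a constructed test message (not real mail)."""
    return (f"Return-Path: <{return_path}>\n"
            f"From: {from_hdr}\n"
            f"Message-ID: <{msg_id}>\n"
            "Subject: Invitation to connect\n\nbody\n")

# Constructed samples covering each branch of the meta expression.
GENUINE = sample("bounce-1@bounce.linkedin.example",
                 "LinkedIn <member@linkedin.example>",
                 "abc@mail.linkedin.example")
FAKED = sample("x9f3@random.example",
               "LinkedIn <member@linkedin.example>",
               "1234@random.example")
# Brand only in the display name: From:addr does not match, rule stays silent.
DISPLAY_ONLY = sample("x9f3@random.example",
                      "LinkedIn <news@other.example>",
                      "1234@random.example")
# Either the envelope or the Message-ID matching is enough to suppress the rule.
MSGID_ONLY = sample("x9f3@random.example",
                    "LinkedIn <member@linkedin.example>",
                    "1234@mail.linkedin.example")

if __name__ == "__main__":
    for name in ("GENUINE", "FAKED", "DISPLAY_ONLY", "MSGID_ONLY"):
        print(name, linkedin_faked(globals()[name]))
```

Because the envelope and Message-ID tests are combined with ||, a message is cleared as soon as either one contains the string, and mail that carries the brand only in the display name is out of scope for this rule.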