I've recently been getting spam with multiple 'To' addresses that include both my regular, published address and another address assigned by my ISP than I have never publicised and that should never appear in the same To header as the ISP-assigned address. So, I wrote a rule that adds points if both addresses appear in a 'To' header.
However, this rule also fires whenever my published address is in the 'To' header and the unpublished address is used in 'Delivered-to' and 'X-original-to' headers generated internally by my ISP. So, I have two questions: 1) is there a document anywhere that lists the headers that are treated as if they are 'To' headers even though they have different names? 2) is there any way to restrict queries like mine to fire on 'To' headers alone, i.e. would writing 'To:address =~ /blah/' rather than 'To =~ /blah/' restrict the rule to just looking at 'To' headers? Martin
