Jeff Koch wrote:

>
> One of the problems is that the actual spam email is sometimes not
> attached. But interestingly enough we are usually sent the email header of
> the original email. From that we (the humans) can easily spot that the IP
> address of the mailserver claiming to be ours is, in fact, not. So, if
> that line in the returned email header can be parsed perhaps a program
> can validate the IP address.



It sounds like you could get that with a 'body' rule.

Check the precise format, but if you have something like this in the
original header, with your host's name...

(hostname.example.com [11.22.33.44])

...and that's not the right IP, that would be a good test. I realize
you're thinking of generalizing to any case where an apparent hostname
stands next to an apparent IP in text, but if you have a specific
problem it's OK to be specific.

Joseph Brennan
Columbia University Information Technology
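
The check discussed in this thread, as an added example that is not part of either original message: it scans the text of a returned message for "(host [ip])" pairs and reports those where one of our own hostnames stands next to an address that is not ours. The hostname and address table reuses the placeholders from the reply above; the function name, the IPv6 handling and the sample bounces are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: our real mail hosts and the addresses they legitimately send from.
# hostname.example.com / 11.22.33.44 are the placeholders used in the message.
OUR_HOSTS = {
    "hostname.example.com": {ipaddress.ip_address("11.22.33.44")},
}

# Matches "(host [ip])" as it appears in a Received: line quoted in a bounce.
# Some MTAs write IPv6 as [IPv6:2001:db8::1], so that prefix is optional.
HOST_IP = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")


def forged_claims(body):
    """Return (hostname, ip) pairs where one of our names sits next to an IP that is not ours."""
    hits = []
    for host, raw_ip in HOST_IP.findall(body):
        name = host.lower().rstrip(".")
        known = OUR_HOSTS.get(name)
        if known is None:
            continue  # not one of our names; out of scope for this test
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # bracketed text that is not an address
        if ip not in known:
            hits.append((name, str(ip)))
    return hits


# Constructed sample bounce bodies (documentation addresses, not real mail).
FORGED_BOUNCE = """\
Your message could not be delivered. Original headers follow:
Received: from hostname.example.com (hostname.example.com [203.0.113.77])
    by mx.recipient.example with ESMTP; Mon, 1 Jan 2007 00:00:00 +0000
"""
GENUINE_BOUNCE = """\
Received: from hostname.example.com (HOSTNAME.example.com [11.22.33.44])
    by mx.recipient.example with ESMTP; Mon, 1 Jan 2007 00:00:00 +0000
"""

if __name__ == "__main__":
    print(forged_claims(FORGED_BOUNCE))
    print(forged_claims(GENUINE_BOUNCE))
```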