Joseph Brennan wrote:
> Jeff Koch wrote:
> > One of the problems is that the actual spam email is sometimes not
> > attached. But interestly enough we are usually sent the email header of
> > the original email. From that we (the humans) can easily spot that the IP
> > address of the mailserver claiming to be ours is, in fact, not. So, if
> > that line in the returned email header can be parsed perhaps a program
> > can validate the IP address.

> Check the precise format, but if you have something like this in the
> original header, with your host's name...
> ( [])
> ...and that's not the right IP, that would be a good test.
> It sounds like you could get that with a 'body' rule.

A 'body' rule does not see a header section of an attached mail,
a 'full' rule is needed, as pointed out elsewhere
(but the 'full' rule sees a main header section too).