To catch mail to self could be an overkill as someone could copy mail to self (multiple addresses in "To:") when people tend not to manage "Sent" box these days. I was thinking a recipe to parse out the 2 parts in "From:" line: "joe@mysite.org" <extusr@water.ne.jp> which obviously is not legitimate. That's why I mentioned using 'formail'.. Zhiliang On Tue, 17 Nov 2020, Vlado Keselj wrote:

Date: Tue, 17 Nov 2020 08:36:08 -0400 (AST) From: Vlado Keselj <vlado@dnlp.ca> To: Zhiliang Hu <hu@animalgenome.org> Cc: procmail@lists.rwth-aachen.de Subject: Re: filter based on "From: " content

Are you saying that something like

:0 * ^From:.*joe@mysite.org * ^To:.*joe@mysite.org spam

would not work?

On Mon, 16 Nov 2020, Zhiliang Hu wrote:

...

Recently I get lots spam mails typically with faked "From:" and "To:" like

From: "joe@mysite.org" <extusr@water.ne.jp> To: joe@mysite.org

where "joe@mysite.org" is our local user. My problem with procmailrc approach is that 'formail' extraction will largely leave out the "joe@mysite.org" part in the "From:" line. Before I may attempt an external script to do the catch, I wonder is there already, or possibly some simple filter to catch these within procmailrc?

Zhiliang ____________________________________________________________ procmail mailing list -- procmail@lists.rwth-aachen.de Procmail homepage: http://www.procmail.org/ To unsubscribe send an email to procmail-leave@lists.rwth-aachen.de https://lists.rwth-aachen.de/postorius/lists/procmail.lists.rwth-aachen.de