I'm trying to come up with a general purpose rule to deal with the 419'ers hiding behind Google mail. Below are the headers from a typical Google spam:
Return-path: <johnbasil005@torba.com>
Received: from ag-out-0708.google.com (72.14.246.240) by BKBUSA.COM (Mercury/32 v4.62) with ESMTP ID MG0000AD;
9 Jul 2008 11:03:03 -0400
Received: by ag-out-0708.google.com with SMTP id 22so18158421agd.8
for <gfy@bkbusa.com>; Wed, 09 Jul 2008 08:02:52 -0700 (PDT)
Received: by 10.90.94.2 with SMTP id r2mr8651250agb.46.1215615772424;
Wed, 09 Jul 2008 08:02:52 -0700 (PDT)
Received: by 10.90.25.20 with HTTP; Wed, 9 Jul 2008 08:02:52 -0700 (PDT)
Message-ID: <705bb4920807090802u3854eabfq7c4135588e2cf71f@mail.gmail.com>
Date: Wed, 9 Jul 2008 17:02:52 +0200
From: "john basil" <johnbasil005@torba.com>
Subject: I HAVE RESGISTERED YOUR CERTIFIED CONSIGNMENT WITH IMPEX
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_7012_2690575.1215615772418"
X-Blocked: BOFH
X-CC-Diagnostic: Body contains "Africa" (40)
X-PMFLAGS: 570950016 0 1 6C60F058.CNM
What I have in mind is a rule that checks for the presence of a Google mail server, i.e. "Received: from ag-out-0708.google.com", and has a return address, i.e. "Return-path: <johnbasil005@torba.com>", other than a @gmail.com address.
Has anyone written a rule similar to this? What works for you, other than blocking Google mail outright?
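As an added example (not from the original post, and not Mercury content-control syntax), here is the rule described above expressed as a small Python header check, run offline against a constructed copy of the quoted headers: flag a message when a Received header shows a hop from a *.google.com host and the Return-path (envelope sender) is not a Gmail address. One caveat worth building in: Google also relays mail for hosted domains whose users legitimately send from google.com servers with their own domain as envelope sender, so the function takes an allowlist of such domains; the allowlist contents and the "example.net" relay in the control sample are assumptions for the demo.

```python
"""Added example: Google-relay / non-Gmail envelope sender rule (not from the post)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post; continuation
# lines are folded with leading whitespace as they would be on the wire.
SAMPLE_419 = """\
Return-path: <johnbasil005@torba.com>
Received: from ag-out-0708.google.com (72.14.246.240) by BKBUSA.COM (Mercury/32 v4.62) with ESMTP ID MG0000AD;
    9 Jul 2008 11:03:03 -0400
Received: by ag-out-0708.google.com with SMTP id 22so18158421agd.8
    for <gfy@bkbusa.com>; Wed, 09 Jul 2008 08:02:52 -0700 (PDT)
Received: by 10.90.25.20 with HTTP; Wed, 9 Jul 2008 08:02:52 -0700 (PDT)
From: "john basil" <johnbasil005@torba.com>
Subject: I HAVE RESGISTERED YOUR CERTIFIED CONSIGNMENT WITH IMPEX

(body omitted)
"""

# Constructed control samples: same message with a Gmail envelope sender, and
# the same message relayed through a non-Google host (hostname is assumed).
SAMPLE_GMAIL = SAMPLE_419.replace("johnbasil005@torba.com", "someone@gmail.com")
SAMPLE_OTHER_RELAY = SAMPLE_419.replace("ag-out-0708.google.com", "mx.example.net")

# A hop that arrived *from* a Google outbound host, e.g. "from ag-out-0708.google.com (...)".
GOOGLE_RELAY = re.compile(r"^from\s+\S+\.google\.com\b", re.IGNORECASE)
# Envelope domains Google's own webmail users send as.
GOOGLE_SENDER_DOMAINS = ("gmail.com", "googlemail.com")


def relayed_via_google(msg):
    """True if any Received header records a hop from a *.google.com server."""
    for hop in msg.get_all("Received", []):
        if GOOGLE_RELAY.match(hop.strip()):
            return True
    return False


def envelope_domain(msg):
    """Domain of the Return-path address ('' if missing or a null sender)."""
    addr = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return addr.rpartition("@")[2]


def is_suspect_google_relay(raw_message, allowlist=()):
    """The rule from the post: Google relay plus a non-Gmail envelope sender.

    `allowlist` holds hosted domains known to send legitimately through
    Google with their own domain, so they are not flagged.
    """
    msg = message_from_string(raw_message)
    if not relayed_via_google(msg):
        return False
    domain = envelope_domain(msg)
    if not domain:
        # Null sender (bounce) or no Return-path: leave that to other rules.
        return False
    allowed = {d.lower() for d in allowlist}
    return domain not in GOOGLE_SENDER_DOMAINS and domain not in allowed


if __name__ == "__main__":
    for name, raw in (("419 sample", SAMPLE_419),
                      ("gmail sender", SAMPLE_GMAIL),
                      ("other relay", SAMPLE_OTHER_RELAY)):
        print(f"{name}: suspect={is_suspect_google_relay(raw)}")
    # Assumed hosted domain on the allowlist: same message is no longer flagged.
    print("allowlisted:", is_suspect_google_relay(SAMPLE_419, allowlist=("torba.com",)))
```

The check is keyed on Return-path rather than From because Mercury writes Return-path from the SMTP envelope it actually received, whereas From is free text inside the message. Run the block to see the three verdicts and the allowlist effect.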