
[vps-mail] Filtering catch-all's misses



I set my email to specify valid email addresses and everything else goes to
the catch-all which is trash (aliased to dev/null). I still get occasional
emails to non-existent email addresses such as from the headers below for
aow@xxxxxxxxxxxxxxxx (which has never been a valid address). 

I was told that some crafty spammers can forge the headers to hide which
email address it is going to. So I set a Procmail rule to get rid of all
such spams. It came after my white & black list and gave 2 points to
blarneystone and subtracted 3 points for any of my defined addresses. So
anything with 2 points to blarneystone but nothing else went directly to
spam as shown here:

 :0:
 * 2^0 ^TOblarneystone\.com
 * -3^0 ^TOjimsmith@xxxxxxxxxxxxxxxx
 * -3^0 ^TOjsmith@xxxxxxxxxxxxxxxx
          ...snipped out many more...
 * -3^0 ^TOsupport@xxxxxxxxxxxxxxxx
 * -3^0 ^TOmaillists@xxxxxxxxxxxxxxxx
 $HOME/spam

Now that I'm using Bayes, I'd like to somehow turn this into a SA rule so it
tags each of these as spam (right now it sends them directly to spam folder
without running through Bayes).

So, three questions:
1. Is there a test that can be implemented in SA to find emails with forged
To/CC/BCC fields?
or...
2. Can a Procmail action mark up a header like SA does so I can then send it
thru SA with a SA rule to recognize the mark and tag it with a high score?
or...
3. Is there a way to create a rule in SA (with 30 lines of legit email
addresses) to push up the score for the non-recognized ones?

Below is an example of a set of headers in question.

Thanks for any help.

Jim Smith
========================
From   maidawatzkax@xxxxxxxxxx Tue Feb 24 14:29:30 2004 
Return-Path:  <maidawatzkax@xxxxxxxxxx> 
Received:  from DSL217-132-165-189.bb.netvision.net.il
(DSL217-132-165-189.bb.netvision.net.il [217.132.165.189]) by
blarneys.securesites.net (8.12.6p3/8.12.6) with SMTP id i1OESAkB053267; Tue,
24 Feb 2004 14:29:14 GMT (envelope-from maidawatzkax@xxxxxxxxxx) 
To:  aow@xxxxxxxxxxxxxxxx 
Subject:  Dating Online Today "Date Number"6595524 
From:  maidawatzkax@xxxxxxxxxx 
Reply-to:  maidawatzkax@xxxxxxxxxx 
X-Mailer:  PHP/4.1.2 
Date:  Mon, 26 Jan 2004 00:24:48 -0500 (EST) 
Message-ID:  <4507150319003.54DVNULNAT@xxxxxxx> 
Content-Type:  text/plain 
X-ClamAV:  clean 
X-Spam-Score:  6.5 
X-Spam-Flag:  YES 
X-Spam-Checker-Version:  SpamAssassin 2.61 (1.212.2.1-2003-12-09-exp) on
blarneys.securesites.net 
X-Spam-Report:  * 0.2 NO_REAL_NAME From: does not include a real name * 2.1
BAYES_90 BODY: Bayesian spam probability is 90 to 99% * [score: 0.9790] *
2.6 BLANK_LINES_80_90 BODY: Message body has 80-90% blank lines * 1.5
DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date * 0.1
CLICK_BELOW Asks you to click below 
X-Spam-Status:  Yes, hits=6.5 bayes=0.9790 required=4.8 autolearn=no 
X-Spam-Level:  ****** 
Status:  RO 
===========================


======================================================================
This is <vps-mail@xxxxxxxxxxxx>       <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).
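
The check the Procmail recipe in the post performs (our domain appears in To/Cc, but none of the defined addresses does), as an added example that is not part of the original post: a filter that records the verdict in a header, so a later SpamAssassin header rule can score it and the message still goes through Bayes. Assumptions: example.com stands in for the redacted domain, the four local parts are the ones visible in the recipe, and the X-Local-Rcpt header name is hypothetical.

```python
import sys
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "example.com"      # placeholder for the redacted domain
KNOWN = {"jimsmith", "jsmith", "support", "maillists"}  # from the recipe
TAG = "X-Local-Rcpt"              # hypothetical header name

# Constructed sample, modelled on the headers quoted in the post.
SAMPLE = (
    "Return-Path: <sender@spam.invalid>\n"
    "To: aow@example.com\n"
    "Subject: Dating Online Today\n"
    "From: sender@spam.invalid\n"
    "\n"
    "click below\n"
)

def classify(msg):
    """Return 'known', 'unknown' or 'absent' for the To/Cc recipients."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    saw_domain = False
    for _name, addr in getaddresses(fields):
        # getaddresses strips display names and splits address lists
        local, _, domain = addr.lower().rpartition("@")
        if domain != LOCAL_DOMAIN:
            continue
        if local in KNOWN:
            return "known"        # one defined address outweighs the rest
        saw_domain = True
    # 'absent': our domain is not in To/Cc at all (Bcc or list mail),
    # which the recipe's scoring does not send to spam either.
    return "unknown" if saw_domain else "absent"

def verdict(raw):
    """Classify a raw message given as text."""
    return classify(message_from_string(raw))

def tag(raw):
    """Return the message with a trustworthy verdict header added."""
    msg = message_from_string(raw)
    del msg[TAG]                  # drop any copy the sender supplied
    msg[TAG] = classify(msg)
    return msg.as_string()

if __name__ == "__main__":
    # With no input piped in, show the constructed sample instead.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(tag(raw))
```

Run it as a filter ahead of SpamAssassin; only the "unknown" verdict corresponds to what the recipe currently files as spam.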

