On 08-12-17 19:09, AJ Weber wrote:
> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what? Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced. Does anyone have any suggestions to help me out on
> this fine Friday?
Actual Amazon email is always sent with passing SPF, DKIM and DMARC. So you can easily whitelist anything from Amazon based on that, and then subtract some points for everything that has '\bAmazon\b' in the From: name header.

Kind regards,
Tom
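The two-step check Tom describes (trust only mail authenticated as Amazon, then penalise any other message whose From display name claims to be Amazon), written out as an added Python example that is not part of this thread. It assumes a hand-maintained list of Amazon sending domains, an arbitrary penalty value, an Authentication-Results header stamped by your own MX, and adds one check the reply does not spell out: the From address domain must itself be one of the trusted domains (DMARC-style alignment); the sample messages are constructed, not real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of domains Amazon actually sends from; extend per region.
AMAZON_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de"}
NAME_RE = re.compile(r"\bAmazon\b", re.I)   # the From:name pattern from the reply
SPOOF_SCORE = 4.0                           # hypothetical penalty, tune to taste

def auth_passed_for(msg, domains):
    """True if an Authentication-Results header (added by our own MX) records
    dkim=pass with header.d= or dmarc=pass with header.from= in `domains`."""
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.lower().split(";"):
            for d in domains:
                dom = re.escape(d) + r"(\s|$)"
                if "dkim=pass" in clause and re.search(r"header\.d=" + dom, clause):
                    return True
                if "dmarc=pass" in clause and re.search(r"header\.from=" + dom, clause):
                    return True
    return False

def amazon_spoof_score(raw):
    """Points to add for a message whose From display name claims to be Amazon
    but which is not aligned with and authenticated by an Amazon domain."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    if not NAME_RE.search(name):
        return 0.0                      # not claiming to be Amazon at all
    addr_domain = addr.rpartition("@")[2].lower()
    if addr_domain in AMAZON_DOMAINS and auth_passed_for(msg, AMAZON_DOMAINS):
        return 0.0                      # genuine: aligned and authenticated
    return SPOOF_SCORE                  # claims Amazon, cannot prove it

# Constructed sample messages (not real mail).
GENUINE = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazon.com;"
    " dkim=pass header.d=amazon.com; dmarc=pass header.from=amazon.com\n"
    'From: "Amazon.com" <ship-confirm@amazon.com>\n\nYour order shipped.\n'
)
SPOOF = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example.org;"
    " dkim=none\n"
    'From: "Amazon" <no-reply@bulk.example.org>\n\nVerify your account.\n'
)
UNAUTH = 'From: "Amazon" <alerts@amazon.com>\n\nNo Authentication-Results at all.\n'

if __name__ == "__main__":
    for label, m in (("genuine", GENUINE), ("spoof", SPOOF), ("unauth", UNAUTH)):
        print(label, amazon_spoof_score(m))
```

The same logic maps onto mail-filter rules: a whitelist entry keyed on a DKIM pass for the Amazon domains, plus a scored rule on From:name matching the pattern above.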