We are regularly getting phishes from dhl, fedex, usps, amazon, netflix,
spotify that fakes the from (eg. amazon <p...@biggung1892301.com> wants
to send me a amadon-legit.pdf). Usually these are previously unknown to
pyzor, dcc, rbls, and domain reputation doesn't really exist[0].
I'm wondering if anyone has made a rule that looks to see if the From
contains amazon, but it is not amazon.com/.ca/.jp (all their TLDs), then
score them up, if it wants to also drop a psd, or a tar.xz, or a png, or
a pdf or whatever, then light them on fire.
thanks!
--
micah
0. this rule does fire, and is helpful, but not always:
FROM_FMBLA_NEWDOM From domain was registered in last 7 days
