We are regularly getting phishes from dhl, fedex, usps, amazon, netflix, spotify that fake the From (e.g. amazon <p...@biggung1892301.com> wants to send me an amadon-legit.pdf). Usually these are previously unknown to pyzor, dcc, rbls, and domain reputation doesn't really exist[0].

I'm wondering if anyone has made a rule that looks to see if the From contains amazon, but it is not amazon.com/.ca/.jp (all their TLDs), then score them up; if it wants to also drop a psd, or a tar.xz, or a png, or a pdf or whatever, then light them on fire.

thanks!

--
micah

0. this rule does fire, and is helpful, but not always:
FROM_FMBLA_NEWDOM From domain was registered in last 7 days
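
One way to express the check asked about above as a SpamAssassin `local.cf` fragment (an added example, not part of the original post and not a rule shipped with SpamAssassin). The `LOCAL_*` rule names, the scores and the Amazon domain list are assumptions; the allowlist has to be extended to the domains the brand really sends from, and the same pattern repeated per brand.

```conf
# Added example. Rule names, scores and the domain allowlist are assumptions.

# Display-name part of From: (the text outside <...>) mentions the brand.
header   __LOCAL_FROM_NAME_AMAZON  From:name =~ /\bamazon\b/i

# Address part of From: is on an allowlisted Amazon domain or a subdomain of one.
# Anchored at the end so "amazon.com.example.net" does not match.
header   __LOCAL_FROM_ADDR_AMAZON  From:addr =~ /\@(?:[a-z0-9-]+\.)*amazon\.(?:com|ca|co\.jp)$/i

# Brand claimed in the display name, but the sending address is somewhere else.
meta     LOCAL_FROM_SPOOF_AMAZON   (__LOCAL_FROM_NAME_AMAZON && !__LOCAL_FROM_ADDR_AMAZON)
describe LOCAL_FROM_SPOOF_AMAZON   From name says Amazon, address does not
score    LOCAL_FROM_SPOOF_AMAZON   2.0

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
  # A MIME part carrying a file of one of the types named in the post.
  # The filename can appear in either header, so both are checked.
  mimeheader __LOCAL_ATT_CT   Content-Type =~ /\bname\s*=\s*"?[^";]*\.(?:pdf|png|psd|tar\.xz)\b/i
  mimeheader __LOCAL_ATT_CD   Content-Disposition =~ /\bfilename\s*=\s*"?[^";]*\.(?:pdf|png|psd|tar\.xz)\b/i

  # Spoofed brand plus an attachment: scored on top of the rule above.
  meta     LOCAL_FROM_SPOOF_AMAZON_ATT  (LOCAL_FROM_SPOOF_AMAZON && (__LOCAL_ATT_CT || __LOCAL_ATT_CD))
  describe LOCAL_FROM_SPOOF_AMAZON_ATT  Spoofed Amazon From with attachment
  score    LOCAL_FROM_SPOOF_AMAZON_ATT  3.0
endif
```

Run `spamassassin --lint` after adding the fragment, and test against a corpus of legitimate mail first: real notifications sent through third-party mail providers will hit the first rule until their domains are added to the allowlist.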