On Mon, 24 Aug 2020 19:22:27 -0700 (PDT) John Hardin wrote:
> That could be captured by the above whitelist_auth, plus a "from
> name" rule:
>
>    header   FM_NAME_AMAZON  From:name =~ /^amazon(?:.com\b|$)/i
>    score    FM_NAME_AMAZON  10
>
> That's a poison pill by itself, but the whitelist_auth entry would
> override it for genuine Amazon emails.

I do it something like this:

meta WHITELIST_SPOOFED __SHOULD_BE_WHITELISTED && !ANY_WHITELIST

This allowed the default whitelists to cancel the rule without giving them a huge negative score.
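A fuller sketch of the approach in the message above, added here as an example and not taken from either poster's configuration. The definitions of `__SHOULD_BE_WHITELISTED` and `ANY_WHITELIST`, the `whitelist_auth` address and all scores are assumptions; the `USER_IN_*` names are SpamAssassin's stock whitelist rules and need the SPF and DKIM plugins loaded.

```conf
# Added example: definitions and scores below are assumptions,
# not the configuration of either poster.

# Authenticated whitelist entry (assumed form of the "above whitelist_auth").
# It only fires when SPF or DKIM validates the sender domain.
whitelist_auth  *@amazon.com

# Non-scoring sub-rule (double underscore): display name claims to be Amazon.
header  __FM_NAME_AMAZON  From:name =~ /^amazon(?:\.com\b|$)/i

# Every display-name check for a brand that has a whitelist entry is
# OR-ed in here; only one brand is shown.
meta    __SHOULD_BE_WHITELISTED  __FM_NAME_AMAZON

# True when any stock whitelist rule hit, including the default
# (def_whitelist_*) entries shipped with the rule set.
meta      ANY_WHITELIST  (USER_IN_WHITELIST || USER_IN_DEF_WHITELIST || USER_IN_SPF_WHITELIST || USER_IN_DEF_SPF_WL || USER_IN_DKIM_WHITELIST || USER_IN_DEF_DKIM_WL)
describe  ANY_WHITELIST  Sender matched a whitelist entry
# Kept tiny but non-zero: a score of 0 disables a rule, and the meta
# below would then never see it as true.
score     ANY_WHITELIST  -0.001

# Scores only when the name claims a whitelisted brand and no
# whitelist rule confirmed the sender.
meta      WHITELIST_SPOOFED  __SHOULD_BE_WHITELISTED && !ANY_WHITELIST
describe  WHITELIST_SPOOFED  From name claims a whitelisted sender but no whitelist matched
score     WHITELIST_SPOOFED  10
```

Because the spoof check is gated on `!ANY_WHITELIST` instead of being offset by a large negative whitelist score, a genuine message ends up near neutral and is still subject to every other rule.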