On 16 Apr 2021, at 16:03, John Hardin <jhar...@impsec.org> wrote:
> header __FROM_NAME_AMAZONCOM From:name =~ /\bamazon\.com\b/i
> meta POSSIBLE_AMAZON_PHISH_01 (__FROM_NAME_AMAZONCOM && NAME_EMAIL_DIFF)
> meta POSSIBLE_AMAZON_PHISH_02 (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON)

It seems something like this should be built in for sites like amazon.com, PayPal.com, google.com, apple.com, citi.com, etc. etc. Not gmail. Of course, it would fail spectacularly if used for that, but for stores and banks and such, it seems like this is bloody obvious.

Probably a score 0.01 for POSSIBLE_AMAZON_PHISH_01, but I don't see anything wrong with a killshot 5.0 for POSSIBLE_AMAZON_PHISH_02. (Not that I am testing it with a 5.0 score, but I sure expect to see a score around there).

--
Hamburgers. The cornerstone of any nutritious breakfast.
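
The logic of the two quoted meta rules, extended to the brand list suggested in the reply, as an added Python sketch that is not part of the original thread and is not SpamAssassin's implementation. The per-brand rule names, the `evaluate` helper, the sample messages, and the stand-ins for `NAME_EMAIL_DIFF` and `__HDR_RCVD_AMAZON` (whose definitions are not shown in the thread) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand domains named in the reply; mailbox providers such as gmail are left out.
BRANDS = ["amazon.com", "paypal.com", "google.com", "apple.com", "citi.com"]

def _under(host, brand):
    """True if host is the brand domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == brand or host.endswith("." + brand)

def evaluate(raw):
    """Return the hypothetical POSSIBLE_<BRAND>_PHISH_0x names that hit."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2]
    # Assumption: "relayed by the brand" means some Received "from <host>"
    # is under the brand domain. Only headers added by your own trusted
    # relays should count in production; the rest can be forged.
    received = " ".join(msg.get_all("Received", []))
    relays = re.findall(r"\bfrom\s+([\w.-]+)", received, re.I)
    hits = set()
    for brand in BRANDS:
        # Same shape as the quoted From:name regex, one per brand.
        if not re.search(r"\b" + re.escape(brand) + r"\b", name, re.I):
            continue
        tag = brand.split(".")[0].upper()
        if not _under(addr_domain, brand):        # stand-in for NAME_EMAIL_DIFF
            hits.add(f"POSSIBLE_{tag}_PHISH_01")
        if not any(_under(h, brand) for h in relays):  # !__HDR_RCVD_<BRAND>
            hits.add(f"POSSIBLE_{tag}_PHISH_02")
    return hits

# Constructed sample messages (documentation IPs and example domains).
SPOOFED = (
    'From: "Amazon.com" <support@example.net>\n'
    "Received: from mail.example.net (mail.example.net [192.0.2.10])"
    " by mx.example.org; Fri, 16 Apr 2021 16:00:00 +0000\n"
    "Subject: Your order\n\nbody\n"
)
GENUINE = (
    'From: "Amazon.com" <order-update@amazon.com>\n'
    "Received: from out1.amazon.com (out1.amazon.com [192.0.2.20])"
    " by mx.example.org; Fri, 16 Apr 2021 16:00:00 +0000\n"
    "Subject: Your order\n\nbody\n"
)

if __name__ == "__main__":
    print(sorted(evaluate(SPOOFED)), sorted(evaluate(GENUINE)))
```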