On Wed, 12 Jun 2013 15:26:29 -0500 (CDT)
David B Funk wrote:

> However this will not hit all the "human engineered" variants which
> try to fool people into thinking that they're PayPal (EG: PayPaI)
> or which have "PayPal" in the comment field part of the address/URL
> but have a completely different actual target host.

And you need to be a little careful about hitting addresses created to
use with paypal that contain "paypal". OTOH I think it would be
unlikely for paypal to be in the name part of the header without it being
either from paypal or spam.

Perhaps something like:

header __PAYPAL_IN_FROMNAME        From:name =~ /paypal/i

header __ADDRESS_IN_FROMNAME       From:name =~ /\@/

header __FUZZY_PAYPAL_FROM         From:addr =~ /(?!paypal)p[ao]yp[ao][il1]/i

meta  FAKE_PAYPAL   !USER_IN_DEF_DKIM_WL && ( __FUZZY_PAYPAL_FROM || __PAYPAL_IN_FROMNAME && !__ADDRESS_IN_FROMNAME )
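
The rules proposed above can be checked against sample From headers before they are deployed. The following is an added example, not part of the original message: a Python re-implementation of the FAKE_PAYPAL logic, with From:name and From:addr approximated by email.utils.parseaddr, USER_IN_DEF_DKIM_WL passed in as a boolean, and all sample headers constructed for illustration.

```python
import re
from email.utils import parseaddr

# Python equivalents of the three header sub-rules in the message above.
PAYPAL_IN_FROMNAME = re.compile(r"paypal", re.I)
ADDRESS_IN_FROMNAME = re.compile(r"@")
FUZZY_PAYPAL_FROM = re.compile(r"(?!paypal)p[ao]yp[ao][il1]", re.I)


def fake_paypal(from_header, dkim_whitelisted=False):
    """Evaluate the FAKE_PAYPAL meta expression for one From header.

    dkim_whitelisted stands in for USER_IN_DEF_DKIM_WL (assumption: the
    caller has already verified DKIM; this sketch does not).
    """
    # parseaddr approximates SpamAssassin's From:name / From:addr split.
    name, addr = parseaddr(from_header)
    fuzzy = bool(FUZZY_PAYPAL_FROM.search(addr))
    in_name = bool(PAYPAL_IN_FROMNAME.search(name))
    addr_in_name = bool(ADDRESS_IN_FROMNAME.search(name))
    return (not dkim_whitelisted) and (fuzzy or (in_name and not addr_in_name))


# Constructed samples: (From header, DKIM-whitelisted?, expected hit)
SAMPLES = [
    # Whitelisted sender: the meta rule is suppressed.
    ('"PayPal" <service@paypal.com>', True, False),
    # Same header without a DKIM whitelist match: the name rule fires.
    ('"PayPal" <service@paypal.com>', False, True),
    # Lookalike spellings in the address (capital I, digit 1).
    ('"Account Team" <service@paypaI.example>', False, True),
    ('"Account Team" <service@paypa1.example>', False, True),
    # A user's own address created for use with PayPal: exact
    # "paypal" in the address is excluded by the (?!paypal) lookahead.
    ('"Bob" <bob-paypal@bobsdomain.example>', False, False),
    # Display name that is itself an address: exempted by __ADDRESS_IN_FROMNAME.
    ('"paypal@bobsdomain.example" <paypal@bobsdomain.example>', False, False),
    # "PayPal" in the display name with an unrelated address.
    ('"PayPal Support" <billing@unrelated.example>', False, True),
]


def run_samples():
    """Return (header, whitelisted, hit) for every constructed sample."""
    return [(h, wl, fake_paypal(h, wl)) for h, wl, _ in SAMPLES]


if __name__ == "__main__":
    for header, wl, hit in run_samples():
        print(f"{'HIT ' if hit else 'miss'}  wl={wl!s:5}  {header}")
```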
