On Wed, 12 Jun 2013 15:26:29 -0500 (CDT) David B Funk wrote:
> However this will not hit all the "human engineered" varients which > try to fool people into thinking that they're PayPal (EG: PayPaI) > or which have "PayPal" in the comment field part of the address/URL > but have a completely different actual target host. And you need to be a little careful about hitting addresses created to use with paypal that contain "paypal". OTOH I think it would be unlikely for paypal to be in name part of the header without it being either from paypal or spam. Perhaps something like: header __PAYPAL_IN_FROMNAME From:name =~ /paypal/i header __ADDRESS_IN_FROMNAME From:name =~ /\@/ header __FUZZY_PAYPAL_FROM From:addr =~ /(?!paypal)p[ao]yp[ao][il1]/i meta FAKE_PAYPAL !USER_IN_DEF_DKIM_WL && ( __FUZZY_PAYPAL_FROM || __PAYPAL_IN_FROMNAME && !__ADDRESS_IN_FROMNAME )