What do you think about a antiabuse.popular.domains.cf that contains a lot of paragraphs like this ?
# DHL header __AF_DHL_FROM From =~ /([^a-zA-Z0-9]|^)dhl([^a-zA-Z0-9]|\b)/i header __AF_DHL_DOMAIN From =~ /\@dhl.com(>|\b)/i meta AF_VALID_DHL (SPF_PASS || MXPF_PASS || DKIM_VALID_AU) && __AF_DHL_DOMAIN describe AF_VALID_DHL Valid dhl Sender score AF_VALID_DHL -1.00 meta AF_ABUSED_DHL __AF_DHL_FROM && !AF_VALID_DHL describe AF_ABUSED_DHL Probably Abused dhl Sender Name score AF_ABUSED_DHL 1.00 __AF_DHL_FROM Search in the from field that there is something that can tell to users that message come from dhl For example it find positive something like : DHL EXPRESS <some...@somewhere.com> __AF_DHL_DOMAIN Search if from domain is dhl.com AF_VALID_DHL True if this email is verified by spf or dkim or mxpf AND domain is dhl.com AF_ABUSED_DHL True if some dhl references in from field (__AF_DHL_FROM) and not verified dhl.com Nicola Piazzi CED - Sistemi COMET s.p.a. Via Michelino, 105 - 40127 Bologna - Italia Tel. +39 051.6079.293 Cell. +39 328.21.73.470 Web: www.gruppocomet.it<http://www.gruppocomet.it/> [Descrizione: gc]