James Nelson wrote:
I wonder if it might not be more effective to check the received from header
for paypal.com instead of the message-id. My thought there is, although
this rule holds true for paypal, it does not for ebay. Whereas matching
the domain in both the from and received from fields you should always have
the valid smtp address for the domain.
Basically, SA's version of emailer ID. Which can be incorporated into any
domain.
Would be nice if you could make variables to discover the from domain and
pass that to a check to received from line, would make one rule universal
for all domains. Then you could assign a couple of pts for domain spoofing.
james
And the message-id can be faked, correct? I guess the only sure way is
to perform a reverse lookup on the IP in the header and look at that
domain name. ??
Dan
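
The check discussed in this thread, as an added Python sketch that is not from either poster and is not a SpamAssassin rule: it compares the From: domain with the reverse-DNS name in the topmost Received header. It assumes that header was written by your own MTA in the Postfix/sendmail `from HELO (RDNS [IP])` form; the function names, hostnames and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix/sendmail-style hop: "from HELO (RDNS [IP]) by ..."
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]+)?\s*\[([0-9A-Fa-f.:]+)\]\)")

def from_domain(msg):
    """Domain part of the From: address, lowercased ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def first_hop(msg):
    """Parse the topmost Received header (assumed written by our own MTA)."""
    hops = msg.get_all("Received", [])
    m = HOP_RE.search(" ".join(hops[0].split())) if hops else None
    if m is None:
        return None
    helo, rdns, ip = m.groups()
    # HELO is chosen by the sender; RDNS is what the receiving MTA looked up.
    return {"helo": helo.lower(), "rdns": (rdns or "unknown").lower(), "ip": ip}

def host_in_domain(host, domain):
    """True for the domain or a subdomain, never for a lookalike suffix."""
    return host == domain or host.endswith("." + domain)

def from_matches_relay(raw):
    """Does the connecting relay's rDNS name fall inside the From: domain?"""
    msg = message_from_string(raw)
    domain, hop = from_domain(msg), first_hop(msg)
    if not domain or hop is None:
        return False
    return host_in_domain(hop["rdns"], domain)

def sample(hop):
    """Build a constructed test message with the given Received clause."""
    return (f"Received: from {hop}\n\tby mx.local.example with ESMTP\n"
            "From: Billing <service@bank.example>\n"
            "Message-ID: <1234@bank.example>\n"
            "Subject: constructed sample\n\nbody\n")

# Constructed samples (documentation-range IPs, reserved example domains).
LEGIT = sample("out1.bank.example (out1.bank.example [192.0.2.10])")
SPOOFED = sample("bank.example (dsl-7.isp.example [198.51.100.23])")
LOOKALIKE = sample("bank.example (bank.example.attacker.test [198.51.100.24])")
NO_PTR = sample("bank.example (unknown [198.51.100.25])")

if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("SPOOFED", SPOOFED),
                      ("LOOKALIKE", LOOKALIKE), ("NO_PTR", NO_PTR)]:
        print(name, from_matches_relay(raw))
```

Only the Received header added by your own server is trustworthy; lower ones are supplied by the sender. Domains that send through third-party relays will also fail this comparison, so a mismatch suits a score of a few points rather than outright rejection.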