On 12/6/2017 9:33 AM, Kevin A. McGrail wrote:
On 12/6/2017 9:28 AM, David Jones wrote:
I see plenty of legit email with an email address in the From:name so
that would need to be a very low score or combined with other rules
in a meta.
I was pointing out the "cc:" in the From:name to try to hide the
sender's email address at first glance.
Agreed. Let me whip something up.
#cc in From - Thanks to Dave Jones for idea
header KAM_CCFROM1 From =~ /\b(to|cc|bcc|from):/i
describe KAM_CCFROM1 Addition of cc: and similar as a phishing tactic
score KAM_CCFROM1 5.0
Looks good to me.
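
Added example, not part of the thread: a small Python harness that applies the KAM_CCFROM1 pattern to a few constructed From header values, both to the whole header value (as the rule does) and to the display name alone (the From:name part discussed above). The sample headers and helper names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Pattern copied from the KAM_CCFROM1 rule (Perl /.../i -> re.IGNORECASE).
KAM_CCFROM1 = re.compile(r"\b(to|cc|bcc|from):", re.IGNORECASE)

def rule_hits(from_value):
    """True if the pattern matches the raw From header value."""
    return KAM_CCFROM1.search(from_value) is not None

def name_hits(from_value):
    """Same pattern, restricted to the parsed display name."""
    name, _addr = parseaddr(from_value)
    return KAM_CCFROM1.search(name) is not None

# Constructed From header values, not taken from real mail.
SAMPLES = [
    # "cc:" placed in the display name to push the real sender out of view
    '"Alice Example cc: bob@example.com" <x9@mailer.example.net>',
    # ordinary sender
    '"Bob Example" <bob@example.com>',
    # address repeated in the display name, which legitimate mail also does
    '"bob@example.com" <bob@example.com>',
    # benign-looking name that still contains "to:"
    '"Reply to: Support" <support@example.com>',
    # "mailto:" has no word boundary before "to", so \b prevents a match
    '"Acme mailto:help@example.com" <help@example.com>',
]

def evaluate(samples=SAMPLES):
    """Return (header value, whole-header hit, display-name hit) per sample."""
    return [(s, rule_hits(s), name_hits(s)) for s in samples]

if __name__ == "__main__":
    for value, whole, name in evaluate():
        print(f"whole={whole!s:5} name={name!s:5} {value}")
```

Running a candidate pattern over a set of known-good From headers like this before assigning a score shows which legitimate display names would hit.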