I'm trying to decide the best way to detect something like this.

https://pastebin.com/hCX9MWNg

Looking at the raw headers and body, it's pretty easy to tell this is a spoof, but when it shows up in an inbox, it looks pretty good.

Something specific to Amazon (where this is purported to come from) would be to check if their domain is in the From and Reply-To and at least score that relatively high if it's not correct - but compared to what?  Maybe if From text contains amazon/i and from-address does not end with amazon.com (for me in the US at least)?

That feels forced.  Does anyone have any suggestions to help me out on this fine Friday?

Thanks,

AJ
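
The display-name versus address comparison floated in the message above, as an added example that is not part of the original post. The `BRAND_DOMAINS` table, the function names and the sample headers are constructed for illustration; matching is done on whole domain labels, so a lookalike that merely ends in the brand string does not pass.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: brand keyword -> domains it legitimately sends from (extend per site).
BRAND_DOMAINS = {"amazon": ("amazon.com",)}

def domain_matches(addr, allowed):
    """True if addr's domain is an allowed domain or a subdomain of one."""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def brand_mismatches(raw_headers):
    """Return (header, brand, address) for each brand claim the address does not back."""
    msg = message_from_string(raw_headers)
    claimed, hits = set(), []
    # From: the display name mentions the brand but the address is elsewhere.
    for name, addr in getaddresses(msg.get_all("From", [])):
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in name.lower():
                claimed.add(brand)
                if not domain_matches(addr, allowed):
                    hits.append(("From", brand, addr))
    # Reply-To: once From claims the brand, replies should stay in its domains.
    for _, addr in getaddresses(msg.get_all("Reply-To", [])):
        for brand in sorted(claimed):
            if not domain_matches(addr, BRAND_DOMAINS[brand]):
                hits.append(("Reply-To", brand, addr))
    return hits

# Constructed sample headers (not taken from the linked paste).
SPOOF = ('From: "Amazon.com" <billing@mail.example.net>\n'
         'Reply-To: support@example.org\nSubject: Your order\n\n')
LOOKALIKE = 'From: Amazon Support <no-reply@amazon.com.example.net>\n\n'
LEGIT = 'From: "Amazon.com" <orders@mail.amazon.com>\n\n'

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, brand_mismatches(raw))
```

Each hit is better treated as a score contribution than a verdict, since the table has to be maintained per brand and legitimate third-party senders will trip it.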

