That was for a specific spoofing campaign so remove it if you want. That was only an example to show what can be done to pair up with whitelist_auth/whitelist_dkim entries. I would not put that particular one in the core SA ruleset if there was enough interest to add this rule.
I also have a rule just like this with full names of spoofing targets like CEOs and finance people to block fake requests to transfer money or click a link. ________________________________ From: sha...@shanew.net <sha...@shanew.net> Sent: Thursday, April 26, 2018 10:01 AM To: users@spamassassin.apache.org Subject: Re: Anti Phish Rules On Thu, 26 Apr 2018, David Jones wrote: > header __BAD_FROM_NAME From:name =~ > /(^chase$|chase\.com|Internal Revenue Service|banking|Bank of > America|American Express|Wells Fargo|NavyFederal|Geico|E-fax|Share.oint|UPS > Delivery|FedEx|PayPal|Apple Support|USAA|.ropbox|Dro.box)/i > meta BAD_FROM_NAME __BAD_FROM_NAME && !ALL_TRUSTED > describe BAD_FROM_NAME Displayed From contains bad information to > trick the recipients > score BAD_FROM_NAME 4.0 People named Chase may not care for that first item in the grouping -- Public key #7BBC68D9 at | Shane Williams http://pgp.mit.edu/ | System Admin - UT CompSci =----------------------------------+------------------------------- All syllogisms contain three lines | sha...@shanew.net Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew<http://www.ischool.utexas.edu/~shanew>