So, I received an email from "service.i...@paypal.com", Subject "Your PayPaI account has been limited". This is clearly a phishing attempt and not a legitimate email from PayPal.
I analyzed the headers: the message comes from a server here in the United States, the spam score is 5, and SpamAssassin says "No Spam". Yea!! Only not yea, because it's clearly a phishing attempt. Normally I just add the email address to a blacklist_from.cf file and stop it that way, but adding "service.i...@paypal.com" to the blackfrom list would block any legitimate email from PayPal. So how does a person write a rule for something like this? I've never written rules before and I'm not really sure how to.

Thanks
Daryl