On Monday 06 March 2017 11:58:25 David B Funk wrote:
> On Mon, 6 Mar 2017, Alan Hodgson wrote:
> >> It seems it should be easy to setup “If mail claims to be From:
> >> PayPal.com
> >> and is not from PayPal, score +100” but it is not.
> >
> > This is what DMARC is for.
> >
> > Run opendmarc as a milter and reject failures. Or score later on DMARC
> > failure, even if just selectively for highly phished domains.
> >
> > PayPal publishes p=reject, on paypal.com at least, if not their other
> > domains.
> But that won't help you when the scammers set the user visible from as
> "acco...@paypai.com" or some other variant (with the actual address part as
> <acco...@example.com> or something else).
>
> user-agents (such as OutHouse) by default only show the "comment" part of
> the address and hide the actual <> address part, making it easy for
> scammers to fool the non-tech savvy users.
Well, sure. And they can use any variant of paypal.whatever that they own, too, to show in better email clients. But you do what you can. Personally I've been flagging anything with paypal or pay pal anywhere in the From: that doesn't have a whitelisted PayPal domain's DKIM signature on it, but I don't know how well that scales.
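As an added illustration of the rule described above (not code from the thread or from any of its participants): the check matches "paypal" or "pay pal" anywhere in the From: header, display name included, and then looks for a dkim=pass result whose header.d is on a trusted list. It assumes the MTA has already verified DKIM and written RFC 8601 Authentication-Results headers; the trusted list and the sample messages are constructed.

```python
import re
from email import message_from_string

# Constructed trust list: signing domains whose DKIM pass vouches for PayPal mail.
# paypal.com is the domain named in the thread; anything else added here is an assumption.
TRUSTED_PAYPAL_SIGNERS = {"paypal.com"}

# "paypal" or "pay pal" (with any spacing/punctuation between the words), case-insensitive.
PAYPAL_RE = re.compile(r"pay[\s._-]*pal", re.IGNORECASE)

# Pull header.d= out of each "dkim=pass ... header.d=domain" clause in Authentication-Results.
AUTHRES_DKIM_PASS_RE = re.compile(
    r"dkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", re.IGNORECASE)


def passing_dkim_domains(msg):
    """Domains with a dkim=pass verdict, taken from the MTA's Authentication-Results.
    Raw DKIM-Signature headers are deliberately not consulted: only a verified result counts."""
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        for match in AUTHRES_DKIM_PASS_RE.finditer(header):
            domains.add(match.group(1).lower().rstrip("."))
    return domains


def score_paypal_spoof(raw_message, trusted=TRUSTED_PAYPAL_SIGNERS):
    """Return (score, reason): +100 (the figure used in the thread) when From: mentions
    PayPal but no trusted PayPal domain signed the message, otherwise 0.
    The whole From: header is searched, so a display name of the form
    "accounts@paypal.com" <someone@example.com> is caught even though the
    real address is elsewhere (the case raised in the reply above)."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    if not PAYPAL_RE.search(from_header):
        return 0, "From: does not mention PayPal"
    signers = passing_dkim_domains(msg)
    vouched = signers & trusted
    if vouched:
        return 0, "DKIM pass from trusted domain %s" % sorted(vouched)[0]
    return 100, "From: claims PayPal; DKIM pass domains %s are not trusted" % (
        sorted(signers) or "none")


# Constructed sample messages (not real mail).
LEGIT = ('From: "PayPal" <service@paypal.com>\n'
         'Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com header.i=@paypal.com\n'
         'Subject: Your receipt\n\nbody\n')
SPOOF = ('From: "accounts@paypal.com" <accounts@example.com>\n'
         'Authentication-Results: mx.example.net; dkim=pass header.d=example.com\n'
         'Subject: Account limited\n\nbody\n')
SPACED = 'From: Pay Pal Support <support@example.net>\nSubject: Verify now\n\nbody\n'
UNRELATED = 'From: Bob <bob@example.org>\nSubject: lunch\n\nbody\n'
```

As the reply notes, a lookalike such as paypai.com does not contain the string "paypal" and sails past this rule; DMARC on the real domain and this header check cover different parts of the problem.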