> I'm trying to decide the best way to detect something like this.
>
> https://pastebin.com/hCX9MWNg
>
> Looking at the raw headers and body it's pretty easy to tell this is a
> spoof, but when it shows up in an inbox, it looks pretty good.
>
> Something specific to Amazon (where this is purported to come from)
> would be to check if their domain is in the From and Reply-To and at
> least score that relatively high if it's not correct - but compared to
> what? Maybe if From text contains amazon/i and from-address does not
> end with amazon.com (for me in the US at least)?
>
> That feels forced. Does anyone have any suggestions to help me out on
> this fine Friday?
>
> Thanks,
> AJ

You shouldn't have even received that. Consider setting up your email as per this guide:

https://arstechnica.com/information-technology/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/

After 3 months, and two major failures setting up email (not to mention shattered self-worth), this article series is what finally got me spinning.

Also in /etc/postfix/main.cf add to

    smtpd_recipient_restrictions = ...reject_rbl_client zen.spamhaus.org,
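
The check proposed in the quoted question (From display text names a brand, but the From or Reply-To address is not on that brand's domain), sketched as an added example that is not part of the original thread. The brand-to-domain map, the function names and the sample messages are all constructed assumptions.

```python
from email import message_from_string, policy

# Assumption: brand keyword -> domains allowed to use it (constructed for this example).
BRAND_DOMAINS = {"amazon": ("amazon.com",)}


def domain_allowed(domain, allowed):
    # Exact match or a true subdomain only, so "amazon.com.example.net"
    # and "notamazon.com" do not pass as amazon.com.
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_mismatch(raw_message):
    """Return (header, brand, address) for each address whose domain does
    not fit the brand named in the From display text."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return []
    sender = from_hdr.addresses[0]
    # policy.default decodes RFC 2047 encoded words in the display name.
    display = sender.display_name.lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in display:
            continue
        if not domain_allowed(sender.domain, allowed):
            findings.append(("From", brand, sender.addr_spec))
        reply_hdr = msg["Reply-To"]
        for addr in (reply_hdr.addresses if reply_hdr is not None else ()):
            if not domain_allowed(addr.domain, allowed):
                findings.append(("Reply-To", brand, addr.addr_spec))
    return findings


# Constructed sample messages (not taken from the pastebin linked in the thread).
SPOOF = ('From: "Amazon.com" <orders@mail-notify.example>\n'
         'Reply-To: support@amaz0n-help.example\n'
         'Subject: Your order\n\nbody\n')
LEGIT = ('From: "Amazon.com" <auto-confirm@amazon.com>\n'
         'Subject: Your order\n\nbody\n')
LOOKALIKE = ('From: =?utf-8?q?Amazon_Support?= <x@amazon.com.example.net>\n'
             'Subject: Account notice\n\nbody\n')

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF), ("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(name, brand_mismatch(raw))
```

A hit is best treated as one scoring signal rather than a reject on its own, since legitimate third-party senders sometimes use a brand name in the display text.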