Is there a rule to catch cases where the domain of the Reply-To header
is a subtle variant on that in the To header. Take this (real) example
from a phishing email sent yesterday:
From: "Karen Howard" <ka...@interfacefm.com>
Reply-To: "Karen Howard" <ka...@intrefacefm.com>
I realise that other elements of the address can be different without
being a reliable spam indicator but I think that interfacefm.com ->
intrefacefm.com are so similar and yet different that they should be
worth a few points. But I can't think how to write such a rule myself.
