On Wed, 2013-06-12 at 21:30 +0200, Juerg Reimann wrote:
> Is there a filter to block PayPal phishing mails, i.e. everything that
> claims to come from PayPal but is not?
>
I was going to suggest that you could treat anything whose Message-ID doesn't end with 'paypal.com' as spam, but it's a bit more complex than that:
- if PayPal has an office in the same country as an account holder, the message seems to originate there. A genuine message I examined says it's from e.paypal.co.uk and has URIs containing emea.e.paypal.com
- the message-id contains @e-dialog.com but it's immediately followed by an X-mail-from header containing @emea.e.paypal.com
- OTOH all the images and links in the message body are encrypted links to URIs that are recognisably in the PayPal domain.

It might be safe to treat it as ham if all the From and Reply-to headers have the same domain name which contains 'paypal', the message-ID ends in '@e-dialog.com' and the X-mail-to X-match headers end in 'paypal.com' and finally all the URIs in the body contain the same paypal-specific partial URI, but it's your call.

HTH
Martin
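
The ham test suggested in the message above, sketched in Python as an added example (not code from the thread). Assumptions: "contains 'paypal'" is tightened to "is paypal.com or paypal.co.uk, or a subdomain of one", only the X-mail-from header named in the list is checked, and "the same partial URI" is read as one shared PayPal host; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

PAYPAL_DOMAINS = ("paypal.com", "paypal.co.uk")  # assumption: the two seen in the post
URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_paypal_host(host):
    """paypal.com / paypal.co.uk or a subdomain; 'paypal.example.net' does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PAYPAL_DOMAINS)

def addr_domain(value):
    """Lower-cased domain part of an address header value, '' when absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def uri_host(uri):
    try:
        return urlsplit(uri).hostname or ""
    except ValueError:  # malformed URI: treat as a non-PayPal host
        return ""

def looks_like_genuine_paypal(raw):
    msg = message_from_string(raw)
    # From and Reply-To must all carry one and the same PayPal domain.
    senders = {addr_domain(v) for h in ("From", "Reply-To") for v in msg.get_all(h, [])}
    if len(senders) != 1 or not is_paypal_host(next(iter(senders))):
        return False
    # Message-ID ends in @e-dialog.com and X-mail-from is a PayPal address.
    msgid = (msg.get("Message-ID") or "").strip().rstrip(">").lower()
    if not msgid.endswith("@e-dialog.com") or not is_paypal_host(addr_domain(msg.get("X-mail-from"))):
        return False
    # Every URI in every body part must point at one shared PayPal host.
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    hosts = {uri_host(u) for u in URI_RE.findall(body)}
    return len(hosts) <= 1 and all(is_paypal_host(h) for h in hosts)

# Constructed sample messages (not real mail), shaped like the headers the post describes.
GENUINE = ("From: PayPal <paypal@e.paypal.co.uk>\nReply-To: paypal@e.paypal.co.uk\n"
           "Message-ID: <1234.5678@e-dialog.com>\nX-mail-from: bounce@emea.e.paypal.com\n\n"
           "View: https://emea.e.paypal.com/r/AAA\nHelp: https://emea.e.paypal.com/r/BBB\n")
PHISH = ("From: PayPal <service@paypal.example.net>\nReply-To: service@paypal.example.net\n"
         "Message-ID: <1@mail.example.net>\n\nLog in: http://paypal.example.net/login\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("phish", PHISH)):
        print(name, looks_like_genuine_paypal(raw))
```

A True result only means the message matches the pattern of the one genuine mail examined; a False result means it does not fit that pattern, not that it is proven phishing.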