On Tue, 21 Jan 2014 09:50:13 +0100 Michael Monnerie wrote: > Am 20.01.2014 09:54, schrieb Michael Monnerie: > > That should not matter. I want to say "if there is a bill claiming > > to be from vodafone, then there MUST NOT be any link to anything > > else than https?://vodafone.de". Any idea how I could check for > > this? > > > Is this possible? > > >>> So I want to catch a real-looking vodafone bill that has any URI > >>> to another domain. Also, as Vodafone uses SPF, I'd like to check > >>> if I hit VODAFONEgood && !SPF signature in the mail. > >> this is complicated since you belive phishes only have this domain > >> as sender, url and envelope can match, and this would be great if > >> thay do, but its hard to figure out for spamassassin with domains > >> is forged or not based on this > > I mean: if there's a mail whose context says it's a bill from > > Vodafone, then it should be from Vodafone and have a correct SPF > > signature. > > And can we check this?
Dave Funk gave you a better suggestion: whitelist authenticated vodaphone emails and create some aggressive rules to catch the fakes.
