Hi,
Is there an existing rule that detects when the To address differs
from the address to which the email is to be delivered?
We've received a number of messages directed at executives based on
the recipient address and Received address, both of which are within
the same domain but to different people.
>From lynne20...@aol.com Mon Mar 27 10:33:00 2017
Return-Path: <lynne20...@aol.com>
Received: from localhost (localhost [127.0.0.1])
by mail01.example.com (Postfix) with ESMTP id 30F1A6801B259
for <m...@example.com>; Mon, 27 Mar 2017 10:33:00 -0400 (EDT)
From: Dorothy <lynne20...@aol.com>
To: doro...@example.com
I'd like to be able to use the fact that the To address is not the
same as the address shown in the Received header in a meta of some
kind.
How frequent would you think that would appear in ham alone? It's the
basis for a number of phishing attacks here, so I'd like to see about
using it in some way.
Thanks,
Alex
