Phishing Emails with Legitimate From and Reply To Address: Good Idea to Train as Spam?

Phishing emails have started using legitimate ‘From:’ and ‘Reply To:’ addresses in an attempt to bypass SPAM filtering and enhance the illusion of legitimacy. Meanwhile, the body of the email contains one or more payload links to a SPAM/malware/phishing webpage.

In this case, a Best Buy phishing email made it to my inbox using “” as the From address, “” as the Reply To address and emailmongo[dot]com/… as the “OPEN NOW” link.

I’ve already forwarded this to I also read a previous response on this type of issue “Email supposedly from my bank-train?” which suggests training the spam email as spam and a legitimate one as good. In this case, it sounds like SpamSieve will put and on the block list but also learn that not all email with those addresses are spam.

Follow-up questions: Is SpamSieve aware of links in the body of emails and do those get added to its filtering rules? For example, will the domain emailmongo[dot]com get flagged as spam? Also, will the root domain get blocked or only the full URL containing the long string of random alphanumeric characters get blocked?

Last question: Would it be better to just create an Outlook rule that marks any email containing emailmongo[dot]com in the body as spam?

Yes, they will end up as present but disabled on both the whitelist and blocklist.


The domain will become a factor used in classifying future messages, but it will not automatically be added to the blocklist.

I generally recommend handling all the spam-related stuff within SpamSieve. If you are sure that you always want to block messages with that text in the body, you could add your own rule to SpamSieve’s blocklist.

Okay, thanks for the clarifications. Since the entire emailmongo domain got an extremely poor trust rating on, I decided it would be cleaner to create a rule to block any email that contains emailmongo[.]com (without the brackets of course) in the body.
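
The thread asks whether a block should key on the root domain or on the full URL, and settles on a body "contains" rule. The following added example (not part of the thread, and not SpamSieve's or Outlook's code) matches on the hostname of each body link instead, which covers subdomains and random URL paths while skipping hosts that merely contain the same text. The sender addresses, the subdomain, the URL paths and the lookalike host are constructed sample values; only emailmongo.com comes from the thread.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"emailmongo.com"}  # the domain named in the thread
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message: legitimate-looking From/Reply-To, payload link in the body.
SAMPLE = """\
From: Best Buy <offers@retailer.example>
Reply-To: support@retailer.example
Subject: Your reward is waiting
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://click.emailmongo.com/r/Zx81kQpL0a7">OPEN NOW</a>
<a href="https://notemailmongo.com.example/help">Help</a>
</body></html>
"""

def body_link_hosts(raw_message):
    """Return the lowercase hostnames of all http(s) links in text parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            try:
                host = urlsplit(url).hostname
            except ValueError:
                continue  # malformed URL, nothing to compare
            if host:
                hosts.add(host.lower().rstrip("."))
    return hosts

def blocked_hosts(raw_message, blocked=BLOCKED_DOMAINS):
    """Hosts that equal a blocked domain or are a subdomain of one."""
    return {h for h in body_link_hosts(raw_message)
            if any(h == d or h.endswith("." + d) for d in blocked)}

if __name__ == "__main__":
    print("linked hosts: ", sorted(body_link_hosts(SAMPLE)))
    print("blocked hosts:", sorted(blocked_hosts(SAMPLE)))
```

A plain "body contains emailmongo.com" rule would also fire on the second, lookalike link in the sample, because that hostname contains the same string.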