An e-mail is certainly a phishing attack when all three of the following conditions are met:
- The From address claims to be paypal.com
- The Received header, which indicates the address of the computer from which the e-mail was actually received, is not paypal.com
- A paypal.com URL is mentioned in the body of the e-mail
Instead of the offending message being delivered unmarked to users who may be tricked by the scams, the users receive an e-mail stating that the message is suspected spam, giving enumerated reasons. Users can of course still see the original e-mail that is attached to the explanation message.
I wonder why the “Anti-Phishing Working Group” does not provide useful information like this. I suspect the next useful feature would be automatic reporting to email@example.com or similar addresses that may be maintained by organizations who are victims of phishing scams.