I did post in the Thunderbird area but saw that this group was here
(and the message messed up after posting and I can't get the
Thunderbird editor to allow me to make changes so....) :-)

I thought that one addition that would be good would be to have the
program check for <a href="X">Y</a> in the message's body.
Checking only for the website and not anything that follows that.
(Because sometimes they do say just "http://www.y.com" in the body of
a message. So:

<a href="http://www.x.com/A/B?C">http://www.x.com</a>

would be ok but

<a href="http://www.x.com/R/S/T/U/V">http://www.y.com</a>

would not be ok.

I'm sure there are times when a company does "http://mysite.com" or
other different methods of saying their site name, but all this is -
is a check and even a legitimate company who does the above should
make someone suspicious of the intent of the company.

And last, but not least, this is faster than having to poll an offsite
location for information. So you would get immediate feedback about
the message being suspicious and then, after that the regular poll for
info could be done.

Just a thought.