Anti-phishing idea

More or less the only ‘spam’ that reaches my inbox is the occasional phishing mail, made to appear to be sent from a Dutch bank, trying to find out my online banking credentials. I want to get rid of those.

Now, the solution that I came up with is somewhat crude, but I wonder if it will result in any false positives. I don’t think I have ever received a legitimate mail from a bank I do business with, but I have been told by friends, and by ABN AMRO bank itself, that they do sometimes send out mail to (potential) customers. The question is: do these mails originate from the Netherlands?

What I did was the following. My MTA is Exim, and it is already configured to identify the originating country for a given email, using a GeoIP lookup. Every mail coming in through my MTA has headers like these:

X-GeoIP-Code: US
X-GeoIP-Country: United States

So, if I want to block mails from a certain sender (and I want to be looking at the From: header rather than the envelope sender here), unless it came from inside the Netherlands, I can just implement a simple SpamAssassin check:

# Phishing from Dutch banks
header    __GEO_FROM_NL          X-GeoIP-Code =~ /^NL$/
header    __FROM_DUTCH_BANK      From =~ /(ING Bank|Rabobank|ABN AMRO)/i
meta      DUTCH_BANK_FOREIGN_IP  (__FROM_DUTCH_BANK && !__GEO_FROM_NL)
describe  DUTCH_BANK_FOREIGN_IP  Dutch bank mailed from a foreign IP
score     DUTCH_BANK_FOREIGN_IP  2.5

Anything with a score of 3.1 or higher is considered SPAM, so adding 2.5 points can still get the message through, if nothing else is wrong with it. However, with a phishing mail that is hardly ever the case. If necessary, I could raise the score a little, but in the meantime, it’s nice to know that a legitimate mail, even if it came from abroad, could still have a chance to come through.
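To see how the rule above behaves on the three cases that matter (a phishing mail from abroad, a legitimate bank mail from within the Netherlands, and a legitimate bank mail sent from abroad), here is a small Python re-implementation of the SpamAssassin logic. It is an added example, not part of the original post or of SpamAssassin itself; the sample messages, addresses and the hypothetical extra rule score are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Threshold and score as stated in the post.
SPAM_THRESHOLD = 3.1
DUTCH_BANK_FOREIGN_IP_SCORE = 2.5

# Constructed sample messages (not real mail). The X-GeoIP-* headers are
# the ones the post says Exim adds after its GeoIP lookup.
PHISH_FROM_US = """From: "ABN AMRO" <service@abnamro-verify.example>
To: me@example.net
Subject: Please verify your account
X-GeoIP-Code: US
X-GeoIP-Country: United States

Log in here to confirm your details.
"""

LEGIT_FROM_NL = """From: ING Bank <info@ing.example>
To: me@example.net
Subject: Your monthly statement is ready
X-GeoIP-Code: NL
X-GeoIP-Country: Netherlands

Your statement is available in the online banking portal.
"""

LEGIT_FROM_ABROAD = """From: Rabobank <marketing@rabobank.example>
To: me@example.net
Subject: New savings product
X-GeoIP-Code: DE
X-GeoIP-Country: Germany

Sent via an external mailing provider.
"""


# __GEO_FROM_NL: X-GeoIP-Code =~ /^NL$/
# Assumes the MTA adds exactly one X-GeoIP-Code header (first one wins here).
def geo_from_nl(msg: Message) -> bool:
    return re.search(r"^NL$", msg.get("X-GeoIP-Code", "")) is not None


# __FROM_DUTCH_BANK: From =~ /(ING Bank|Rabobank|ABN AMRO)/i
def from_dutch_bank(msg: Message) -> bool:
    return re.search(r"(ING Bank|Rabobank|ABN AMRO)", msg.get("From", ""), re.I) is not None


# meta DUTCH_BANK_FOREIGN_IP (__FROM_DUTCH_BANK && !__GEO_FROM_NL)
def dutch_bank_foreign_ip(msg: Message) -> bool:
    return from_dutch_bank(msg) and not geo_from_nl(msg)


def score_message(raw: str, other_rule_points: float = 0.0):
    """Return (hit_rules, total_score, is_spam) for one raw RFC 822 message.

    other_rule_points stands in for whatever the rest of the SpamAssassin
    ruleset would add; it is a hypothetical value, not a real rule.
    """
    msg = message_from_string(raw)
    hits = []
    score = other_rule_points
    if dutch_bank_foreign_ip(msg):
        hits.append("DUTCH_BANK_FOREIGN_IP")
        score += DUTCH_BANK_FOREIGN_IP_SCORE
    return hits, round(score, 2), score >= SPAM_THRESHOLD


if __name__ == "__main__":
    for label, raw in [("phish (US)", PHISH_FROM_US),
                       ("legit (NL)", LEGIT_FROM_NL),
                       ("legit (abroad)", LEGIT_FROM_ABROAD)]:
        print(label, score_message(raw))
    # A phishing mail usually trips other rules too; 1.0 extra point is enough.
    print("phish (US) + 1.0 from other rules", score_message(PHISH_FROM_US, 1.0))
```

The interesting case is the third one: a genuine bank mailing sent through a foreign provider gets the 2.5 points but stays under 3.1, which is exactly the margin the post relies on. One thing worth checking in the real Exim setup is that sender-supplied X-GeoIP-* headers are stripped before the MTA adds its own, so the rule only ever sees the lookup result and not a header the remote side put there.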

Is this a good idea, or would this result in false positives for sure?