
Rootlayer VPS in Headers

The message was sent using a Rootlayer VPS, a provider known to be used for phishing.

Detection Query

type.inbound 
and any(headers.domains, .domain == "hosted-by.rootlayer.net" )

Author

ajpc500

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Tags

Suspicious headers

Raw Content

name: "Rootlayer VPS in Headers"
description: |
  The message was sent using a Rootlayer VPS, a provider known to be used for phishing.
type: "rule"
severity: "low"
authors:
  - twitter: "ajpc500"
source: |
  type.inbound 
  and any(headers.domains, .domain == "hosted-by.rootlayer.net" )
tags:
  - "Suspicious headers"