[exim] Need help writing an anti-phishing trick

I have an idea of something that should work that I'd like to try to
stop a lot of phishing email.

Here's what I have in mind. Most phishing email pretends to be from well
know institutions, banks, paypal, etc. But even though the from address
is the institution, none of the received lines contain a host that
matches the institution name.

For example - all paypal real email with come from paypal servers.

So - my thinking is - create a list of institutions that are frequently
impersonated. If the sender address is one of those domains then the
received lines are searched for that domain. If there is no match then
we deny the message at the ACL level.

For example, paypal.com with be in the list. If the sender is paypal,
but none of the received lines contain paypal, we nuke the message.

So - who wants to throw an ACL together to do this?