This is a very rough python milter implementation which is supposed to parse From: header values and mark suspicious ones.
From: "Totally Official <totally.official@example.com>" <nope-its-fake@fake.example.net>
JPT580/pymilter-suspicious-from
A rough pymilter example that can detect suspicious from headers with multiple addresses/domains in emails. It is not perfect, but it certainly is able to help adding a warning flag to emails.
Python