Thanks. I went with:

    IF /^Message-id:/
    /@qq\.com/ Reject
    ENDIF

It's not all that pretty, but it works fine. I have been watching the logs and those messages are now being rejected.

Thanks for all the help.

-- Doug

> On 7 September 2017, at 15:50, pgndev <pgnet....@gmail.com> wrote:
>
> I missed the "message id" ...
>
> You should be able to match/block any valid header name.
>
> Add it to, or replace, what's in the match -- up to you. Personally, I've
> never received a valid email from 'anything' @qq.com. YMMV.
>
> If you're shutting down a flood, more extreme, blunt instrument measures @
> the firewall (e.g. GeoIP blocking) can be put in place.