Good day, I know I will incur some wrath for this but I have the Mayor breathing down my neck. We stop nearly all spam now, but some does get through. Mostly it has been mail from gmail and outlook servers that pass DKIM and SPF.
This morning a large number of messages appearing to come from the Mayor were delivered. The email is technically legitimate and was scored appropriately. Unfortunately, the From address was in the following format 'the Mayor's display name <random-numb...@gmail.com>'. So, everyone who saw the message opened it because it looked like it came from the Mayor. then they called the Mayor's office. - The message was benign. - The users know to hover over display names to check the address, but this was the Mayor. They did not. - All mail delivered locally comes through our server. No one is allowed to use their City email address on none City devices. Had the address been correct, it would have been stopped. Even if only for this one account, I need a rule to check that the Mayor's display name matches the Mayor's email account and I am at a loss how to manage that with SA rule structure. Any thoughts on that or has anyone done something similar? DAve -- Dave Goodrich Information Technology City of Greenfield, Indiana 317-477-4309