Are you using or able to use 3.4.3-rc6 because there is a new feature for this that you can implement called subjprefix that can mark external emails with External in the subject. Depends on your usage.
On 11/21/2019 1:24 PM, Dave Goodrich wrote: > Good day, > > I know I will incur some wrath for this but I have the Mayor breathing down > my neck. We stop nearly all spam now, but some does get through. Mostly it > has been mail from gmail and outlook servers that pass DKIM and SPF. > > This morning a large number of messages appearing to come from the Mayor were > delivered. The email is technically legitimate and was scored appropriately. > Unfortunately, the From address was in the following format 'the Mayor's > display name <random-numb...@gmail.com>'. So, everyone who saw the message > opened it because it looked like it came from the Mayor. then they called the > Mayor's office. > > - The message was benign. > - The users know to hover over display names to check the address, but this > was the Mayor. They did not. > - All mail delivered locally comes through our server. No one is allowed to > use their City email address on none City devices. Had the address been > correct, it would have been stopped. > > Even if only for this one account, I need a rule to check that the Mayor's > display name matches the Mayor's email account and I am at a loss how to > manage that with SA rule structure. > > Any thoughts on that or has anyone done something similar? > > DAve > > -- > Dave Goodrich > Information Technology > City of Greenfield, Indiana > 317-477-4309 -- Kevin A. McGrail kmcgr...@apache.org Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171