Hi,

>> It's easy to write a CUSTOM set of rules just for actual/likely
>> targeted senders (CEO/etc).
>> For each person/target, create a rule that tests an explicit
>> list of that person's normal Realname(s) (including reasonable
>> variations), against the Realname part of the From header, and
>> if there's a match, test whether the From Address is in a list
>> of allowed addresses. Score only if it's a probable phish
>> Realname from an unknown/unallowed address.
>
> I've also been battling this for a long time. Those unknown/unallowed
> addresses are basically the list of permissible domains, I would
> think, correct?

Oops, I meant the inverse of a list of permissible domains, correct? As in !MY_AUTH_ADDR.

I'm really more interested in ideas on how to handle From:addr spoofing and whether they should just be outright blocked if not on my own SPF list.

Thanks,
Alex
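
The Realname-versus-allowed-address check described in the quoted text, sketched in Python as an added example (not part of the original message, and not SpamAssassin rule syntax). The `PROTECTED` table, the names and the addresses are constructed for illustration; the normalization step is an assumption about what "reasonable variations" should cover.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample data: protected person -> (Realname variants, allowed addresses).
PROTECTED = {
    "ceo": ({"jane doe", "jane q doe", "doe jane"},
            {"jane.doe@example.com", "jdoe@example.com"}),
}

def normalize_name(raw):
    """Decode RFC 2047 encoded-words, fold case and compatibility forms, drop punctuation."""
    try:
        text = str(make_header(decode_header(raw)))
    except Exception:
        text = raw  # malformed encoded-word: compare the raw text instead
    # NFKC folds fullwidth and similar compatibility characters; it does not
    # map cross-script look-alikes (e.g. Cyrillic letters) to Latin.
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[^\w\s]", " ", text)  # "Doe, Jane" -> "doe  jane"
    return " ".join(text.split())

def check_from(from_header):
    """Return the protected key when the Realname matches a protected person
    but the address is not in that person's allowed list, else None."""
    name, addr = parseaddr(from_header)
    name = normalize_name(name)
    addr = addr.strip().lower()
    for key, (names, allowed) in PROTECTED.items():
        if name in names and addr not in allowed:
            return key
    return None

if __name__ == "__main__":
    # Constructed From headers.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <ceo.office@mail.example.net>",
        "=?UTF-8?B?SmFuZSBEb2U=?= <x@mail.example.net>",
        '"Doe, Jane" <JDoe@Example.com>',
        "Bob Smith <bob@elsewhere.example>",
    ]
    for s in samples:
        print(f"{check_from(s)!s:5} {s}")
```

Only the second and third samples are flagged: the Realname matches a protected person while the address is outside that person's allowed list, including when the display name arrives as an encoded-word.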