> Hmm. Tagging the message is an option. Though I think I'd rather just
> reject...that seems to make more sense. I'll need to do some research on
> how to reject messages with a from and to domain of my domain that match
> that are being sent from an external network. In theory, these messages
> should always be coming from itself (single mail server setup here).
>

I wonder if there is a rule which can detect if sender (from) domain
matches (a) recipient domain.

I could use this kind of rule in combination with other rules to make them
a bit more 'strict' as it would imply the sender is a customer of ours.

>
> This particular email has a macro-enabled Word document attached, but I
> don't want to assume this will be the case every time.
>
> Any tips/tricks/suggestions would be greatly appreciated!
>

Actually I was investigating this same (type) of mail here too. Some with
docm attachments came through. We do scoring on attachment file extension
(custom plugin which also looks inside zips) but not outright blocking
(yet). The ones which came through didn't hit many other rules. The only
thing which catches the eye is the spoofed from address in the customer's
domain.
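
The two checks discussed in this thread (a From domain equal to the recipient domain on a message that arrived from an external host, and attachment extension scoring that also looks inside zips), written out as an added Python example; it is not code from either poster and not a SpamAssassin rule or plugin. `INTERNAL_NETS`, `MACRO_EXTS`, the function names, the way the connecting IP is passed in, and the sample message are all assumptions constructed for illustration.

```python
import io
import ipaddress
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

MACRO_EXTS = (".docm", ".xlsm", ".pptm", ".dotm")        # assumed extension list
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # placeholder for your own ranges

def domain_of(addr):
    """Lower-cased domain of an address or From header value, '' if there is none."""
    _, at, dom = parseaddr(addr)[1].rpartition("@")
    return dom.lower() if at else ""

def is_external(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in INTERNAL_NETS)

def macro_names(msg):
    """Macro-enabled file names among the attachments, including names inside zips."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTS):
            hits.append(name)
        elif name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += [n.lower() for n in zf.namelist() if n.lower().endswith(MACRO_EXTS)]
            except zipfile.BadZipFile:
                hits.append(name + " (unreadable zip)")  # flag it rather than skip silently
    return hits

def check(raw, rcpt, client_ip):
    """rcpt is the envelope recipient, client_ip the connecting host as seen by the MTA."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(str(msg.get("From", "")))
    same = bool(from_dom) and from_dom == domain_of(rcpt)
    return {"own_domain_from_external": same and is_external(client_ip),
            "macro_attachments": macro_names(msg)}

def sample():
    """Constructed test message: From in the recipient's domain, a .docm inside a zip."""
    m = EmailMessage()
    m["From"], m["To"] = "Accounts <accounts@example.com>", "bob@example.com"
    m.set_content("See attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.docm", b"constructed placeholder")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()
```

The two results are kept separate so that each can feed a score rather than a hard reject, matching the scoring approach described in the reply above.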

