On 08/10/2016 10:50 AM, Merijn van den Kroonenberg wrote:
Hmm. Tagging the message is an option. Though I think I'd rather just
reject...that seems to make more sense. I'll need to do some research on
how to reject messages with a from and to domain of my domain that match
that are being sent from an external network. In theory, these messages
should always be coming from itself (single mail server setup here).


I wonder if there is a rule which can detect if sender (from) domain
matches (a) recipient domain.

There is no such rule in stock SA but it's not too hard to create a header rule chain containing your rcpt domains in From: and meta that with a similar list in To:
If the domain list changes frequently, this can probably be automated.


I could use this kind of rule in combination with other rules to make them
a bit more 'strict' as it would imply the sender is a customer of ours.


This particular email has a macro-enabled Word document attached, but I
don't want to assume this will be the case every time.

Any tips/tricks/suggestions would be greatly appreciated!


Actually I was investigating this same (type) of mail here too. Some with
docm attachments came through. We do scoring on attachment file extension
(custom plugin which also looks inside zips) but not outright blocking
(yet). The ones which came through didn't hit many other rules. The only
thing which catches the eye is the spoofed from address in the customer's
domain.
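
An added example, not part of the original thread: one way to automate the header rule chain suggested above, generating the two header sub-rules and the meta rule from a list of recipient domains. The rule names, the score and the sample domains are assumptions chosen for illustration; `From:addr` and `ToCc` are standard SpamAssassin header selectors.

```python
import re

# Hypothetical rule names; pick your own for local.cf.
FROM_RULE = "__LOCAL_FROM_OUR_DOMAIN"
TO_RULE = "__LOCAL_TO_OUR_DOMAIN"
META_RULE = "LOCAL_FROM_AND_TO_OUR_DOMAIN"

# Accept only plain host names so nothing regex-active reaches the rule file.
_DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def build_rules(domains, score=0.5):
    """Return SpamAssassin rule text for the given recipient domains.

    The score is a placeholder: the meta rule is meant to be combined
    with other rules, not to reject mail on its own.
    """
    cleaned = sorted({d.strip().lower().rstrip(".") for d in domains if d.strip()})
    if not cleaned:
        raise ValueError("no recipient domains given")
    for d in cleaned:
        if not _DOMAIN_RE.match(d):
            raise ValueError(f"not a plain domain name: {d!r}")

    # Escape the dots; hyphens are literal outside a character class.
    alt = "|".join(d.replace(".", r"\.") for d in cleaned)
    lines = [
        # From:addr is the bare sender address, so anchor at the end.
        f"header {FROM_RULE} From:addr =~ /\\@(?:{alt})$/i",
        # ToCc is the raw To/Cc text; the lookahead stops a match on
        # look-alikes such as example.com.other.test.
        f"header {TO_RULE} ToCc =~ /\\@(?:{alt})(?![\\w.-])/i",
        f"meta {META_RULE} ({FROM_RULE} && {TO_RULE})",
        f"describe {META_RULE} From: and To:/Cc: both use one of our domains",
        f"score {META_RULE} {score}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample domains.
    print(build_rules(["example.com", "example.org"]), end="")
```

Write the output to a file included from `local.cf` and run `spamassassin --lint` before reloading.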


