Hi,

On Tue, Oct 31, 2017 at 6:49 AM, Rupert Gallagher <r...@protonmail.com> wrote:
> This is my reading of it.
>
> - You may have received an e-mail addressed to someone else.
> I do not know your setup, but this is what it looks like from my seat.
> (Sent "To" @puffin.net, but "Received: from" futurequest.net.)
> We have a custom rule for this junk. In general, if your domain is
> example.com and your server receives e-mail to whatever.com,
> then you can reject it by local policy.
>
> header __LOCAL_DOMAIN To:raw =~ /\@yourdomain\.com/
> meta T_FD ( !__LOCAL_DOMAIN )
> describe T_FD To: foreign domain
> score T_FD 5.0

This will also hit undisc-recips mail, bcc, and some mailing lists.

We started seeing these yesterday afternoon. They continued through 2:30am this morning, then abruptly stopped. Thankfully every single one was blocked with spamhaus or sorbs or another RBL.

"Chip" wrote:
> I need to do a _LOT_ more reading, but for now, I've added
> seat-of-my-pants rules for exact word matches on:
> DDE
> instrText
> AUTO
> gfxdata

Where are you seeing this? In the body? The DDE I assume is the result of something run on the attachment?

Have all the attachments contained "Invoice"?

I'm also still seeing those phishes with "invoice" or "payment" in the URL that started like a month ago. Sometimes more than a thousand a day, none of which are ever rejected outright by an RBL.
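
Added example (not part of the original thread): a Python sketch of why the quoted T_FD rule also hits undisclosed-recipient, Bcc and mailing-list mail, as the reply notes. It mimics only the rule's To: regex check; the sample messages and addresses are constructed, and the helper names are hypothetical.

```python
import re
from email import message_from_string

# Pattern copied from the quoted rule; yourdomain.com is the thread's placeholder.
LOCAL_DOMAIN = re.compile(r"\@yourdomain\.com")

def t_fd_hits(raw_message):
    """Mimic `meta T_FD ( !__LOCAL_DOMAIN )`: hit when no To: header matches."""
    to_headers = message_from_string(raw_message).get_all("To") or []
    return not any(LOCAL_DOMAIN.search(value) for value in to_headers)

# Constructed samples: (label, wanted mail?, raw headers). Each wanted message
# is assumed to have reached alice@yourdomain.com via the SMTP envelope.
SAMPLES = [
    ("direct", True,
     "From: bob@example.org\nTo: alice@yourdomain.com\nSubject: hi\n\n"),
    ("undisclosed", True,
     "From: bob@example.org\nTo: undisclosed-recipients:;\nSubject: hi\n\n"),
    ("bcc", True,
     "From: bob@example.org\nTo: carol@example.net\nSubject: fyi\n\n"),
    ("mailing-list", True,
     "From: dave@example.org\nTo: users@lists.example.org\n"
     "List-Id: <users.lists.example.org>\nSubject: re\n\n"),
    ("misaddressed-spam", False,
     "From: x@example.com\nTo: someone@whatever.com\nSubject: Invoice\n\n"),
]

def evaluate(samples=SAMPLES):
    """Return {label: (rule_hit, false_positive)} for each sample."""
    results = {}
    for label, wanted, raw in samples:
        hit = t_fd_hits(raw)
        results[label] = (hit, hit and wanted)
    return results

def false_positives(samples=SAMPLES):
    """Labels of wanted messages that would still collect the 5.0 score."""
    return [label for label, (_, fp) in evaluate(samples).items() if fp]

if __name__ == "__main__":
    for label, (hit, fp) in evaluate().items():
        status = "hit" if hit else "-"
        note = "FALSE POSITIVE" if fp else ""
        print(f"{label:18} T_FD={status:4} {note}")
```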