On Thu, 18 Apr 2019 04:07:36 +0000 David Jones wrote: > I would like to use the AskDNS plugin to query a private DBL that I > can populate/manage. The idea is to subtract a few points for > inbound O365 domains that have been seen before in an effort to help > block compromised O365 accounts from domains that have never been > seen before. > > Ideally a new tag would be created when the last external relay is an > outbound.protection.microsoft.com host and the X-Originating-Org > header value (which should match the EnvelopeFrom domain) is used to > make a new tag like _O365ORG_
IIWY I'd just lookup sender or author and do the rest in a meta-rule.
