Some spammers falsify email addresses so that the message appears to originate from a sender within the recipient's own domain. For example, suppose the recipient works for company "XYZ" and has the corporate email address john@xyz.com. A spammer might then pose as frank@xyz.com in an attempt to evade detection.
Guard against this tactic by adding a rule to the "Mail from external hosts" section of the policy that filters incoming mail from senders pretending to be a member of the same domain. The rule tests external messages for the presence of the domain in the Envelope from and Sender parts. Any messages containing the specified domain are quarantined.
To Quarantine Messages from Fake Senders using the PureMessage Manager:
Policy Script
To Quarantine Messages from Fake Senders by manually editing the policy script:
    # attr NAME=Mail from external hosts
    else {
        pmx_add_header "X-PMX-Version" "%%PMX_VERSION%%";
        pmx_mark "Size" "%%MESSAGE_SIZE%%";

        # attr NAME=Clean mail containing viruses
        if pmx_virus {
            pmx_file "Virus";
            pmx_virus_clean "cantclean.tmpl";
            pmx_replace_header "Subject" "[PMX:VIRUS] %%SUBJECT%%";
            pmx_replace_header "X-PerlMx-Virus-Detected" "%%VIRUS_IDS%%";
        }

        # attr NAME=Check for fake senders
        if anyof(address :all :matches :comparator "i;ascii-casemap" ["from"] ["**xyz.com"],
                 envelope :comparator "i;ascii-casemap" :all :matches ["from"] ["**xyz.com"]) {
            pmx_quarantine "Fake Sender";
            stop;
        }
See the Policy Script Tutorial for more information about modifying the policy script from the command line.
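Before deploying the "Check for fake senders" rule, it helps to see which addresses its pattern actually catches. The following Python model of the rule is an added example, not part of PureMessage or of the original page. It assumes the wildcard semantics of standard Sieve (RFC 5228), where `*` matches zero or more characters so `**` behaves like `*`; the stricter patterns and all sample messages are constructed for illustration.

```python
import re
from email.utils import getaddresses

def sieve_matches(pattern, value):
    """Model of Sieve ':matches' with the i;ascii-casemap comparator:
    '*' = zero or more characters, '?' = exactly one, ASCII case-insensitive."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    flags = re.IGNORECASE | re.ASCII | re.DOTALL
    return re.fullmatch("".join(parts), value, flags) is not None

def fake_sender(envelope_from, from_header, patterns):
    """The rule's anyof(): true if the From header address or the
    envelope sender matches any pattern (':all' = the whole address)."""
    header_addrs = [addr for _, addr in getaddresses([from_header])]
    candidates = header_addrs + [envelope_from]
    return any(sieve_matches(p, a) for p in patterns for a in candidates)

PAGE_PATTERN = ["**xyz.com"]            # pattern as written in the policy script
STRICT = ["*@xyz.com", "*@*.xyz.com"]   # assumption: anchor the domain at '@' or '.'

# Constructed sample messages: name -> (envelope sender, From header)
SAMPLES = {
    "forged_header":   ("bounce@mailer.example", "Frank <frank@xyz.com>"),
    "forged_envelope": ("frank@XYZ.com", "Frank <frank@other.example>"),
    "lookalike":       ("news@abcxyz.com", "News <news@abcxyz.com>"),
    "unrelated":       ("alice@example.org", "Alice <alice@example.org>"),
}

def verdicts(patterns):
    """Return {sample name: True if the rule would quarantine it}."""
    return {name: fake_sender(env, hdr, patterns)
            for name, (env, hdr) in SAMPLES.items()}

if __name__ == "__main__":
    for label, pats in (("page pattern", PAGE_PATTERN), ("strict patterns", STRICT)):
        print(label, verdicts(pats))
```

Under these assumptions the page's pattern also quarantines mail from any unrelated domain that merely ends in `xyz.com`, which the anchored patterns avoid. Confirm how PureMessage treats wildcards in your version before changing the pattern in a live policy.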