Content Filtering (Regex)

Author Message
Jason.Bere
  • Total Posts : 25
  • Reward points : 0
  • Joined: 5/28/2012
Content Filtering (Regex) - Thursday, August 09, 2018 1:10 PM
Despite this forum appearing to be abandoned/useless, I'm going to try asking another question here before escalating.
 
I'm trying to use Advanced Content Filtering to delete mails coming from outside our company that appear to have our email address. Sounds simple right?
 
Yes, I'm also doing this through the SPF module, but I want different behaviors for "typical" SPF failures due to badly configured mail policies and things that are absolutely guaranteed malicious junk - spoofing our own senders.
 
I've got a Regex that successfully identifies the From: header and our email domain.
(?i)^from:.*@ourdomain\.tld>$
 
The problem is that despite this being checked "Check Inbound Emails" only in MailEssentials settings, it's constantly firing on all the email we send. Repeated for emphasis: I've set the rule to operate Inbound only, and it's triggering on sent emails.
 
Is there a resolution for this?
 
Alternately is there a way I can write a regex to check multiple lines? If I can check the IP address as well as the From, or the Received: from for the machine name, I could easily distinguish between legitimate senders and the spoofed crap.