Thanks. I'll see if we can test this.   I know help isnt always help....lol

# Apply on incoming eMail from the Internet connector called “SMTP”
# AND if the sender specified does NOT equal the from address
# Then add a custom header indicating the mismatch for later processing
if( recv-listener == “SMTP” )
{
if( from != sender )
{
insert-header( “X-FromNotEqualSender”, “True” );
}
}

Additional, what are the headers the ESA recognizes for:
From Header
Sender Envelope
Reply-To

It is understood that legitimate eMail can have all three of these be different values, we’re, just looking to identify them for later potential processing.

all the RFC places I looked say the headers are just:
From
Sender
Reply-To
but other Cisco documentation says “mail-from” as well as From:, so I’m not sure which one to use to get the ESA’s attention properly when it looking at the rule we’re tyring to create

I created a new message filter
FromNotEqualSender:
if( recv-listener == “SMTP” )
{
if( (header(“From”) != (header(“Sender”)) OR ((mail-from != (header(“Sender”)) )
{
insert-header( “X-FromNotEqualSender”, “TRUE” );
}
}
.
and got the error:
An error occurred during processing: filter:4:23:expected ‘STRING’
so it looks like it might require a string and not another function when doing it’s comparison

I'm not aware of this being possible. If you happen to find something that works for you, please do let us know though.

Thanks!

-Dennis M.