Hello tfrenz,

thanks for your answer.

This setup will remove or quarantine all mails from other providers and services, which sends mails in your (domain-)name from other hosts than your ESA. Is this correct? We have a lot of legitimate mails like this.

Also, this setup will catch your domain names, but not the names of executives in your company. In our case, forging our domain is not the problem (this we are handling by SPF), but the sender name (not mail) is forged.

You need control of your own domain - if you don't have that, then if any [genitalia] can send as your organisation, they will. You already have SPF set up - a good tough HARDFAIL terminating clause, I trust?

These steps aren't easy to do; they involve a lot of initial failures as your recipients learn what they can and cannot do, and the concept may be impossible for some organisations.

That then makes the following possible:

Spoof-From:
if ((sendergroup != 'RELAYLIST') AND (sendergroup != 'EXTERNALLIST')) {
    if header('From') {
        if header('From') == '@({domain1.tld}|{domain2.tld})' {
            strip-header('Subject');
            insert-header('Subject', '[NOT {company} SENDER] $Subject');
            insert-header('X-TAG-Query-Sender', 'Impersonates {company} equipment');
            skip-filters();
        }
    }
    else {
        strip-header('Subject');
        insert-header('Subject', '[NO FROM] $Subject');
        insert-header('X-TAG-Query-Sender', 'No From header');
        skip-filters();
    }
}
.

Here {domain1.tld} and {domain.tld} are your domains you are protecting, {company} is the name of your organisation and TAG is whatever you put in your own headers to make them unique. RELAYLIST is your sender group of your own servers and EXTERNALLIST is a new sender group for the very few outside machines that are allowed to use your domain. Yes, this will break some things but see my opening sentence.

This filter tags the mail and changes the subject line, but doesn't take any other action. The message is still in your pipeline and a subsequent content rule can take action, possibly in conjunction with other conditions.

I haven't used FED, but I believe it can be used to protect specific recipients in your domain so if you have a shortlist of recipients authorised to do silly things with your organisation's bank account, you can set it up just for them and not for your other recipients with an urgent need to receive mail from any [improvised sanitation] start-up who think they have a deity-granted right to impersonate them. We can only hope that your two groups of recipients don't overlap. Personally I prefer my solution, but it's only fair to point out that it does struggle with calendar responses that run around with the wrong From lines. However, I think that's a general problem - anyone know was it ever cleared up for bounce verification?

We have implemented our custom filters to assist end users with this challenge.

In short we do the following :

If 

not Whitelisted application or host

not OwnGroupDomains as sender

not any of 3500 public mailers

if SPF, SBRS, DKIM fail or reputation low

duplicate mail to quarantine for savekeeping for 14 days

keep original from in x-header

keep original reply-to in x-header

strip headers from and reply to

insert notification to end user that header was stripped

This saved our life so many times....in the last weeks/months. Initially users did complain about all those emails from bounces but have accepted it now ( > 40000 users)

We are currently working on regex based VIP detection filter in addition to the above to check for any VIP combination or fake domains.