1 Reply Latest reply on May 29, 2015 10:24 AM by eplossl

    Compliance dictionary misfiring

    bblanchard

      I'm working with a client running MEG 7.6 and they're running into a weird issue.

      They have a dictionary set up where they look for @mydomain.com and the "condition" is set to "Sender". The intent is to find spoofed email with their domain as the sender in the header-from. They're using another rule in parallel which looks for @mydomain.com in the Envelope from.

       

      What we've seen is that if we attach an email (as a .msg) which contains a From: bob@mydomain.com, the dictionary will trigger on it even though we told the compliance rule to only look in the "Sender" and not in the attachment. It's as if the compliance rule scans the attachment, sees that it's another email, scans the email header and fires on it.

       

      Is this expected behavior?
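
The distinction the post describes, as an added example that is not part of the original post and makes no claim about how MEG itself scans: a check scoped to the outer header-from does not match, while a scan that descends into attached messages does. It assumes the attachment is a MIME `message/rfc822` part (.eml) rather than an Outlook .msg file; the sample message and the function names are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

DOMAIN = "mydomain.com"  # domain named in the post

# Constructed sample: an external sender forwards a message as an attachment.
RAW = """\
From: alice@partner.example
To: helpdesk@mydomain.com
Subject: FW: please review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="original.eml"

From: bob@mydomain.com
To: alice@partner.example
Subject: original

Hello.
--b1--
"""

def from_domain(msg):
    """Domain of the From: header of this message object only."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def header_from_hit(msg, domain=DOMAIN):
    """Match restricted to the outer header-from (the scope the rule is meant to have)."""
    return from_domain(msg) == domain

def nested_from_hits(msg, domain=DOMAIN):
    """From: addresses matching the domain inside attached message/rfc822 parts."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            for inner in part.get_payload():  # list holding the attached message
                if from_domain(inner) == domain:
                    hits.append(parseaddr(str(inner["From"]))[1])
    return hits

msg = message_from_string(RAW, policy=policy.default)
```

Comparing the two results for a flagged message shows whether the match came from the message's own header-from or from a header inside an attachment.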