Send admin notifications on x number of messages from an email address


Hi,

We're having a problem with a repeat spam/phishing offender that recycles email addresses from a particular domain. Because the email address is new it hasn't had a chance to be picked up by blacklists, so it doesn't get picked up as spam. We can't block on content, subject or sender because it all changes so for these campaigns we're relying on user reports to give us the heads up. We also can't block the domain because we receive legitimate email from the domain also.

I'd like to change this so we can hit them before users notice and possibly whilst the spam campaign is in flight but I'm unsure as to how to go about it.

Is there a rule or other setting I can configure which sends notifications to specific e-mail addresses if, say 100 emails were received from any email address (or from a specific domain?) within an hour, or 5 hours? I don't see how I can configure such a rule in mailflow rules so I'm guessing this might be somewhere else.

There's an element of us likely being falsely alerted to marketing campaigns, but hopefully it's configurable enough that we can limit it down to only applying this against a specific sender domain, or adding a new custom mailflow rule which will lower the likelihood of false positives.

Many thanks,

- Lsward

1 Reply

That's not something you can achieve with rules. You will have to run a PowerShell script that periodically polls the message tracking logs/message trace and gives you the aggregates for a given period of time.
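
The aggregation the reply describes, as an added example that is not part of the original thread: it counts messages per sender for one watched domain inside a look-back window and returns the senders that reach a threshold. The function name `Get-SenderBurst`, the `example.net` domain, the addresses, the SMTP host and the sample rows are assumptions made up for illustration; the commented lines show where `Get-MessageTrace` output would be fed in.

```powershell
# Added example. Flags senders in a watched domain whose message count inside
# the look-back window reaches a threshold.
# Assumption: Received values and $Now are expressed in the same time zone.
function Get-SenderBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Trace,    # rows with SenderAddress and Received
        [Parameter(Mandatory)] [string]   $Domain,   # watched sender domain
        [int]      $Threshold = 100,
        [timespan] $Window    = (New-TimeSpan -Hours 1),
        [datetime] $Now       = (Get-Date)
    )
    $cutoff = $Now - $Window
    $Trace |
        Where-Object { $_.SenderAddress -like "*@$Domain" -and
                       $_.Received -ge $cutoff -and $_.Received -le $Now } |
        Group-Object -Property SenderAddress |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Sender    = $_.Name
                Messages  = $_.Count
                FirstSeen = ($_.Group | Measure-Object -Property Received -Minimum).Minimum
                LastSeen  = ($_.Group | Measure-Object -Property Received -Maximum).Maximum
            }
        }
}

# Constructed sample rows standing in for message trace output.
$now = Get-Date '2019-11-11T12:00:00'
$sample = @(
    1..120 | ForEach-Object { [pscustomobject]@{ SenderAddress = 'new-offer@example.net'; Received = $now.AddSeconds(-20 * $_) } }
    1..8   | ForEach-Object { [pscustomobject]@{ SenderAddress = 'accounts@example.net';  Received = $now.AddMinutes(-5 * $_) } }
    1..150 | ForEach-Object { [pscustomobject]@{ SenderAddress = 'news@example.org';      Received = $now.AddSeconds(-10 * $_) } }
)
# Only new-offer@example.net (120 messages) is returned; the low-volume sender
# and the other domain are ignored.
Get-SenderBurst -Trace $sample -Domain 'example.net' -Threshold 100 -Now $now

# Live use from a scheduled task, after Connect-ExchangeOnline (one page, up to 5000 rows):
# $end   = (Get-Date).ToUniversalTime()
# $rows  = Get-MessageTrace -SenderAddress '*@example.net' -StartDate $end.AddHours(-1) -EndDate $end -PageSize 5000
# $burst = Get-SenderBurst -Trace $rows -Domain 'example.net' -Now $end
# if ($burst) {
#     Send-MailMessage -To 'admins@example.com' -From 'alerts@example.com' -SmtpServer 'smtp.example.com' `
#         -Subject 'Sender volume threshold reached' -Body ($burst | Format-Table | Out-String)
# }
```

Raising `-Threshold` or widening `-Window` to 5 hours trades alert speed against the marketing-campaign false positives mentioned in the question.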