Block lists are increasingly failing to catch on-the-fly domains like "google.com-e.cc", meaning that users get sent emails that seemingly come from legitimate email addresses as the from and envelope addresses are valid (either local or external). The SPF and DKIM often pass too, but what I've noticed is that the reply-to field has the domain appended with something. There must be a way we can check if either of the three (from, return-path or reply-to) fields contains a valid domain hosted on an ISPconfig server, but is appended with something else. Unless you host very short domains this should not be a false alarm concern. The regex shouldn't be too hard, but as the domains are listed in mysql, how would one combine the two? something along the lines of: !^<known domain>$, BOUNCE. Example headers: From: Djerk Geurts <djerk[at]maizymoo.com> To: info[at]maizymoo.com Return-Path: <graham[at]tandgnewcombe.co.uk> (valid domain, but in this instance no SPF sigh) Reply-To: Djerk Geurts <djerk[at]maizymoo.com-e.cc>