Is there a way to do some more granular blocking based on the server HELO being used?
We're seeing spam come from, for example:
Received: from uucv.pisem.net (18.104.22.168 [22.214.171.124]) by... etc
So the IP is in India and doesn't match the claimed relay of pisem.net.
They're also spoofing a personal domain name of someone known to communicate with us, e.g. name[@]surname.com, so the SPF obviously fails, but the messages still get through (for various reasons).
I'd like to be able to block on something like:
Envelope From: name[@]surname.com
HELO = *.pisem.net (and for that matter anything *.ru)
Is there some way of doing this?
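
The rule described in the post (envelope sender combined with a HELO wildcard), written out as a generic matching function. This is an added example, not part of the original post and not any mail gateway's own rule syntax; `RULES`, `parse_received` and `should_block` are hypothetical names, and the sample header is constructed.

```python
import re
from fnmatch import fnmatchcase

# Hypothetical rule table: block when the envelope sender matches AND the
# HELO name matches any listed wildcard. Values mirror the post's placeholders.
RULES = [
    {"mail_from": "name@surname.com", "helo": ["*.pisem.net", "*.ru"]},
]

# Matches the "from HELO (rdns [ip])" shape shown in the post's Received line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
)

# Constructed sample header (documentation IP range, not real traffic).
SAMPLE = "Received: from uucv.pisem.net (unknown [192.0.2.25]) by mx.example.org"


def parse_received(line):
    """Return the claimed HELO, reverse-DNS name and IP of one Received hop."""
    m = RECEIVED_RE.search(line)
    return m.groupdict() if m else None


def should_block(mail_from, received_line, rules=RULES):
    """True when envelope sender and claimed HELO both match one rule."""
    hop = parse_received(received_line)
    if hop is None:
        return False  # unparseable header: leave the decision to other filters
    # HELO is a value the connecting host claims; normalise case and a
    # trailing dot so trivial variations do not slip past the wildcard.
    helo = hop["helo"].lower().rstrip(".")
    sender = mail_from.strip().lower()
    for rule in rules:
        if fnmatchcase(sender, rule["mail_from"]) and any(
            fnmatchcase(helo, pattern) for pattern in rule["helo"]
        ):
            return True
    return False


if __name__ == "__main__":
    print(parse_received(SAMPLE))
    print(should_block("name@surname.com", SAMPLE))
```

Because the HELO name is chosen by the sending host, a rule like this only holds while the sender keeps using that name; it works best scoped to the spoofed envelope sender, as the post proposes.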