On Wed, 2017-11-15 at 08:41 +0000, Sebastian Arcus wrote: > The emails often contain links to various popular cloud platforms - > such as SharePoint, DropBox etc. Most of the emails come from clean > domains, or from large webmail providers. > I'd say there is not a lot you can do if the legit solicitors and accountants you and your clients deal with normally use these public dropboxes to deliver documents. OTOH, if they don't do that, then if the mail claims to be from a solicitor or accountant you can use the presence those links as a spam recogniser, or go even further and treat any link that *doesn't* point to the sender's own domain as a spam indication.
Whether doing this is safe or not depends pretty much on what's in your normal mail stream and on what is seen as normal practice for the solicitors and accountants your users deal with. I use a mail archive as another way of finding spam: anybody in the archive who I've sent mail to gets tagged by a negative-scoring rule, but this may not work for you and your users. However, system performance isn't an issue. My archive is in a Postgres database and the view it uses to recognise addresses that have received mail from my domain is fast because the my DB schema was designed to support this type of query. Martin >
