Self-Spam confusion - ORF Forums

@Marcin: "In the ORF logs that the sender is not from my domain"
That means the SMTP sender address was not spoofed (or at least the server did not spoof your domain name).
"Outlook shows that I got the spam email from myself "
This means the sender spoofed your domain in the MIME sender address (see the difference at http://vamsoft.com/faq.asp#whynotsender)

To block these, you should add a Keyword Blacklist expression with "Email header (raw MIME)" scope, see http://www.vamsoft.com/howto-blacklist-self-spam.asp#mime-sender-spoofing for detailed instructions.

@Marcin: You can learn more about self-spam and the tools ORF offers against it at http://vamsoft.com/r?selfspam - you will also find detailed instructions in the above article.

I guess you have already read that article a year ago when you blacklisted your domain, but this time focus on the "MIME Sender Spoofing" section at the end of the article, because that section applies to your current situation.

Let me know if you have any questions.

@Marcin: Yes, but fortunately this has to be done only once, and you can add all domains in a single expression like

.*^From:[^\r\n]*\b[^\r\n]*@(yourdomain1|yourdomain2|yourdomain3)\.com\b[^\r\n]*\s$

@Marcin: It is almost correct, but expressions parts with an 'or' relation must be enclosed between parentheses, like (option1|option2|option3). Due to this, your expression would look like:

.*^From:[^\r\n]*\b[^\r\n]*@(DOMAIN1|DOMAIN2|DOMAIN3)\.(com|hu|pl|es)\b[^\r\n]*\s$

...and that should cover domain1.com, domain2.hu, domain2.es, domain3.com, etc.

You can find an excellent introduction to regular expressions here: http://www.regular-expressions.info/