Help needed with Transport Rule

Exchange 2007: Like most people, we are getting inundated with junk emails. I noticed that a good proportion of them are coming from email addresses from the top level domain ".date"

We never get genuine emails from .date domains, so I decided to do a transport rule to block them. I've tried two different ways so far, but neither of them have had any effect...

Firstly I tried a rule with 'When the From address contains specific words' box checked. And I put .date in the data.

Then I tried a rule with the 'When the From address contains text patterns' and I put .date in the data.

With both of then I specified an action to silently drop the message. These rules are not working. I suspect it is the .(dot) which is causing the problem. I cannot use "date" without the dot because some genuine emails will have "date" in another part of the email address.

Can I get this working?
Merlin-EngWorks ManagerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Zaheer IqbalTechnical Assurance & ImplementationCommented:
Do you content filter Agent installed ?
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Can you check the email header and check it is actually coming from that domain.
Zaheer IqbalTechnical Assurance & ImplementationCommented:
Another option is to set-up a Catch All Mailbox.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
lol #1
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
are you sending and receiving mail straight through a firewall here?

do you not have a middle man delivering and receiving email?

block the mails here, you obviously have some big problems here if you are even receiving these.
buy mimecast it will save your life.

you have to stop this stuff getting to your exchange server, not blocking it from within the exchange server, the war has already been lost at that point.
All the CVE's documented these days it is just too risky, cut the mail out using a known trusted sender like Mimecast. Mimecast in my opinion have better spam protection than Microsoft.

Merlin-EngWorks ManagerAuthor Commented:
Sorry for the delay in replying, i've been out all day

@Zaheer Iqbal: yes the content filter is installed, (I think it is installed as standard). No the emails are not coming from the domains specified in the from address. I have been analysing the emails. They are using a different block of IP addresses, and different .date domains every day. I don't see what purpose a catch-all mailbox would serve here.

@Mark Bill: Yes we are sending and receiving straight through the firewall. I know we would be better protected with something like mimcast, but we aren't currently doing it.

None of the replies so for have commented on my original problem. Shouldn't it be possible to create a transport rule to block an entire top level domain?
FOXActive Directory/Exchange EngineerCommented:
Set your rule using "when the From address matches text patterns"  and input your info

ref link:

go down to comment by coa57y.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Merlin-EngWorks ManagerAuthor Commented:
@Fox: That was what i was looking for. I needed the wildcard character in front of my .date text pattern. Thank you so much,
Mark BillExchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1Commented:
Ye sending email straight over the internet is madness, middle man must be used in my opinion.
best of luck.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.