I am trying to create a rule to detect when an email is sent to a large number of recipients.
As there is no such capability in the rules, I have made the following: a rule that detects the SMTP protocol AND a regex to detect email addresses: \b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b
The problem is that I get a lot of false positives, even though I have the options "Count all unique matches" and "Match On: Envelope" only. It doesn't take the latter into account and also searches in the body, so if the message has been replied to several times, many email addresses appear in the body. So if I want to set X number of recipients to send a warning, it will send to many others if it matches in the body.
What can I change?
Thank you very much in advance
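
The false positive described in the post can be reproduced outside the product. The following is an added example, not part of the original post and not the DLP product's own logic: it counts unique matches of the post's regex over a whole SMTP session and compares that with the unique RCPT TO addresses taken from the envelope only. The session text, function names and the limit of 5 are constructed for illustration.

```python
import re

# Address pattern from the post, unchanged.
ADDR_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b")
# SMTP envelope recipient command (RFC 5321): RCPT TO:<address>
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<([^>]+)>", re.IGNORECASE)

# Constructed client side of one SMTP session: 2 envelope recipients,
# plus a quoted reply chain in the body that mentions 4 other addresses.
SAMPLE = """EHLO client.example
MAIL FROM:<alice@example.com>
RCPT TO:<bob@example.org>
RCPT TO:<carol@example.org>
DATA
From: alice@example.com
To: bob@example.org, carol@example.org
Subject: Re: Re: minutes

On Monday dave@example.net wrote:
> cc erin@example.net, frank@example.net, grace@example.net
.
QUIT""".splitlines()

def envelope_recipients(client_lines):
    """Unique RCPT TO addresses; everything between DATA and the lone '.' is skipped."""
    rcpts, in_data = set(), False
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            in_data = line != "."      # a line holding only '.' ends the message content
            continue
        if line.strip().upper() == "DATA":
            in_data = True             # headers and body follow; not part of the envelope
            continue
        m = RCPT_RE.match(line)
        if m:
            rcpts.add(m.group(1).lower())  # lowercased for de-duplication (simplification)
    return rcpts

def naive_unique_matches(client_lines):
    """What a whole-message regex count sees: sender, headers and quoted replies too."""
    return {a.lower() for a in ADDR_RE.findall("\n".join(client_lines))}

def over_limit(addresses, limit):
    return len(addresses) > limit

if __name__ == "__main__":
    print("regex over whole message:", len(naive_unique_matches(SAMPLE)))
    print("envelope recipients only:", len(envelope_recipients(SAMPLE)))
```

With a limit of 5, the whole-message count (7 unique addresses) triggers while the envelope count (2 recipients) does not.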