@tychi I did a variation of this using a python-based milter. The format is alias.folder-domain@virtualhost. The milter looks for 'domain' somewhere in the headers, scored according to just what kind of header it finds it in. By default the milter does not flag, but i can set the score threshold and action (flag, reject, drop) for each domain tag the system sees using a customized postfixadmin page (sql for the backend). Most of the time I dont need to set a threshold, but every once and a while someone gets pwned and then I can turn the feature on with a couple clicks (or just ban the tag entirely!)