Thanks for the previous answer on :execute.

In thinking about malicious input, I am worried about the possibility that mail will be sent with a clever From line. (Section 7 of http://www.ietf.org/rfc/rfc5229.txt is great, btw.)

To address this, I'm considering the following, and would appreciate feedback. I'm aware that this doesn't capture all emails; those with non-alphanum are legit, and badly handled. I think that this restricts the input of the grepfrom script to be a single string, matching "a-zA-Z0-9 at .":

    require ["fileinto", "mailbox", "regex", "variables", "vnd.dovecot.execute"];

    # Anything other than alphanumerics, one "@" and dot-separated labels is filed away.
    if not address :regex "from" "^[[:alnum:]]+@[[:alnum:]]+(\\.[[:alnum:]]+)*$" {
        fileinto :create "wierd";
        stop;
    } elsif address :regex "from" "(.*)" {
        # ${1} holds the address that passed the check above.
        set "sender" "${1}";
        if execute "grepfrom" "${sender}" {
            keep;
            stop;
        } else {
            fileinto :create "neversent";
        }
    }

As an aside, https://www.joachim-breitner.de/blog/441-Goodbye_procmail,_Hello_Sieve contains a nice pattern, creating an include file to test, and that addresses many, but not all, of my use cases. Should I worry if the match there is 5000+ strings?

Adam
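One way the `grepfrom` helper itself could re-check the sender before matching it, as an added example that is not part of the original message. Only the script name comes from the post; the `SENT_LIST` file (one address per line), its default path and the exit codes (0 = found, 1 = not found, 2 = rejected input) are assumptions.

```shell
#!/bin/sh
# Hypothetical grepfrom helper (added example, not the poster's script).
# Exit 0 if the sender is listed, 1 if it is not, 2 if the input is rejected.
LC_ALL=C; export LC_ALL            # make the A-Z / a-z / 0-9 ranges byte-exact

# Assumed location of the address list, one address per line.
SENT_LIST="${SENT_LIST:-$HOME/.sent-addresses}"

grepfrom() {
    # Sieve should pass exactly one argument; refuse anything else.
    [ "$#" -eq 1 ] || return 2
    addr=$1

    # Repeat the allow-list here so the script does not depend on the
    # Sieve regex being correct: alphanumerics, one "@" and dots only.
    case $addr in
        ''|*[!A-Za-z0-9@.]*) return 2 ;;        # empty, or a character outside the set
        *@*@*)               return 2 ;;        # more than one "@"
        @*|*@|.*|*.)         return 2 ;;        # empty local part/domain, edge dots
        *..*|*@.*|*.@*)      return 2 ;;        # empty label next to "." or "@"
        *@*)                 ;;                 # looks like local@domain
        *)                   return 2 ;;        # no "@" at all
    esac
    [ "${#addr}" -le 254 ] || return 2          # bound the length as well

    # -F: the address is a fixed string, never a pattern
    # -x: it must equal a whole line, so "a@b" cannot match "xa@b.org"
    # -i: address comparison is case-insensitive here
    # --: nothing after this is parsed as an option
    grep -F -x -i -q -- "$addr" "$SENT_LIST"
}

# Run as a program only when installed under the name "grepfrom".
case ${0##*/} in
    grepfrom) grepfrom "$@"; exit $? ;;
esac
```

Because `execute` used as a test succeeds only on exit status 0, both a rejected address and a missing list file fall through to the `else` branch of the Sieve script.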