We are using UTM 9.706-9. We get a lot of spam that has dynamically created envelope-from addresses, like email@example.com. The next email is coming from dyn2 and so on. Because the sender blacklist doesn't allow for wildcards in the domain, I can't get them blocked this way.
Because the domain (spamdomain.com) shows up in the body of the email most of the time, I added "spamdomain" as an expression (also as regex like ".*spamdomain.*"). If this keyword shows up as regular text, the filter triggers. However, if it is embedded in an href link, which it is almost every time, it's not. I just want to have confirmation, that this is the way the expression filter works and I'm not making a mistake.
If this is true, do you have any suggestion on how to catch these spam emails? The content is different every time so there is no point in using other keywords.
Hallo Michael and welcome to the UTM Community!
You're understanding correctly. I agree with Harsh that you need experienced eyes on the SMTP log and headers of spam emails to find a way to fight this spammer.
Cheers - Bob