We are using UTM 9.706-9. We get a lot of spam that has dynamically created envelope-from addresses, like email@example.com. The next email is coming from dyn2 and so on. Because the sender blacklist doesn't allow for wildcards in the domain, I can't get them blocked this way.
Because the domain (spamdomain.com) shows up in the body of the email most of the time, I added "spamdomain" as an expression (also as regex like ".*spamdomain.*"). If this keyword shows up as regular text, the filter triggers. However, if it is embedded in an href link, which it is almost every time, it's not. I just want to have confirmation, that this is the way the expression filter works and I'm not making a mistake.
If this is true, do you have any suggestion on how to catch these spam emails? The content is different every time so there is no point in using other keywords.
This thread was automatically locked due to age.