Spam from a particular spammer is getting through the Sophos UTM. The sender's email address is dynamic (0100015356a4719a-9e5954b8-d58b-4a0e-9381-740dc528d936-000000@amazonses.com) so using the blacklist is pointless. However, the sender always uses the same email address in the reply-to and from headers, in all emails. I tried adding that email address to the Expressions Filter but it appears that the headers are ignored and only the subject line and body of emails are tested.
I sent some spoofed emails to myself and the only ones that were filtered were the ones that contained the spammer's email address in the subject line or body, even though that same email address was included in the reply-to and from headers of all of the test emails.
What am I doing wrong? Surely there must be some way to filter this spammer's emails without blocking all emails from amazonses.com.
UPDATE: Looks like I found my answer: http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/9893775-in-anti-spam-expression-check-everything-after-da
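The mismatch described in the post, as an added example that is not part of the original post and is not Sophos UTM functionality: it assumes the dynamic amazonses.com address is the envelope sender (recorded as Return-Path) and shows a check keyed on the From and Reply-To headers instead. The blocked address and both messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed placeholder standing in for the spammer's constant address.
BLOCKED = {"spammer@example.invalid"}

# Constructed sample messages (not real mail). The envelope sender differs
# on every message; only the header addresses stay the same.
SPAM = """\
Return-Path: <0100-constructed-000000@amazonses.com>
From: "Great Offers" <Spammer@Example.invalid>
Reply-To: spammer@example.invalid
To: user@example.org
Subject: Hello

Nothing in the subject or body names the sender.
"""
HAM = """\
Return-Path: <0100-constructed-000001@amazonses.com>
From: Newsletter <news@example.com>
To: user@example.org
Subject: Monthly update

Legitimate mail relayed through the same provider.
"""

def header_addresses(msg, names=("From", "Reply-To", "Sender")):
    """Return the lower-cased addresses found in the given headers."""
    values = [v for n in names for v in msg.get_all(n, [])]
    # getaddresses strips display names and handles multiple recipients.
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def classify(raw, blocked=BLOCKED):
    """Return (verdict, envelope_sender, matched_header_addresses)."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    hits = header_addresses(msg) & blocked
    return ("reject" if hits else "accept", envelope, sorted(hits))

if __name__ == "__main__":
    for raw in (SPAM, HAM):
        print(classify(raw))
```

Both messages share the amazonses.com envelope domain, so only the header comparison separates them without blocking the whole provider.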