Community Discussions and Support
Filtering out phishing emails

Your logic is fine.  You just need to make the rule a new mail filtering rule, when folder is opened.  Each incoming message that isn't diverted by Spamhalter or Content Control gets run through these rules.  All unread messages also get run through these filters each time the new mail folder is opened, which is why I commented about not knowing the potential impact of the processing overhead by a list scan rule using a large list.


I am getting a deluge of emails with "from" addresses consisting of slightly altered names of people with whom I have exchanged emails in the past, and spoofed headers.  They have links, which vary with each and every message.  Spamhalter has been completely unable to recognise these, (hardly surprising, given that there are no commonalities).  Any form of blacklisting based on address, (eg. through filtering) is equally impractical.  Given that Pegasus has automatically created a whitelist based on people to whom I have sent messages in the past, is there any way to use this in some sort of rule-based filter, ("If the sender is not in the whitelist, hive the message off into a "junk"  folder")


There is a "Scan List" rule type that can check against a distribution list.  Unfortunately, the frequently used list is not in a distribution list file.  It would be easy enough to copy its contents into one but it wouldn't be self maintaining.  I don't know what the performance impact would be to check every message against such a list.


Neat!  I have tried this by creating a distribution list copied from my whitelist, then created a Scan List rule to move any messages with  from (or to - and this may or may not cause problems)  NOT in the list, into a folder marked Phishing.  I will report back as to what actually happens. (And, yes, I appreciate that the distribution list will need to be manually maintained)


I was sitting here working on this problem when your post arrived.  I thought for certain there would be a way to utilize the global whitelist through a configuration option somewhere but darned if I can find anything.  I must be missing something, otherwise it doesn't appear to have a purpose.


Its purpose is to "bypass" Spam/Junk rules for addresses that you have "Sent to"

 

IIRC the filter order is 

Global Whitelist

SpamHalter

Content Control

Your Filter Rules (?)

 


I am not sure you are on the same wavelength.  When the previous poster said he wasn't sure "what the purpose was", he wasn't questioning the purpose of the whitelist.  What he was asking was what the purpose of the "List" option in the Filter Rules was.  (It refers only to the distribution lists - why?)

Just for what it is worth,  I have not as yet received any of the phishing emails which were plaguing me, so I can see whether my "fix" actually works.  But it has been only 12 hours since I instituted it...


Shades,

Are you saying that the Global Whitelist is checked by default and to disable it you would have to clear it and disable automatic whitelisting?

 


I believe so, or at least edit it to the addresses you want to pass thru the other filters, then turn off Whitelisting


Help me here.  (I am not a programmer or computer geek, so need to beg your indulgence).  The Whitelist is automatically populated only when you send a message TO somebody.  So the spoofed addresses in the emails will not be reflected in the Whitelist, and will be passed on through to the Spamhalter filter.  This is unable to recognise them because every field, and the entire address track in the header is spoofed.  So Spamhalter will pass it on.  It is basically impossible to create a spam filter because the addresses are different every time, so the messages will drop through this also.  Finally, they are subjected to the rules-based scan, and it was here that I was trying to intercept them.

What I did was create a large (500 entries!) distribution list, (using the addresses from my whitelist, (which represents only addresses to which I have sent mail)).  I then went to the Mail Filtering Rules and created a General Rule Set of type List Scan, ticked the box for NOT, and told it to hive off messages not in the list to a folder, "Phishing". The list scan option examines the From and Reply To fields in incoming messages (?) and triggers the action chosen in the rule definition.

It doesn't work.  The messages pass through this Rule, and continue to come up in my new mail.  Can you point out the flaw in my logic?
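
The allow-list check discussed in this thread, as an added example (not part of any post and not Pegasus Mail's own code): every address in From and Reply-To must be on the list, otherwise the message is routed to "Phishing". The one-address-per-line list format, the function names and all sample addresses are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed allow-list, one address per line (assumed format,
# not the layout of a Pegasus distribution list file).
ALLOWLIST_TEXT = """\
alice.smith@example.org
Bob Jones <bob@example.net>
"""

def load_allowlist(text):
    """Return the set of lower-cased addresses found in the list text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return {addr.lower() for _, addr in getaddresses(lines) if addr}

def sender_addresses(raw_message):
    """Collect every address in the From and Reply-To headers."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", []) + msg.get_all("Reply-To", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}

def route(raw_message, allowlist):
    """Return 'Phishing' unless every sender address is on the allow-list."""
    senders = sender_addresses(raw_message)
    if not senders or not senders <= allowlist:
        return "Phishing"
    return "New mail"

# Constructed sample messages.
GENUINE = "From: Alice Smith <alice.smith@example.org>\nSubject: lunch\n\nhi\n"
# Same display name, address altered by one character (i -> l).
LOOKALIKE = "From: Alice Smith <alice.smlth@example.org>\nSubject: invoice\n\nclick\n"
# Listed From address, but replies are redirected to an unlisted one.
REPLY_TO = ("From: Bob Jones <bob@example.net>\n"
            "Reply-To: bob@mail.example.com\nSubject: re\n\nsee link\n")

if __name__ == "__main__":
    allow = load_allowlist(ALLOWLIST_TEXT)
    samples = [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO)]
    for name, raw in samples:
        print(name, "->", route(raw, allow))
```

The comparison is on the address, not the display name, so a familiar name on an altered address is still diverted. A message whose From header carries a listed address exactly passes this check, since the header alone does not prove who sent it.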
