A while back I created a plugin for checking Levenshtein distance on From and To domains, this might answer the problem?
An example configuration might look like this - This would look just for From domains with a distance equal to 1 from alexander.com ---8<--- ifplugin Mail::SpamAssassin::Plugin::Levenshtein header LEVENSHTEIN_ALEXANDER_VCLOSE eval:check_levenshtein_from(' alexander.com', 1) describe LEVENSHTEIN_ALEXANDER_VCLOSE From domain has distance of 1 from alexander.com score LEVENSHTEIN_ALEXANDER_VCLOSE 0.1 endif ---8<--- A bit more generic use, protecting To domains - ---8<--- ifplugin Mail::SpamAssassin::Plugin::WLBLEval && Mail::SpamAssassin::Plugin::Levenshtein enlist_addrlist (LEVENSHTEINPROTECT) *@alexander.com header __LEVENSHTEIN_PROTECT eval:check_to_in_list('LEVENSHTEINPROTECT') header __LEVENSHTEIN_FROM eval:check_levenshtein() meta LEVENSHTEIN_PROTECT __LEVENSHTEIN_PROTECT && __LEVENSHTEIN_FROM describe LEVENSHTEIN_PROTECT From address has a close distance to To address score LEVENSHTEIN_PROTECT 0.1 endif ---8<--- Looking at something like paypal - ---8<--- ifplugin Mail::SpamAssassin::Plugin::Levenshtein header LEVENSHTEIN_PAYPAL_VCLOSE eval:check_levenshtein_from('paypal', 1) describe LEVENSHTEIN_PAYPAL_VCLOSE From domain has distance of 1 from paypal score LEVENSHTEIN_PAYPAL_VCLOSE 0.1 endif ---8<--- There are a few more examples and details here https://github.com/fmbla/spamassassin-levenshtein/ Note that this is a third party plugin. Paul