I manage a Postini account of one organization - about 15 email addresses.
Here is my situation. Prior to today I had established the email domain "paypal.com" on the safe sender's list. This was established a few years ago due to the fact that legitimate emails from PayPal were being filtered out. In the previous several months we have been getting a large amount of PayPal Spam/Phishing emails. I created a contact filter to filter out - Subject Line contains text "You sent a payment" OR Subject Line contains text "You just sent a payment". I didn't realize until today that the email domain "paypal.com" on the safe sender's list was trumping the filter. So I removed email domain "paypal.com" from the safe sender's list.
Here is my issue. I have two emails (both attached) that I processed through http://www.google.com/postini/headeranalyzer/. One email (Payflow Gateway Maintenance) is legit and the other (You sent a payment) is obvious spam. According to the postini/headeranalyzer/, the legit email delivered to me several months ago was delivered due to the sender "pay...@paypal.com" being on the approved sender list. Later in the analysis of the legitimate email headers it indicates that the spam score is below the threshold and is considered spam. The spam/phish email header was analyzed and was considered spam, but since "paypal.com" was on the safe sender's list it was delivered.
Here is my question. How do I create filter(s) whereby legitimate paypal.com emails are delivered and spam/phish emails are filtered out?