Snort mailing list archives

Help with SMTP Rule


From: Ricardo Londoño <ricardo () datawan net>
Date: Mon, 25 Nov 2002 12:04:14 -0600

I need some help trying to write a custom rule.

Basically I need to write a rule that captures all SMTP traffic where the MAIL FROM is NOT a specific domain.  I have 
come up with the following but I don't think it is working right.  I'm capturing other misc traffic.  I also think my 
problem lies in that I don't want to single out a specific user.  So I need the rule to be flexible in that any user 
from any domain with the exception of the allowed domain will be logged.

alert tcp $HOME_NET any -> any 25 (msg:"POLICY SMTP illegal Mail From"; content:!"mail from|3a| @specificdomain.com"; depth:22; nocase; classtype:misc-activity; sid:1000005; rev:1;)


Any help would be greatly appreciated.

thx


Ricardo
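A small Python model of how a negated content option behaves together with depth and nocase, added here as an illustration; it is not part of Ricardo's post and not Snort's own matching code. The match semantics are a simplifying assumption, the SMTP payloads are constructed samples, and two_content_fires is a hypothetical variant rather than a tested Snort rule.

```python
import re

def parse_content(pattern: str) -> bytes:
    """Decode a Snort content string: text outside |..| is literal,
    text inside |..| is hex bytes (|3a| is ':')."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", pattern):
        out += literal.encode()
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)

def content_match(payload: bytes, pattern: str, depth=None,
                  nocase=False, negate=False) -> bool:
    """Simplified model (assumption, not Snort's code): depth limits the search
    to the first `depth` payload bytes, nocase ignores case, '!' inverts."""
    needle = parse_content(pattern)
    window = payload if depth is None else payload[:depth]
    if nocase:
        needle, window = needle.lower(), window.lower()
    found = needle in window
    return (not found) if negate else found

RULE_PATTERN = "mail from|3a| @specificdomain.com"  # from the posted rule
RULE_DEPTH = 22                                     # from the posted rule

# Constructed SMTP client commands, one per TCP payload (not captured traffic).
SAMPLES = {
    "allowed_rfc":   b"MAIL FROM:<alice@specificdomain.com>\r\n",
    "allowed_space": b"MAIL FROM: <alice@specificdomain.com>\r\n",
    "other_domain":  b"MAIL FROM:<bob@otherdomain.example>\r\n",
    "ehlo_only":     b"EHLO mx.specificdomain.com\r\n",
}

def posted_rule_fires(payload: bytes) -> bool:
    """The posted rule: one negated content searched within 22 bytes. The decoded
    pattern is 30 bytes, so it never fits and the negation holds for every packet."""
    return content_match(payload, RULE_PATTERN, depth=RULE_DEPTH,
                         nocase=True, negate=True)

def two_content_fires(payload: bytes) -> bool:
    """Hypothetical variant: require 'mail from:' to be present and the
    allowed domain to be absent, with no depth, so only MAIL FROM commands
    naming another domain fire."""
    return (content_match(payload, "mail from|3a|", nocase=True)
            and content_match(payload, "@specificdomain.com", nocase=True, negate=True))

def evaluate(check=posted_rule_fires) -> dict:
    return {name: check(p) for name, p in SAMPLES.items()}
```

Running evaluate() shows the posted rule alerting on all four samples, including the allowed domain and a plain EHLO, while evaluate(two_content_fires) alerts only on the MAIL FROM for the other domain.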
