The from map type matches the envelope from and not the From: message Header (when both are present).
Fairly typical is that mailing list messages use uniquely generated SMTP envelope addresses to effectively handle bounces and delivery errors.
Then the "envelope from" probably looks something like from=<[email protected]> rather than the [email protected] address found in the message header.
Just like snail mail letters, SMTP email has two different sets of address information:
the envelope headers (like the addresses printed on the outside of an envelope, which is read and used by the Post Office to deliver the message to your mailbox) which are used by the SMTP servers to route and deliver the email. These correspond to the RCPT TO: and MAIL FROM: command words used in the SMTP transaction.
the "normal" headers, which are part of the mail message and which are only read and interpreted by the user in his mail client/webmail. These resemble the address attached to a salutation at the start of the physical letter found inside the envelope and similarly have no function in getting the message delivered correctly.
These come as part of the DATA in the SMTP transaction.
the addresses in these two different headers can differ.
Historically there is no one standard on how MTA's store envelope data in messages, if at all. Therefor mail clients only display the normal headers.
Usually you need to take a look at "all headers", the "raw message" , "message source/properties" or similar to see if the MTA records the MAIL FROM: and RCPT TO: in some way.
You may see a Return-Path: <sender-address> Received: ... for <rcpt-address> or X-Original-To: <rcpt-address> or something else entirely. Alternatively the MTA will often store envelope headers used in the delivery log files.
You probably need to test but the "header" map and filtering on the From: header might work better for you:
blacklisted_addresses {
description = "Blacklisted addresses";
type = "header";
header = "From";
filter = "email";
...
