Cisco Email Security Appliance C190 User Guide
User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
Use the forged-email-detection rule to detect such messages. While configuring this rule, you must specify a content dictionary and the threshold value (1 through 100) for considering a message as potentially forged.
The forged-email-detection rule compares the From: header with the users in the content dictionary. During this process, depending on the similarity, the appliance assigns a similarity score to each of the users in the dictionary. The following are some examples:
• If the From: header is <j0hn.sim0ns@example.com> and the content dictionary contains a user ‘John Simons,’ the appliance assigns a similarity score of 82 to the user.
• If the From: header is <john.simons@diff-example.com> and the content dictionary contains a user ‘John Simons,’ the appliance assigns a similarity score of 100 to the user.
The higher the similarity score, the higher the probability that the message is forged. If the similarity score is greater than or equal to the specified threshold value, the filter action is triggered.
For more information, see
Message Filter Syntax
<filter_name>: if (forged-email-detection("<content_dictionary>", threshold)) {<action>;}
Where:
• filter_name is the name of the message filter
• content_dictionary is the name of the content dictionary
• threshold is the threshold value (1 through 100) for considering a message as potentially forged
Example
The following message filter compares the From: header in the message with the terms in the dictionary, and if the similarity score of a user in the content dictionary is greater than or equal to 70, the message filter strips the From: header and replaces it with the Envelope Sender.
FED_CF: if (forged-email-detection("Execs", 70)) { fed("from", ""); }
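As an added illustration (not Cisco's code and not the appliance's documented scoring), the following Python stand-in models the comparison described above: it takes the display name and the local-part of the From: header, normalizes them, and scores each against a constructed "Execs" dictionary. The edit-distance score used here is an assumption; it reproduces the 82 and 100 of the two examples above, but AsyncOS's real algorithm may differ.

```python
"""Illustrative stand-in for a forged-email-detection style check (not Cisco's code)."""
from email.utils import parseaddr
import re

# Constructed "Execs" dictionary, modelled on the FED_CF example above (assumption).
EXECS = ["John Simons", "Mary Chen"]

def normalize(text: str) -> str:
    """Lowercase, turn local-part separators into spaces, keep letters/digits/spaces."""
    text = text.lower().replace(".", " ").replace("_", " ").replace("-", " ")
    text = re.sub(r"[^a-z0-9 ]", "", text)
    return re.sub(r"\s+", " ", text).strip()

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> int:
    """Score 0..100; 100 means identical after normalization (assumed formula)."""
    if not a or not b:
        return 0
    return int(round(100 * (1 - levenshtein(a, b) / max(len(a), len(b)))))

def score_from_header(from_header: str, dictionary):
    """Return (best_user, score): the highest similarity between the From: header's
    display name or address local-part and any user in the content dictionary."""
    display, addr = parseaddr(from_header)
    local_part = addr.split("@", 1)[0]
    candidates = [normalize(c) for c in (display, local_part) if c]
    best_user, best = None, 0
    for user in dictionary:
        s = max((similarity(c, normalize(user)) for c in candidates), default=0)
        if s > best:
            best_user, best = user, s
    return best_user, best

def forged_email_detection(from_header: str, dictionary, threshold: int) -> bool:
    """True when the rule would fire: best score >= threshold (1 through 100)."""
    _, score = score_from_header(from_header, dictionary)
    return score >= threshold
```

Scoring the display name as well as the local-part matters because a lookalike name in the display field with an unrelated address is the common forgery pattern; the threshold (70 in the FED_CF example) controls how close a lookalike must be before the action runs.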
Duplicate Boundaries Verification Rule
You can use the duplicate_boundaries rule to detect messages that contain duplicate MIME boundaries.
Note Attachment-based rules (for example, attachment-contains) or actions (for example, drop-attachments-where-contains) will not work on malformed messages (with duplicate MIME boundaries).
Message Filter Syntax
<filter_name>: if (duplicate_boundaries){<action>;}
Example
The following message filter will quarantine all the messages that contain duplicate MIME boundaries.
DuplicateBoundaries: if (duplicate_boundaries) { quarantine("Policy"); }