Cisco Email Security Appliance X1050 Information Guide

How do I write more efficient message filters?
Document ID: 117886
Contributed by Tomki Camp and Enrico Werner, Cisco TAC Engineers.
Jul 08, 2014
Question
How do I write more efficient message filters?
As message filters get longer, they can affect the performance characteristics of your ESA. For small numbers
of filters or short filters, efficiency is not a significant concern. However, when constructing longer filters or if
your implementation has many filters, you should be mindful of the relative efficiency of certain operations.
When a message passes through the message pipeline, all message filters are combined into a single
expression that is evaluated atomically against that message. Ordering therefore matters: a filter whose
action is final, that is deliver(), bounce(), or drop(), ends evaluation of the combined expression for that
message, and every filter after it is skipped. If one filter matches a large share of your traffic and ends in
a final action, move it as early in the filter list as its logic allows, so that the later filters are not
evaluated needlessly for those messages.
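To make the short-circuit concrete, the following Python simulation (added here as an illustration; it is not ESA filter code and does not use the ESA engine) walks a constructed traffic mix through the same three filters in two orders. A filter marked final stops evaluation for that message, as described above. The traffic mix, sender domain and filter names are made up for the example.

```python
"""Simulate how filter order changes the work done per message.

Each message is tested against the filters in order; a filter whose action is
final (deliver/bounce/drop) stops evaluation for that message. Traffic and
filters are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Message:
    sender: str
    subject: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Filter:
    name: str
    condition: Callable[[Message], bool]
    action: str
    final: bool  # True for deliver()/bounce()/drop(): later filters never see the message


# Constructed traffic: 80% of messages come from a bulk sender that is dropped outright.
SAMPLE_TRAFFIC = (
    [Message("news@bulk.example", "Weekly digest")] * 80
    + [Message("alice@partner.example", "Q3 invoice", ["invoice.pdf"])] * 15
    + [Message("bob@partner.example", "urgent", ["run.exe"])] * 5
)

DROP_BULK = Filter("drop_bulk",
                   lambda m: re.search(r"(?i)@bulk\.example$", m.sender) is not None,
                   "drop", final=True)
LOG_INVOICE = Filter("log_invoice",
                     lambda m: re.search(r"(?i)invoice", m.subject) is not None,
                     "log", final=False)
STRIP_EXE = Filter("strip_exe",
                   lambda m: any(re.search(r"(?i)\.exe$", a) for a in m.attachments),
                   "drop-attachments", final=False)


def run_pipeline(filters: List[Filter],
                 messages: List[Message]) -> Tuple[Dict[str, int], List[List[str]]]:
    """Return (condition evaluations per filter, actions applied to each message)."""
    evaluations = {f.name: 0 for f in filters}
    dispositions: List[List[str]] = []
    for msg in messages:
        applied: List[str] = []
        for f in filters:
            evaluations[f.name] += 1
            if f.condition(msg):
                applied.append(f.action)
                if f.final:
                    break  # short-circuit: the remaining filters are not evaluated
        dispositions.append(applied)
    return evaluations, dispositions


def total_evaluations(filters: List[Filter], messages: List[Message] = SAMPLE_TRAFFIC) -> int:
    evaluations, _ = run_pipeline(filters, messages)
    return sum(evaluations.values())


def same_outcome(order_a: List[Filter], order_b: List[Filter],
                 messages: List[Message] = SAMPLE_TRAFFIC) -> bool:
    """A reordering is only legitimate if every message receives the same actions."""
    return run_pipeline(order_a, messages)[1] == run_pipeline(order_b, messages)[1]


SLOW_ORDER = [LOG_INVOICE, STRIP_EXE, DROP_BULK]  # frequent final-action filter last
FAST_ORDER = [DROP_BULK, LOG_INVOICE, STRIP_EXE]  # frequent final-action filter first

if __name__ == "__main__":
    print("slow order:", total_evaluations(SLOW_ORDER), "condition evaluations")
    print("fast order:", total_evaluations(FAST_ORDER), "condition evaluations")
    print("same dispositions:", same_outcome(SLOW_ORDER, FAST_ORDER))
```

With the bulk-sender filter last, every one of the 100 messages is tested by all three conditions (300 evaluations); with it first, the 80 bulk messages are dropped after a single test (140 evaluations), and same_outcome confirms that no message is treated differently. That check is the part to keep when reordering a real filter set: a final-action filter moved earlier must not skip a log, notify or quarantine action that was meant to run on the same messages.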
Although the ESA processes regular expressions efficiently, a filter can still be written in a way that makes
the regular expression engine do unnecessary work. Each evaluation of a regular expression costs roughly the
same, so reducing the number of expressions evaluated per message is what yields the gain. In the following
filter, for example, the seven drop-attachments-by-name actions each evaluate their own regular expression, so
every attachment name is tested seven times:
strip_all_dangerous: if (true) {
    drop-attachments-by-name('(?i)\\.pif$');
    drop-attachments-by-name('(?i)\\.exe$');
    drop-attachments-by-name('(?i)\\.scr$');
    drop-attachments-by-name('(?i)\\.msi$');
    drop-attachments-by-name('(?i)\\.java$');
    drop-attachments-by-name('(?i)\\.dll$');
    drop-attachments-by-name('(?i)\\.com$');
}
In the following example, the results are equivalent, but the example is much more efficient, causing only a
single regular expression evaluation:
strip_all_dangerous: if (true) {
    drop-attachments-by-name('(?i)\\.(pif|exe|scr|msi|java|dll|com)$');
}
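Before replacing seven patterns with one, it is worth proving that the consolidated pattern drops exactly the same attachment names, because a careless merge silently changes the match. The Python below is an added illustration (not ESA filter code; it uses Python's re module, and it assumes that (?i), \. and $ behave as in the filter examples above; the '\\.' of the filter language is written as the raw string r"\." here). It runs the seven separate patterns, the consolidated one, and a deliberately broken merge over constructed attachment names and counts the regex evaluations each approach needs.

```python
"""Check that one combined attachment-name pattern does the same job as seven
separate ones, and that a careless merge does not. Sample names are constructed."""
import re
from typing import Iterable, List, Set, Tuple

# One pattern per extension, as in the first filter: seven evaluations per attachment name.
SEPARATE = [re.compile(p) for p in (
    r"(?i)\.pif$", r"(?i)\.exe$", r"(?i)\.scr$", r"(?i)\.msi$",
    r"(?i)\.java$", r"(?i)\.dll$", r"(?i)\.com$",
)]

# The consolidated pattern from the second filter: one evaluation per attachment name.
COMBINED = re.compile(r"(?i)\.(pif|exe|scr|msi|java|dll|com)$")

# A tempting but wrong merge: without the group, '\.' binds only to 'pif' and '$'
# only to 'com', so 'exe', 'scr', 'msi', 'java' and 'dll' match anywhere in the name.
BROKEN = re.compile(r"(?i)\.pif|exe|scr|msi|java|dll|com$")

# Constructed attachment names, including case and double-extension edge cases.
SAMPLE_NAMES = [
    "report.pdf", "setup.EXE", "Invoice.pdf.scr", "notes.txt", "executable_list.txt",
    "x.java", "archive.tar.gz", "readme.com", "com", ".dll", "summary.docx",
]

# Names the filter is meant to drop.
EXPECTED_DROPPED = {"setup.EXE", "Invoice.pdf.scr", "x.java", "readme.com", ".dll"}


def scan(names: Iterable[str], patterns: List["re.Pattern"]) -> Tuple[Set[str], int]:
    """Run every pattern against every name, as separate filter actions do.

    Returns the set of names that would be dropped and the number of regex
    evaluations performed.
    """
    flagged: Set[str] = set()
    evaluations = 0
    for name in names:
        for rx in patterns:
            evaluations += 1
            if rx.search(name):
                flagged.add(name)
    return flagged, evaluations


def equivalent(names: Iterable[str], a: List["re.Pattern"], b: List["re.Pattern"]) -> bool:
    """True when both pattern sets drop exactly the same names."""
    return scan(names, a)[0] == scan(names, b)[0]


if __name__ == "__main__":
    for label, pats in (("separate", SEPARATE), ("combined", [COMBINED]), ("broken", [BROKEN])):
        dropped, evals = scan(SAMPLE_NAMES, pats)
        print(f"{label:9s} {evals:3d} evaluations, dropped: {sorted(dropped)}")
    print("combined == separate:", equivalent(SAMPLE_NAMES, SEPARATE, [COMBINED]))
    print("broken   == separate:", equivalent(SAMPLE_NAMES, SEPARATE, [BROKEN]))
```

The separate patterns need 77 evaluations for 11 names and the combined pattern needs 11, with identical results. The broken merge also needs 11 but additionally drops executable_list.txt (the bare alternative exe matches inside the word) and a file named com (the $ anchor applies only to the last alternative), which is why the group around the alternation in the page's consolidated pattern is not optional.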
Although the second regular expression is more complex than the seven ones in the first filter, it is much more