Cisco Email Security Appliance X1070 Information Guide

Result: This creates an Incoming Policy for the domains you want to block/drop. You are
basically creating a separate path for these emails and then simply dropping them.
Alternatively, you can create a message filter from the CLI to block one or more email addresses.
From the CLI, perform steps similar to the following:
Machine_name> filters 
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> new
Enter filter script.  Enter '.' on its own line to end. 
BlockEmail: if(mail-from == "(?i)user1@example\\.com$") {
    drop();
}
.
1 filters added.
Although you can type the filter in directly, most customers will keep it in a text editor on their desktop and
use copy and paste to create it. In the example above you would paste from the name (BlockEmail) through
the ending dot. 
To block multiple users from the same domain, replace the "if" line with:
if(mail-from == "(?i)(user1|user2|user3)@example\\.com$")
To block multiple users from multiple domains, replace the "if" line with:
if(mail-from == "(?i)(user1@example1\\.com|user2@example2\\.com)$")
Note: This filter uses a drop action.  Be careful to avoid loss of good email! It is highly recommended that you
test first with one of these actions instead of the drop action:
To send message(s) to the policy quarantine: 
quarantine("Policy");
To send message(s) to an alternate email address:  
alt-rcpt-to("some_email_address@yourdomain.com");
Either one of these actions would replace the "drop();" action line in the message filter example above.
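Before switching a tested filter to drop(), it helps to see exactly which senders each of the three patterns above would hit. The following Python dry run is an added example, not part of the Cisco document; it assumes the filter engine applies the regex as an unanchored search with Python-style semantics and that mail-from holds the bare envelope address. The sample senders and the helper names (matching_senders, anchor_start) are constructed for illustration.

```python
import re

# Patterns as the regex engine receives them: inside the filter script "\\."
# is an escaped backslash, so the regex itself contains "\.".
FILTER_PATTERNS = {
    "single_user": r"(?i)user1@example\.com$",
    "multi_user": r"(?i)(user1|user2|user3)@example\.com$",
    "multi_domain": r"(?i)(user1@example1\.com|user2@example2\.com)$",
}

# Constructed envelope senders for the dry run (not from the Cisco document).
SAMPLE_SENDERS = [
    "user1@example.com",
    "USER1@Example.COM",          # (?i) makes the match case-insensitive
    "user2@example.com",
    "user4@example.com",
    "user1@example.com.invalid",  # rejected by the trailing $
    "user1@exampleXcom",          # rejected because the dot is escaped
    "newuser1@example.com",       # no leading ^, so this also matches
    "user2@example2.com",
]


def matching_senders(pattern, senders):
    """Return the senders a pattern hits (assumption: unanchored search)."""
    rx = re.compile(pattern)
    return [s for s in senders if rx.search(s)]


def anchor_start(pattern):
    """Insert ^ after the leading (?i) so the whole address must match."""
    flag = "(?i)"
    if not pattern.startswith(flag):
        raise ValueError("expected pattern to begin with (?i)")
    return flag + "^" + pattern[len(flag):]


if __name__ == "__main__":
    for name, pattern in FILTER_PATTERNS.items():
        print(name, "as written:", matching_senders(pattern, SAMPLE_SENDERS))
        print(name, "with ^    :", matching_senders(anchor_start(pattern), SAMPLE_SENDERS))
```

Any sender listed in the "as written" row but missing from the "with ^" row is mail that the filter would also act on, which is worth reviewing while the action is still quarantine("Policy") rather than drop().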
Updated: Oct 10, 2014
Document ID: 118551