Cisco Cisco Email Security Appliance X1050 Troubleshooting Guide

Contributed by Scott Roeder and Enrico Werner, Cisco TAC Engineers.

Jul 08, 2014

How do I block recipient address with wildcards?

If you want to block mail to a recipient and specify the recipient address with a wildcard, you must use a
message or content filter. Filters allow you to use regular expressions to match the sender or recipient
addresses.

The ESA uses Python regular expressions.  A simple wildcard construct is ".*", which will match zero or
more characters up to a new line.  The "." matches any single character, and the "*" matches the previous
expression zero or more times in a row.  Let's say you want to match recipients helpmail1, helpmail2,
helpmail3, @example.com.  A filter expression to match these is

"^helpmail.*@example\\.com$"

The ^ matches beginning of line and the $ matches end of line, which limits the match to only
helpmail*@scu.com, but will not match myhelpmail@scu.com, or helpmail@scu.com.au.   "\\" is an escape
before the ".", so it will be taken literally. You can then use this regular expression in a message filter:

DropHelpmail

if (rcpt−to == "^helpmail.*@example\\.com$") 

  drop();

}

You can also create this as a content filter, simply by choosing 'contains' and entering the regular expression
into the condition window:

Updated: Jul 08, 2014

Document ID: 117888