Cisco Cisco Email Security Appliance C680 User Guide
9-46
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
Using Header Repeats Rule with Other Rules
You can use the Header Repeats rule with other rules using AND or OR operators. For example, you can
whitelist a subset of messages using the following filter:
whitelist a subset of messages using the following filter:
When you use a Header Repeats rule with another rule using AND or OR operators, the Header Repeats
rule is evaluated last, and only if needed. If a Header Repeats rule is not evaluated for a given message,
rule is evaluated last, and only if needed. If a Header Repeats rule is not evaluated for a given message,
subject
or
mail-from
is not counted to compare with the supplied threshold.
As Header Repeats rule is evaluated last and only if needed, the behavior of this rule may vary when
used with other rules using an OR operator. The following sample filter uses an OR condition of Signed
and Header Repeats rule.
used with other rules using an OR operator. The following sample filter uses an OR condition of Signed
and Header Repeats rule.
In this example, if the first nine messages processed by this filter are signed messages with identical
subject, the Header Repeats rule will not process these messages. If the tenth message is an unsigned
message with identical subject header as the previous nine messages, the filter will not perform the
configured action, even though the threshold has reached.
subject, the Header Repeats rule will not process these messages. If the tenth message is an unsigned
message with identical subject header as the previous nine messages, the filter will not perform the
configured action, even though the threshold has reached.
Examples
In the following example, at any given point in time, if the filter detects
X
or more incoming messages
with identical subject in the last one hour, the subsequent messages with identical subject are sent to
Policy quarantine.
Policy quarantine.
In the following example, at any given point in time, if the filter detects
X
or more outgoing messages
from same envelope sender in the last one hour, the subsequent messages from the same envelope sender
are dropped and discarded.
are dropped and discarded.
In the following example, at any given point in time, if the filter detects
X
or more incoming or outgoing
messages with identical subject in the last one hour, the administrator is notified for every subsequent
message with identical subject.
message with identical subject.
URL Category Rule
Use URL categories to define message actions based on the category of URLs in the message. For
important details, see
important details, see
in
Filter syntax when using a
url-category
rule is:
F1: if (recv_listener == 'Gray') AND (header-repeats('subject', X, 'incoming') {
drop();}
f1: if signed OR (header-repeats('subject', 10)) { drop();}
f1 : if header-repeats('subject', X, 'incoming') { quarantine('Policy');}
f2 : if header-repeats('mail-from', X, 'outgoing') {drop();}
f3: if header-repeats('subject', X) {notify('admin@xyz.com');}