Cisco Cisco Email Security Appliance X1070 User Guide
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 6 Using Message Filters to Enforce Email Policies
Recipient Count Rule
The rcpt-count rule compares the number of recipients of a message against an integer value, in a similar way to the body-size rule. This can be useful for preventing users from sending email to large numbers of recipients at once, or for ensuring that such large mailing campaigns go out over a certain Virtual Gateway address. The following example sends any email with more than 100 recipients over a specific Virtual Gateway address:

    large_list_filter:
    if (rcpt-count > 100) {
        alt-src-host('mass_mailing_interface');
    }

Address Count Rule

The addr-count() message filter rule takes one or more header strings, counts the number of recipients in each line and reports the cumulative number of recipients. This filter differs from the rcpt-count filter rule in that it operates on the message body headers instead of the envelope recipients. The following example shows the filter rule used to replace a long list of recipients with the alias, “undisclosed-recipients”:

    count: if (addr-count("To", "Cc") > 30) {
        strip-header("To");
        strip-header("Cc");
        insert-header("To", "undisclosed-recipients");
    }

Body Scanning Rule

The body-contains() rule scans the incoming email and all its attachments for a particular pattern defined by its parameter. This includes delivery-status parts and associated attachments. The body-contains() rule does not perform multi-line matching. The scanning logic can be modified using the scanconfig command in the CLI to define which MIME types should or should not be scanned. You can also specify a minimum number of matches that the scanning engine must find in order for the scan to evaluate to true.

By default, the system scans all attachments except for those with a MIME type of video/*, audio/*, or image/*. The system scans archive attachments: .zip, .bzip, .compress, .tar, or .gzip attachments containing multiple files. You can set the number of “nested” archived attachments to scan (for example, a .zip contained within a .zip).

For more information, including an example of how to use the scanconfig command to set the attachment scanning behavior, see .
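The difference between rcpt-count (envelope recipients) and addr-count() (message headers) described above, modeled in Python as an added example; it is not Cisco's code or filter syntax. The helper names, the use of email.utils.getaddresses to count header addresses, and the sample messages are assumptions constructed for illustration; the thresholds 100 and 30 come from the two filters on this page.

```python
from email import message_from_string
from email.utils import getaddresses

RCPT_LIMIT = 100  # threshold in the page's large_list_filter
ADDR_LIMIT = 30   # threshold in the page's count filter


def rcpt_count(envelope_rcpts):
    """Model of rcpt-count: one per SMTP envelope recipient (RCPT TO)."""
    return len(envelope_rcpts)


def addr_count(msg, *headers):
    """Model of addr-count(): cumulative addresses found in the named headers."""
    values = [v for name in headers for v in msg.get_all(name, [])]
    return sum(1 for _name, addr in getaddresses(values) if addr)


def evaluate(raw_message, envelope_rcpts):
    """Return both counts and which of the page's two filters would match."""
    msg = message_from_string(raw_message)
    r, a = rcpt_count(envelope_rcpts), addr_count(msg, "To", "Cc")
    return {"rcpt_count": r, "addr_count": a,
            "large_list_filter": r > RCPT_LIMIT, "count": a > ADDR_LIMIT}


def make_message(to_addrs, cc_addrs=()):
    """Build a constructed RFC 5322 message with the given To/Cc headers."""
    lines = ["From: sender@example.com", "To: " + ", ".join(to_addrs)]
    if cc_addrs:
        lines.append("Cc: " + ", ".join(cc_addrs))
    lines += ["Subject: constructed sample", "", "body"]
    return "\n".join(lines) + "\n"


def sample_cases():
    """Two constructed messages where the rules disagree."""
    users = [f"user{i}@example.net" for i in range(150)]
    return {
        # Bcc-style blast: 150 envelope recipients, one visible To address.
        "bcc_blast": evaluate(make_message(["list@example.com"]), users),
        # 40 addresses in To/Cc, but only 3 envelope recipients on this hop.
        "wide_headers": evaluate(make_message(users[:25], users[25:40]), users[:3]),
    }


if __name__ == "__main__":
    for name, result in sample_cases().items():
        print(name, result)
```

A policy meant to throttle mass mailings should key on the envelope count, since recipients added without a visible header never appear in To or Cc; the header count is the right input only when the goal is to limit address disclosure in the delivered message.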