Cisco Cisco Email Security Appliance C650 Guía Del Usuario
9-7
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Processing
Similarly, if you have multiple attachments, AsyncOS totals the scores for each attachment to determine
the score for matches. For example, you have an
the score for matches. For example, you have an
attachment-contains
filter rule with a threshold of 3.
You receive a message with two attachments, and each attachment contains two matches. AsyncOS
would score this message with four matches and determine that the threshold score has been met.
would score this message with four matches and determine that the threshold score has been met.
Threshold Scoring Multipart/Alternative MIME Parts
To avoid duplicate counting, if there are two representatives of the same content (plain text and HTML),
AsyncOS does not total the matches from the duplicate parts. Instead, it compares the matches in each
part and selects the highest value. AsyncOS would then add this value to the scores from other parts of
the multipart message to create a total score.
AsyncOS does not total the matches from the duplicate parts. Instead, it compares the matches in each
part and selects the highest value. AsyncOS would then add this value to the scores from other parts of
the multipart message to create a total score.
For example, you configure a
body-contains
filter rule and set the threshold to 4. You then receive a
message that contains both plain text, HTML and two attachments. The message would use the
following structure:
following structure:
The
body-contains
filter rule would determine the score for this message by first scoring the text/plain
and text/html parts of the message. It would then compare the results of these scores and select the
highest score from the results. Next, it would add this result to the score from each of the attachments to
determine the final score. Suppose the message has the following number of matches:
highest score from the results. Next, it would add this result to the score from each of the attachments to
determine the final score. Suppose the message has the following number of matches:
Because AsyncOS compares the matches for the text/plain and text/html parts, it returns a score of 3,
which does not meet the minimum threshold to trigger the filter rule.
which does not meet the minimum threshold to trigger the filter rule.
Threshold Scoring for Content Dictionaries
When you use a content dictionary, you can “weight” terms so that certain terms trigger filter actions
more easily. For example, you may want not want to trigger a message filter for the term, “bank.”
However, if the term, “bank” is combined with the term, “account,” and accompanied with an ABA
more easily. For example, you may want not want to trigger a message filter for the term, “bank.”
However, if the term, “bank” is combined with the term, “account,” and accompanied with an ABA
multipart/mixed
multipart/alternative
text/plain
text/html
application/octet-stream
application/octet-stream
multipart/mixed
multipart/alternative
text/plain (2 matches)
text/html (2 matches)
application/octet-stream (1 match)
application/octet-stream