Cisco Cisco Email Security Appliance C650 Guía Del Usuario
Chapter 6 Using Message Filters to Enforce Email Policies
6-306
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Threshold Scoring for Message Bodies and Attachments
An email message may be composed of multiple parts. When you specify
threshold values for filter rules that search for patterns in the message body or
attachments, AsyncOS counts the number of matches in the message parts and
attachments to determine the threshold “score.” Unless the message filter
specifies a specific MIME part (such as the
threshold values for filter rules that search for patterns in the message body or
attachments, AsyncOS counts the number of matches in the message parts and
attachments to determine the threshold “score.” Unless the message filter
specifies a specific MIME part (such as the
attachment-contains
filter rule),
AsyncOS will total the matches found in all parts of the message to determine if
the matches total the threshold value. For example, you have a
the matches total the threshold value. For example, you have a
body-contains
message filter with a threshold of 2. You receive a message in which the body
contains one match, and the attachment contains one match. When AsyncOS
scores this message, it totals the two matches and determines that the threshold
score has been met.
contains one match, and the attachment contains one match. When AsyncOS
scores this message, it totals the two matches and determines that the threshold
score has been met.
Similarly, if you have multiple attachments, AsyncOS totals the scores for each
attachment to determine the score for matches. For example, you have an
attachment to determine the score for matches. For example, you have an
attachment-contains
filter rule with a threshold of 3. You receive a message
with two attachments, and each attachment contains two matches. AsyncOS
would score this message with four matches and determine that the threshold
score has been met.
would score this message with four matches and determine that the threshold
score has been met.
Threshold Scoring Multipart/Alternative MIME Parts
To avoid duplicate counting, if there are two representatives of the same content
(plain text and HTML), AsyncOS does not total the matches from the duplicate
parts. Instead, it compares the matches in each part and selects the highest value.
AsyncOS would then add this value to the scores from other parts of the multipart
message to create a total score.
(plain text and HTML), AsyncOS does not total the matches from the duplicate
parts. Instead, it compares the matches in each part and selects the highest value.
AsyncOS would then add this value to the scores from other parts of the multipart
message to create a total score.
For example, you configure a
body-contains
filter rule and set the threshold to 4.
You then receive a message that contains both plain text, HTML and two
attachments. The message would use the following structure:
attachments. The message would use the following structure:
multipart/mixed
multipart/alternative
text/plain
text/html