Cisco Cisco Email Security Appliance C650 Guía Del Usuario
Chapter 6 Using Message Filters to Enforce Email Policies
6-320
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Using Regular Expressions to Filter Messages
You can use filters to search for strings and patterns in non-ASCII encoded
message content (both headers and bodies). Specifically, the system supports
regular expression (regex) searching for non-ASCII character sets within:
message content (both headers and bodies). Specifically, the system supports
regular expression (regex) searching for non-ASCII character sets within:
•
Message headers
•
MIME attachment filename strings
•
Message body:
–
Bodies without MIME headers (i.e. traditional email)
–
Bodies with MIME headers indicating encoding but no MIME parts
–
Multi-part MIME messages with encoding indicated
–
All of the above without the encoding specified in a MIME header
You can use regular expressions (regexes) to match on any part of the message or
body, including matching attachments. The various attachment types include text,
HTML, MS Word, Excel, and others. Examples of character sets of interest
include gb2312, HZ, EUC, JIS, Shift-JIS, Big5, and Unicode. Message filter rules
with regular expressions can be created through the content filter GUI (see “Email
Security Manager” in the Cisco IronPort AsyncOS for Email Configuration
body, including matching attachments. The various attachment types include text,
HTML, MS Word, Excel, and others. Examples of character sets of interest
include gb2312, HZ, EUC, JIS, Shift-JIS, Big5, and Unicode. Message filter rules
with regular expressions can be created through the content filter GUI (see “Email
Security Manager” in the Cisco IronPort AsyncOS for Email Configuration
Number of repetitions
{min,max}
The regular expression notation that indicates the
number of repetitions of the previous token is
supported.
number of repetitions of the previous token is
supported.
For example, the expression “
fo{2,3}
” matches
foo
and
fooo
but not
fo
or
fofo
.
This statement:
if(header('To') ==
"^.{500,}")
looks for a “To” header that has 500 or
more characters in it.
Or (
|
)
Alternation, or the “or” operator. If A and B are regular
expressions, the expression “
expressions, the expression “
A|B
” will match any string
that matches either “A” or “B.”
For example, the expression “
foo|bar
” will match
either
foo
or
bar
, but not
foobar
.
Table 6-3
Regular Expression in Rules