Cisco Email Security Appliance C650 User Guide
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Processing
Threshold Syntax
To specify a threshold for the minimum number of occurrences, specify the pattern and the minimum
number of matches required to evaluate to true:
if(<filter rule>('<pattern>',<minimum threshold>)){
For example, to specify that the body-contains filter rule must find the value “Company Confidential”
at least two times, use the following syntax:
if(body-contains('Company Confidential',2)){
By default, when AsyncOS saves a content scanning filter, it compiles the filter and assigns a threshold
value of 1, if you have not assigned a value.
You can also specify a minimum number of pattern matches for values in a content dictionary. For more
information about content dictionaries, see the “Text Resources” chapter.
Threshold Scoring for Message Bodies and Attachments
An email message may be composed of multiple parts. When you specify threshold values for filter rules
that search for patterns in the message body or attachments, AsyncOS counts the number of matches in
the message parts and attachments to determine the threshold “score.” Unless the message filter specifies
a specific MIME part (such as the attachment-contains filter rule), AsyncOS will total the matches
found in all parts of the message to determine if the matches total the threshold value. For example, you
have a body-contains message filter with a threshold of 2. You receive a message in which the body
contains one match, and the attachment contains one match. When AsyncOS scores this message, it
totals the two matches and determines that the threshold score has been met.
Similarly, if you have multiple attachments, AsyncOS totals the scores for each attachment to determine
the score for matches. For example, you have an attachment-contains filter rule with a threshold of 3.
You receive a message with two attachments, and each attachment contains two matches. AsyncOS
would score this message with four matches and determine that the threshold score has been met.
Threshold Scoring Multipart/Alternative MIME Parts
To avoid duplicate counting, if there are two representatives of the same content (plain text and HTML),
AsyncOS does not total the matches from the duplicate parts. Instead, it compares the matches in each
part and selects the highest value. AsyncOS would then add this value to the scores from other parts of
the multipart message to create a total score.
For example, you configure a body-contains filter rule and set the threshold to 4. You then receive a
message that contains plain text, HTML and two attachments. The message would use the
following structure:
multipart/mixed
multipart/alternative
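The scoring rules from the threshold sections above, modeled in Python as an added example (not Cisco or AsyncOS code): matches are summed across parts, except that multipart/alternative contributes only its highest-scoring part. The function names, the sample message and its match counts are constructed for illustration, and Python's re module stands in for the filter's pattern matching.

```python
# Added illustration: a model of the threshold scoring described on this page,
# not AsyncOS code. The message built below is constructed sample data.
import re
from email.message import EmailMessage


def part_score(part, pattern):
    """Score one MIME node. Children are summed, except under
    multipart/alternative, where duplicate representations of the same
    content contribute only the highest match count."""
    if part.is_multipart():
        scores = [part_score(child, pattern) for child in part.iter_parts()]
        if part.get_content_type() == "multipart/alternative":
            return max(scores, default=0)
        return sum(scores)
    payload = part.get_payload(decode=True) or b""
    charset = part.get_content_charset() or "utf-8"
    return len(re.findall(pattern, payload.decode(charset, errors="replace")))


def threshold_met(msg, pattern, threshold=1):
    """threshold defaults to 1, the value the page says is assigned when
    none is given."""
    return part_score(msg, pattern) >= threshold


def build_sample():
    """Constructed message: multipart/mixed holding a multipart/alternative
    (plain + HTML) and two attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Company Confidential\n")            # plain text: 1 match
    msg.add_alternative("<p>Company Confidential</p>"
                        "<p>Company Confidential</p>",
                        subtype="html")                  # HTML: 2 matches
    for name in ("a.txt", "b.txt"):                      # 1 match each
        msg.add_attachment(b"Company Confidential notes", maintype="text",
                           subtype="plain", filename=name)
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print("score:", part_score(sample, "Company Confidential"))
    print("threshold 4 met:", threshold_met(sample, "Company Confidential", 4))
```

Counting every leaf part of this sample independently would give 5; the model gives 4 because the plain-text and HTML alternatives are treated as one piece of content.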