Cisco Cisco Email Security Appliance X1050 Guía Del Usuario
9-6
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Processing
Figure 9-1
Message with “Attachment”
Because the Cisco appliance makes this distinction between the body and the attachment in multipart
messages, there are several cases you should be aware of when using the
messages, there are several cases you should be aware of when using the
body-
variable or
attachment-
variable message filter rules in order to achieve the expected behavior:
•
If you have a message with a single text part—that is, a message containing a header of
“Content-Type: text/plain” or “Content-Type: text/html” — the Cisco appliance will consider the
entire message as the body. If the content type is anything different, the Cisco appliance considers
it to be a single attachment.
“Content-Type: text/plain” or “Content-Type: text/html” — the Cisco appliance will consider the
entire message as the body. If the content type is anything different, the Cisco appliance considers
it to be a single attachment.
•
Some encoded files (uuencoded, for example) are included in the body of the email message. When
this occurs, the encoded file is treated as an attachment, and it is extracted and scanned, while the
remaining text is considered to be the body of the text.
this occurs, the encoded file is treated as an attachment, and it is extracted and scanned, while the
remaining text is considered to be the body of the text.
•
A single, non-text part is always considered an attachment. For example, a message consisting of
only a.zip file is considered an attachment.
only a.zip file is considered an attachment.
Thresholds for Matches in Content Scanning
When you add filter rules that search for patterns in the message body or attachments, you can specify
the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the
message, it totals the “score” for the number of matches it finds in the message and attachments. If the
minimum threshold is not met, the regular expression does not evaluate to true. You can specify this
threshold for the following filter rules:
the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the
message, it totals the “score” for the number of matches it finds in the message and attachments. If the
minimum threshold is not met, the regular expression does not evaluate to true. You can specify this
threshold for the following filter rules:
•
body-contains
•
only-body-contains
•
attachment-contains
•
every-attachment-contains
•
dictionary-match
•
attachment-dictionary-match
You can also specify a threshold value for the
drop-attachments-where-contains
action.
Note
You cannot specify thresholds for filter rules that scan headers or envelope recipients and senders.
Related Topics
•
•
•