Cisco Email Security Appliance C650 User Guide
User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
Header Repeats Rule
The Header Repeats rule evaluates to true if, at a given point in time, a specified number of messages:
• With the same subject are detected in the last one hour.
• From the same envelope sender are detected in the last one hour.
You can use this rule to detect high volume emails. For example, political campaigns through certain
websites may send out emails to organizations in high volumes. Anti-spam engines treat such emails as
clean, and do not stop the delivery of these emails.
The syntax of this rule is header-repeats (<target>, <threshold> [, <direction>]), where:
• <target> is subject or mail-from. AsyncOS counts the repetition of values of the target.
• <threshold> is the number of messages with identical values for a given target, received in the last one hour, beyond which the rule evaluates to true.
• <direction> is incoming, outgoing, or both. If direction is not specified in this rule, incoming or outgoing messages are counted for rule evaluation.
Every time a Header Repeats rule evaluates to true, a System Alert is sent. See
Note
If the header field includes comma- or semicolon-separated values, the rule considers the complete string for tracking. This rule ignores messages with an empty subject header.
The Header Repeats rule maintains a moving sum of messages with up to one minute's precision. As a result, after the set threshold has been reached, there can be a delay of one minute before this rule is triggered.
Using Header Repeats Rule with Other Rules
You can use the Header Repeats rule with other rules using AND or OR operators. For example, you can whitelist a subset of messages using the following filter:
F1: if (recv-listener == 'Gray') AND (header-repeats('subject', X, 'incoming')) {
drop();}
When you use a Header Repeats rule with another rule using AND or OR operators, the Header Repeats rule is evaluated last, and only if needed. If a Header Repeats rule is not evaluated for a given message, subject or mail-from is not counted to compare with the supplied threshold.
Because the Header Repeats rule is evaluated last and only if needed, the behavior of this rule may vary when used with other rules using an OR operator. The following sample filter uses an OR condition of the Signed and Header Repeats rules.
f1: if signed OR (header-repeats('subject', 10)) { drop();}
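The evaluation order described above can be seen in a small simulation. This is an added example, not Cisco's implementation or code from the guide: the class and function names are hypothetical, time is modelled in whole minutes, and the up-to-one-minute trigger delay is not modelled.

```python
from collections import defaultdict, deque

WINDOW_MINUTES = 60  # the rule looks at the last one hour


class HeaderRepeats:
    """Simplified model of header-repeats(<target>, <threshold>)."""
    def __init__(self, target, threshold):
        self.target = target                # 'subject' or 'mail-from'
        self.threshold = threshold
        self.buckets = defaultdict(deque)   # header value -> [minute, count] pairs

    def evaluate(self, msg, now_minute):
        value = msg.get(self.target, "")
        if self.target == "subject" and not value:
            return False                    # empty subjects are ignored
        q = self.buckets[value]             # the complete string is the key
        while q and q[0][0] <= now_minute - WINDOW_MINUTES:
            q.popleft()                     # forget buckets older than one hour
        if q and q[-1][0] == now_minute:
            q[-1][1] += 1
        else:
            q.append([now_minute, 1])
        # Assumption: "beyond" the threshold means strictly greater than it.
        return sum(count for _, count in q) > self.threshold


def signed_or_repeats(msg, rule, now_minute):
    """if signed OR (header-repeats(...)): header-repeats runs last, if needed."""
    if msg.get("signed"):
        return True                         # rule skipped, message not counted
    return rule.evaluate(msg, now_minute)


def run(stream, threshold):
    """Return one verdict per (minute, message) pair in the stream."""
    rule = HeaderRepeats("subject", threshold)
    return [signed_or_repeats(msg, rule, minute) for minute, msg in stream]


# Constructed sample: one signed and three unsigned copies of one subject.
SAMPLE = [
    (0, {"subject": "Vote now", "signed": True}),
    (1, {"subject": "Vote now"}),
    (2, {"subject": "Vote now"}),
    (3, {"subject": "Vote now"}),
]

print(run(SAMPLE, 2))  # one verdict per message
```

The signed message matches the filter but never reaches the counter, so the repeat count for its subject starts at the first unsigned copy.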