Cisco Email Security Appliance C170 User Guide

User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
 
Chapter 11: Content Filters
Content Filter Conditions
Remote IP
Was the message sent from a remote host that matches a given IP address 
or IP block? The Remote IP rule tests to see if the IP address of the host 
that sent that message matches a certain pattern. This can be an Internet 
Protocol version 4 (IPv4) or version 6 (IPv6) address. The IP address 
pattern is specified using the allowed hosts notation described in 
, except for the SBO, SBRS, dnslist notations and 
the special keyword ALL.
Reputation Score
What is the sender’s SenderBase Reputation Score? The Reputation Score 
rule checks the SenderBase Reputation Score against another value. 
DKIM Authentication
Did DKIM authentication pass, partially verify, return temporarily 
unverifiable, permanently fail, or were no DKIM results returned?
Forged Email Detection
Is the sender address of the message forged? The rule checks if the From: 
header in the message is similar to any of the users in the content 
dictionary.
Select a content dictionary and enter the threshold value (1 through 100) 
for considering a message as potentially forged. 
The Forged Email Detection condition compares the From: header with the 
users in the content dictionary. During this process, depending on the 
similarity, the appliance assigns a similarity score to each of the users in the 
dictionary. The following are some examples:
If the From: header is <j0hn.sim0ns@example.com> and the content 
dictionary contains a user ‘John Simons,’ the appliance assigns a 
similarity score of 82 to the user.
If the From: header is <john.simons@diff-example.com> and the 
content dictionary contains a user ‘John Simons,’ the appliance 
assigns a similarity score of 100 to the user.
The higher the similarity score, the higher the probability that the message 
is forged. If the similarity score is greater than or equal to the specified 
threshold value, the filter action is triggered. 
For more information, see 
.
SPF Verification
What was the SPF verification status? This filter rule allows you to query 
for different SPF verification results. For more information about SPF 
verification, see the “Email Authentication” chapter.
Note
If you have configured an SPF verification content filter condition 
without an SPF identity and if a message contains different SPF 
identities with different verdicts, the condition is triggered if one 
of the verdicts in the message matches the condition.
S/MIME Gateway Message
Is the message S/MIME signed, encrypted, or signed and encrypted? For 
more information, see 
S/MIME Gateway Verified
Is the S/MIME message successfully verified, decrypted, or decrypted and 
verified? For more information, see 
Table 11-1: Content Filter Conditions (continued)
Columns: Condition | Description
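The threshold logic of the Forged Email Detection condition described above, as an added example that is not Cisco's code: the appliance's scoring algorithm is not given in this guide, so Python's difflib ratio stands in for it, and the dictionary contents and all function names are hypothetical. With this stand-in metric, the two From: headers from the examples above score 82 and 100.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed content dictionary of protected users (assumption, not from the guide).
EXEC_DICTIONARY = ["John Simons", "Maria Alvarez"]


def _normalize(text):
    """Lowercase and collapse separators (. _ - whitespace) into single spaces."""
    return re.sub(r"[._\-\s]+", " ", text).strip().lower()


def similarity_scores(from_header, dictionary):
    """Score (0-100) the From: local part and display name against each user.

    The domain is ignored, so a correct name at a look-alike domain still
    scores high. difflib is a stand-in metric, not the appliance's algorithm.
    """
    display, addr = parseaddr(from_header)
    local_part = addr.rsplit("@", 1)[0]
    candidates = [c for c in (_normalize(local_part), _normalize(display)) if c]
    scores = {}
    for user in dictionary:
        target = _normalize(user)
        best = max((SequenceMatcher(None, c, target).ratio() for c in candidates),
                   default=0.0)
        scores[user] = round(best * 100)
    return scores


def forged_email_detected(from_header, dictionary, threshold):
    """Return (triggered, user, score); triggers when score >= threshold."""
    if not 1 <= threshold <= 100:
        raise ValueError("threshold must be between 1 and 100")
    scores = similarity_scores(from_header, dictionary)
    if not scores:  # empty dictionary: nothing to compare against
        return False, None, 0
    user, score = max(scores.items(), key=lambda kv: kv[1])
    return score >= threshold, user, score


if __name__ == "__main__":
    for header in ("<j0hn.sim0ns@example.com>", "<john.simons@diff-example.com>"):
        print(header, forged_email_detected(header, EXEC_DICTIONARY, 80))
```

Raising the threshold above 82 lets the digit-substituted address through while the exact-name, different-domain address still triggers, which is the trade-off to weigh when choosing a threshold value.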