Cisco Email Security Appliance C190 User Guide
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 6 Using Message Filters to Enforce Email Policies
• If an attachment is an archive, the Cisco IronPort appliance will harvest the filenames from inside
the archive and apply scanconfig
rules (see
accordingly.
– If the attachment is a single compressed file (despite the file extension), it is not considered an
archive and the filename of the compressed file is not harvested. This means that the file is not
processed by the attachment-filename rule. An example of this type of file is an executable
file (.exe) compressed with gzip.
– For attachments consisting of a single compressed file, such as foo.exe.gz, use a regular
expression to search for specific file types within compressed files. See
See
for more information on message filter rules you can use to
manipulate attachments to messages.
The following filter checks all email sent through the listener, and if a message contains an attachment
with a filename *.mp3, the message is bounced:

block_mp3s:
if (attachment-filename == '(?i)\\.mp3$') {
    bounce();
}

Attachment Filenames and Single Compressed Files within Archive Files
This example shows how to match single compressed files in archives such as those created by gzip:

quarantine_gzipped_exe_or_pif:
if (attachment-filename == '(?i)\\.(exe|pif)($|\\.gz$)') {
    quarantine("Policy");
}

DNS List Rule
The dnslist() rule queries a public DNS List server that uses the DNSBL method (sometimes called
“ip4r lookups”) of querying. The IP address of the incoming connection is reversed (so an IP of 1.2.3.4
becomes 4.3.2.1) and then added as a prefix to the server name in the parentheses (a period to separate
the two is added if the server name does not start with one). A DNS query is made, and the system
receives either a DNS failure response (indicating the connection's IP address was not found in the
server's list) or an IP address (indicating that the address was found). The IP address returned is usually
of the form 127.0.0.x where x can be almost any number from 0 to 255 (IP address ranges are not
allowed). Some servers actually return different numbers based on the reason for the listing, while others
return the same result for all matches.
Like the header() rule, dnslist() can be used in either a unary or binary comparison. By itself, it
simply evaluates to true if a response is received and false if no response is received (for example, if
the DNS server is unreachable).
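The lookup described in the DNS List Rule section, sketched in Python as an added example (not Cisco's code and not part of the guide). The server name dnsbl.example.test, the function names and the constructed FAKE_ZONE table are assumptions for illustration.

```python
import ipaddress
import socket

def dnsbl_query_name(client_ip, server):
    """Reverse the IPv4 octets and prefix them to the list server's name."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")  # rejects non-IPv4 input
    reversed_ip = ".".join(reversed(octets))
    # A separating period is added only if the server name lacks a leading one.
    sep = "" if server.startswith(".") else "."
    return reversed_ip + sep + server

def _resolve_a(name):
    """Default resolver: A records from the system resolver; raises OSError on failure."""
    return socket.gethostbyname_ex(name)[2]

def dnsbl_lookup(client_ip, server, resolve=_resolve_a):
    """Return the addresses the list server answered with, or [] on DNS failure."""
    try:
        return list(resolve(dnsbl_query_name(client_ip, server)))
    except OSError:
        # "Not listed" and "server unreachable" both end up here, which is why
        # the unary comparison is false in either case.
        return []

def listed(client_ip, server, resolve=_resolve_a):
    """Unary comparison: true if any response is received."""
    return bool(dnsbl_lookup(client_ip, server, resolve))

def listed_as(client_ip, server, code, resolve=_resolve_a):
    """Binary comparison: true only if the server returned this exact address."""
    return code in dnsbl_lookup(client_ip, server, resolve)

# Constructed stand-in for a DNS List server so the example runs offline.
FAKE_ZONE = {"4.3.2.1.dnsbl.example.test": ["127.0.0.2"]}

def fake_resolve(name):
    if name not in FAKE_ZONE:
        raise socket.gaierror("name not found")  # models the DNS failure response
    return FAKE_ZONE[name]

if __name__ == "__main__":
    server = "dnsbl.example.test"  # hypothetical list server name
    for ip in ("1.2.3.4", "5.6.7.8"):
        print(ip, dnsbl_query_name(ip, server), listed(ip, server, fake_resolve))
```

Because an unreachable list server and an unlisted address both evaluate to false, a filter that relies on the unary form passes mail silently when the DNS List server is down.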