Cisco Cisco Email Security Appliance C160 Mode D'Emploi
9-8
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Processing
routing number, you may want to trigger a filter action. To accomplish this, you can use a weighted
dictionary to give increased importance to certain terms or a combination of terms. When a message
filter that uses a content dictionary scores the matches for filter rule, it uses these weights to determine
the final score. For example, suppose you create a content dictionary with the following contents and
weights:
dictionary to give increased importance to certain terms or a combination of terms. When a message
filter that uses a content dictionary scores the matches for filter rule, it uses these weights to determine
the final score. For example, suppose you create a content dictionary with the following contents and
weights:
When you associate this content dictionary with a
dictionary-match
or
attachment-dictionary-match
message filter rule, AsyncOS would add the weight for the term to the
total “score” for each instance of the matching term found in the message. For example, if the message
contains three instances of the term, “account” in the message body, AsyncOS would add a value of 6 to
the total score. If you set the threshold value for the message filter to 6, AsyncOS would determine that
the threshold score has been met. Or, if the message contained one instance of each term, the total value
would be 6, and this score would trigger the filter action.
contains three instances of the term, “account” in the message body, AsyncOS would add a value of 6 to
the total score. If you set the threshold value for the message filter to 6, AsyncOS would determine that
the threshold score has been met. Or, if the message contained one instance of each term, the total value
would be 6, and this score would trigger the filter action.
AND Test and OR Tests in Message Filters
When evaluating AND or OR tests within message filters, AsyncOS does not evaluate unneeded tests.
So, for example, if one side of an AND test is false, the system will not evaluate the other side. It is
important to note that the system does not evaluate the tests from left to right. Instead, when AND and
OR tests are evaluated, the least expensive test is evaluated first. For example, in the following filter, the
So, for example, if one side of an AND test is false, the system will not evaluate the other side. It is
important to note that the system does not evaluate the tests from left to right. Instead, when AND and
OR tests are evaluated, the least expensive test is evaluated first. For example, in the following filter, the
remote-ip
test will always be processed first because it has a lower cost than the
rcpt-to-group
test
(generally LDAP tests are more expensive):
Because the least expensive test is performed first, switching the order of the items in the test will have
no effect. If you want to guarantee the order in which tests are performed, use nested
no effect. If you want to guarantee the order in which tests are performed, use nested
if
statements. This
is also the best way to ensure that an expensive test is avoided whenever possible:
Table 9-1
Sample Content Dictionary
Term/Smart Identifier
Weight
ABA Routing Number
3
Account
2
Bank
1
andTestFilter:
if (remote-ip == "192.168.100.100" AND rcpt-to-group == "GROUP")
{ ... }
expensiveAvoid:
if (<simple tests>)
{ if (<expensive test>)
{ <action> }
}