Cisco Cisco Email Security Appliance C160 Mode D'Emploi
9-6
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Processing
Thresholds for Matches in Content Scanning
When you add filter rules that search for patterns in the message body or attachments, you can specify
the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the
message, it totals the “score” for the number of matches it finds in the message and attachments. If the
minimum threshold is not met, the regular expression does not evaluate to true. You can specify this
threshold for the following filter rules:
the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the
message, it totals the “score” for the number of matches it finds in the message and attachments. If the
minimum threshold is not met, the regular expression does not evaluate to true. You can specify this
threshold for the following filter rules:
•
body-contains
•
only-body-contains
•
attachment-contains
•
every-attachment-contains
•
dictionary-match
•
attachment-dictionary-match
You can also specify a threshold value for the
drop-attachments-where-contains
action.
Note
You cannot specify thresholds for filter rules that scan headers or envelope recipients and senders.
Threshold Syntax
To specify a threshold for the minimum number of occurrences, specify the pattern and the minimum
number of matches required to evaluate to true:
number of matches required to evaluate to true:
For example, to specify that the
body-contains
filter rule must find the value “Company Confidential”
at least two times, use the following syntax:
By defeat, when AsyncOS saves a content scanning filter, it compiles the filter and assigns a threshold
value of 1, if you have not assigned a value.
value of 1, if you have not assigned a value.
You can also specify a minimum number of pattern matches for values in a content dictionary. For more
information about content dictionaries, see the “Text Resources” chapter.
information about content dictionaries, see the “Text Resources” chapter.
Threshold Scoring for Message Bodies and Attachments
An email message may be composed of multiple parts. When you specify threshold values for filter rules
that search for patterns in the message body or attachments, AsyncOS counts the number of matches in
the message parts and attachments to determine the threshold “score.” Unless the message filter specifies
a specific MIME part (such as the
that search for patterns in the message body or attachments, AsyncOS counts the number of matches in
the message parts and attachments to determine the threshold “score.” Unless the message filter specifies
a specific MIME part (such as the
attachment-contains
filter rule), AsyncOS will total the matches
found in all parts of the message to determine if the matches total the threshold value. For example, you
have a
have a
body-contains
message filter with a threshold of 2. You receive a message in which the body
contains one match, and the attachment contains one match. When AsyncOS scores this message, it
totals the two matches and determines that the threshold score has been met.
totals the two matches and determines that the threshold score has been met.
if(<filter rule>('<pattern>',<minimum threshold>)){
if(body-contains('Company Confidential',2)){