Cisco Email Security Appliance C160 User Manual

Cisco AsyncOS 8.5.5 for Email Security User Guide
 
Chapter 9      Using Message Filters to Enforce Email Policies
  Message Filter Rules
        bounce();
   }

Attachment Filenames and Single Compressed Files within Archive Files
This example shows how to match single compressed files in archives such as those created by gzip:

quarantine_gzipped_exe_or_pif:
   if (attachment-filename == '(?i)\\.(exe|pif)($|.gz$)') {
      quarantine("Policy");
   }

DNS List Rule
The dnslist() rule queries a public DNS List server that uses the DNSBL method (sometimes called “ip4r lookups”) of querying. The IP address of the incoming connection is reversed (so an IP of 1.2.3.4 becomes 4.3.2.1) and then added as a prefix to the server name in the parentheses (a period to separate the two is added if the server name does not start with one). A DNS query is made, and the system receives either a DNS failure response (indicating the connection's IP address was not found in the server's list) or an IP address (indicating that the address was found). The IP address returned is usually of the form 127.0.0.x, where x can be almost any number from 0 to 255 (IP address ranges are not allowed). Some servers actually return different numbers based on the reason for the listing, while others return the same result for all matches.

Like the header() rule, dnslist() can be used in either a unary or binary comparison. By itself, it simply evaluates to true if a response is received and false if no response is received (for example, if the DNS server is unreachable).

The following filter immediately delivers a message if the sender has been bonded with the Cisco Bonded Sender information services program:

whitelist_bondedsender:
   if (dnslist('query.bondedsender.org')) {
      skip-filters();
   }

Optionally, you can compare the result to a string using the equality (==) or inequality (!=) expressions.

The following filter drops a message that results in a “127.0.0.2” response from the server. If the response is anything else, the rule returns “false” and the filter is ignored.

blacklist:
   if (dnslist('dnsbl.example.domain') == '127.0.0.2') {
      drop();
   }
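
The lookup that the DNS List Rule section describes, written out in Python as an added example (not Cisco's code and not part of the guide): it builds the reversed-octet query name, resolves it, and applies the unary and binary comparisons. The function names, the stub resolver and its zone entries are constructed for illustration; only dnsbl.example.domain and 127.0.0.2 come from the text above.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, server):
    """Reverse the IPv4 octets and prefix them to the DNS list server name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    sep = "" if server.startswith(".") else "."          # add the period only if missing
    return ".".join(reversed(octets)) + sep + server

def dnsbl_lookup(ip, server, resolve=socket.gethostbyname):
    """Return the address the list answered with, or None on a DNS failure."""
    try:
        answer = resolve(dnsbl_query_name(ip, server))
    except OSError:  # socket.gaierror: not listed, or the server is unreachable
        return None
    # Assumption of this sketch: answers outside 127.0.0.x are not listings.
    return answer if answer.startswith("127.0.0.") else None

def dnslist(ip, server, expected=None, resolve=socket.gethostbyname):
    """Unary form: any listing is true. Binary form: answer must equal expected."""
    answer = dnsbl_lookup(ip, server, resolve)
    if expected is None:
        return answer is not None
    return answer == expected

# Constructed zone data standing in for a real DNS list server.
FAKE_ZONE = {
    "4.3.2.1.dnsbl.example.domain": "127.0.0.2",
    "9.0.0.10.dnsbl.example.domain": "127.0.0.4",
}

def fake_resolve(name):
    """Offline stub resolver: unknown names fail the way a DNS failure would."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return FAKE_ZONE[name]

if __name__ == "__main__":
    zone = "dnsbl.example.domain"
    for ip in ("1.2.3.4", "10.0.0.9", "192.0.2.7"):
        print(ip, dnsbl_query_name(ip, zone),
              "listed:", dnslist(ip, zone, resolve=fake_resolve),
              "== 127.0.0.2:", dnslist(ip, zone, "127.0.0.2", fake_resolve))
```

Comparing against a specific return code matters when a list uses different 127.0.0.x values for different listing reasons: 10.0.0.9 in the constructed data is listed, but not with 127.0.0.2, so the binary form is false for it.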