Cisco Email Security Appliance C160 User Guide

User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
 
Chapter 9      Using Message Filters to Enforce Email Policies
  Message Filter Rules
<direction> is incoming, outgoing, or both. If direction is not specified in this rule, incoming or outgoing messages are counted for rule evaluation.
Every time a Header Repeats rule evaluates to true, a System Alert is sent. See
Note: If the header field includes comma- or semicolon-separated values, the rule considers the complete string for tracking. This rule ignores messages with an empty subject header.
The Header Repeats rule maintains a moving sum of messages with up to one minute's precision. As a result, after the set threshold has been reached, there can be a delay of one minute before this rule is triggered.
Related Topics
Using Header Repeats Rule with Other Rules
You can use the Header Repeats rule with other rules using AND or OR operators. For example, you can whitelist a subset of messages using the following filter:
F1: if (recv_listener == 'Gray') AND (header-repeats('subject', X, 'incoming')) { drop();}
When you use a Header Repeats rule with another rule using AND or OR operators, the Header Repeats rule is evaluated last, and only if needed. If a Header Repeats rule is not evaluated for a given message, its subject or mail-from is not counted toward the supplied threshold.
Because the Header Repeats rule is evaluated last and only if needed, the behavior of this rule may vary when it is combined with other rules using an OR operator. The following sample filter uses an OR condition of the Signed and Header Repeats rules.
f1: if signed OR (header-repeats('subject', 10)) { drop();}
In this example, if the first nine messages processed by this filter are signed messages with an identical subject, the Header Repeats rule will not process these messages. If the tenth message is an unsigned message with the same subject header as the previous nine messages, the filter will not perform the configured action, even though the threshold has been reached.
Examples
In the following example, at any given point in time, if the filter detects X or more incoming messages with identical subject in the last one hour, the subsequent messages with identical subject are sent to Policy quarantine.
f1 : if header-repeats('subject', X, 'incoming') { quarantine('Policy');}
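The counting behavior described for the Signed OR Header Repeats filter can be checked with a small model. This Python sketch is an added example, not AsyncOS code: the class, the function names, the one-hour window, the firing condition and the message stream are all assumptions made for illustration. It replays nine signed messages followed by one unsigned message with the same subject and compares evaluate-only-if-needed counting with a hypothetical variant that counts every message.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # assumption: one-hour window, as in the page's Examples text


class HeaderRepeats:
    """Toy model of a header-repeats('subject', threshold) rule."""

    def __init__(self, threshold, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)  # subject -> timestamps of counted messages

    def evaluate(self, msg, now):
        subject = msg.get("subject", "")
        if not subject:              # the page: empty subject headers are ignored
            return False
        stamps = self.seen[subject]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()         # drop entries that left the moving window
        stamps.append(now)           # a message is counted only when evaluated
        # Assumption: true once counted messages in the window reach the threshold.
        return len(stamps) >= self.threshold


def run_filter(messages, threshold, short_circuit=True):
    """Apply `signed OR header-repeats('subject', threshold)` to a stream.

    short_circuit=True mirrors the page: header-repeats runs last, only if needed.
    short_circuit=False is a hypothetical variant that counts every message.
    Returns one boolean per message: whether the filter action fired.
    """
    rule = HeaderRepeats(threshold)
    fired = []
    for now, msg in enumerate(messages):  # constructed timestamps, 1 s apart
        if short_circuit:
            fired.append(msg["signed"] or rule.evaluate(msg, now))
        else:
            repeats = rule.evaluate(msg, now)
            fired.append(msg["signed"] or repeats)
    return fired


# Constructed sample: nine signed messages, then one unsigned, same subject.
STREAM = [{"subject": "Invoice", "signed": True}] * 9 + [
    {"subject": "Invoice", "signed": False}
]

print(run_filter(STREAM, 10)[-1], run_filter(STREAM, 10, short_circuit=False)[-1])
```

In the short-circuit run the tenth message is the first one the rule ever counts, so the filter does not act on it; the gap is the nine signed messages that never reached the counter.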