Cisco Cisco Email Security Appliance C160 Mode D'Emploi
9-47
User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
In this example, if the first nine messages processed by this filter are signed messages with identical
subject, the Header Repeats rule will not process these messages. If the tenth message is an unsigned
message with identical subject header as the previous nine messages, the filter will not perform the
configured action, even though the threshold has reached.
subject, the Header Repeats rule will not process these messages. If the tenth message is an unsigned
message with identical subject header as the previous nine messages, the filter will not perform the
configured action, even though the threshold has reached.
Examples
In the following example, at any given point in time, if the filter detects
X
or more incoming messages
with identical subject in the last one hour, the subsequent messages with identical subject are sent to
Policy quarantine.
Policy quarantine.
In the following example, at any given point in time, if the filter detects
X
or more outgoing messages
from same envelope sender in the last one hour, the subsequent messages from the same envelope sender
are dropped and discarded.
are dropped and discarded.
In the following example, at any given point in time, if the filter detects
X
or more incoming or outgoing
messages with identical subject in the last one hour, the administrator is notified for every subsequent
message with identical subject.
message with identical subject.
URL Reputation Rules
Use a URL reputation rule to define message actions based on the reputation score of any URL in the
message. For important details, see
message. For important details, see
in
For these rules:
•
msg_filter_name
: is the name of this message filter.
•
whitelist
is the name of a defined URL list (via the
urllistconfig
command.) Specifying a
whitelist is optional.
To take action when the reputation service provides a score:
Use the
url-reputation
rule.
Filter syntax when using a
url-reputation
rule is:
<msg_filter_name>:
if url-reputation(<min_score>, <max_score>, '<whitelist>')
{<action>}
Where:
•
min_score
and
max_score
are the minimum and maximum scores in the range for which the action
should apply. The values that you specify are included in the range.
Minimum and maximum scores must be between
-10.0
and
10.0
.
f1 : if header-repeats('subject', X, 'incoming') { quarantine('Policy');}
f2 : if header-repeats('mail-from', X, 'outgoing') {drop();}
f3: if header-repeats('subject', X) {notify('admin@xyz.com');}