Cisco Cisco Email Security Appliance C160 Mode D'Emploi

The following example inserts a new header if the certificate issuer is from the US:

The following example notifies an administrator if the signer is not from example.com:

The following example adds a header if the message has an X.509 certificate:

The following example adds a header if the message’s certificate does not have a signer:

The Header Repeats rule evaluates to 

true

 if at a given point in time, a specified number of messages:

With same subject are detected in the last one hour.

From same envelope sender are detected in the last one hour.

You can use this rule to detect high volume emails. For example, political campaigns through certain 
websites may send out emails to organizations in high volumes. Anti-spam engines treat such emails as 
clean, and do not stop the delivery of these emails.

The syntax of this rule is 

header-repeats (<target>, <threshold> [, <direction>])

, where:

<target>

 is 

subject

 or 

mail-from

. AsyncOS counts the repetition of values of the target.

<threshold>

 is the number of messages with identical values for a given target, received in the last 

one hour, beyond which the rule evaluates to true.

Issuer: if signed-certificate("issuer") == "(?i)C=US" {

    insert-header("X-Test", "US issuer");

}

NotOurSigners: if signed-certificate("signer") AND

      signed-certificate("signer") != "example\\.com$" {

    notify("admin@example.com");

}

AnyX509: if signed-certificate ("issuer") {

    insert-header("X-Test", "X.509 present");

}

NoSigner: if not signed-certificate ("signer") {

    insert-header("X-Test", "Old X.509?");

}