Cisco Cisco Email Security Appliance C160 Mode D'Emploi
11-9
Cisco AsyncOS 9.1 for Email User Guide
Chapter 11 Content Filters
How Content Filters Work
Content Filter Actions
The action is what the Email Security appliance does with a message that matches the content filter’s
condition. Many different types of actions are available, including modifying the message, quarantining
it, or dropping it. A “final action” performed on a message, delivering or dropping it, forces the Email
Security appliance to perform the action immediately and forgo all further processing, such as Outbreak
Filter or DLP scanning.
condition. Many different types of actions are available, including modifying the message, quarantining
it, or dropping it. A “final action” performed on a message, delivering or dropping it, forces the Email
Security appliance to perform the action immediately and forgo all further processing, such as Outbreak
Filter or DLP scanning.
At least one action must be defined for each content filter.
Actions are performed in order on messages, so consider the order of actions when defining multiple
actions for a content filter.
actions for a content filter.
When you configure a quarantine action for messages that match Attachment Content conditions,
Message Body or Attachment conditions, Message body conditions, or the Attachment content
conditions, you can view the matched content in the quarantined message. When you display the
message body, the matched content is highlighted in yellow. You can also use the
Message Body or Attachment conditions, Message body conditions, or the Attachment content
conditions, you can view the matched content in the quarantined message. When you display the
message body, the matched content is highlighted in yellow. You can also use the
$MatchedContent
action variable to include the matched content in the message subject. For more information, see the Text
Resources chapter.
Resources chapter.
Remote IP
Was the message sent from a remote host that matches a given IP address
or IP block? The Remote IP rule tests to see if the IP address of the host
that sent that message matches a certain pattern. This can be an Internet
Protocol version 4 (IPv4) or version 6 (IPv6) address. The IP address
pattern is specified using the allowed hosts notation described in
or IP block? The Remote IP rule tests to see if the IP address of the host
that sent that message matches a certain pattern. This can be an Internet
Protocol version 4 (IPv4) or version 6 (IPv6) address. The IP address
pattern is specified using the allowed hosts notation described in
, except for the SBO, SBRS, dnslist notations and
the special keyword ALL.
Reputation Score
What is the sender’s SenderBase Reputation Score? The Reputation Score
rule checks the SenderBase Reputation Score against another value.
rule checks the SenderBase Reputation Score against another value.
DKIM Authentication
Did DKIM authentication pass, partially verify, return temporarily
unverifiable, permanently fail, or were no DKIM results returned?
unverifiable, permanently fail, or were no DKIM results returned?
SPF Verification
What was the SPF verification status? This filter rule allows you to query
for different SPF verification results. For more information about SPF
verification, see the “Email Authentication” chapter.
for different SPF verification results. For more information about SPF
verification, see the “Email Authentication” chapter.
S/MIME Gateway Message
Is the message S/MIME signed, encrypted, or signed and encrypted? For
more information, see
more information, see
S/MIME Gateway Verified
Is the S/MIME message successfully verified, decrypted, or decrypted and
verified? For more information, see
verified? For more information, see
Table 11-1
Content Filter Conditions (continued)
Condition
Description