Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
9-28
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
Address Count Rule
The
addr-count()
message filter rule takes one or more header strings, counts the number of recipients
in each line and reports the cumulative number of recipients. This filter differs from the
rcpt-count
filter rule in that it operates on the message body headers instead of the envelope recipients. The
following example shows the filter rule used to replace a long list of recipients with the alias,
“undisclosed-recipients”:
following example shows the filter rule used to replace a long list of recipients with the alias,
“undisclosed-recipients”:
Body Scanning Rule
The
body-contains()
rule scans the incoming email and all its attachments for a particular pattern
defined by its parameter. This includes delivery-status parts and associated attachments. The
body-contains()
rule does not perform multi-line matching. The scanning logic can be modified using
the
scanconfig
command in the CLI to define which MIME types should or should not be scanned. You
can also specify a minimum number of matches that the scanning engine must find in order for the scan
to evaluate to true.
to evaluate to true.
By default, the system scans all attachments except for those with a MIME type of
video/*
,
audio/*
,
image/*
. The system scans archive attachments —
.zip
,
.bzip
,
.compress
,
.tar
, or
.gzip
attachments
containing multiple files. You can set the number of “nested” archived attachments to scan (for example,
a
a
.zip
contained within a
.zip
).
For more information, including an example of how to use the
scanconfig
command to set the
attachment scanning behavior, see
.
Body Scanning
When AsyncOS performs body scanning, it scans the body text and attachments for the regular
expression. You can assign a minimum threshold value for the expression, and if the scanning engine
encounters the regular expression the minimum number of times, the expression evaluates to
expression. You can assign a minimum threshold value for the expression, and if the scanning engine
encounters the regular expression the minimum number of times, the expression evaluates to
true
.
AsyncOS evaluates the different MIME parts of the message, and it scans any MIME part that is textual.
AsyncOS identifies the text parts if the MIME type specifies text in the first part. AsyncOS determines
the encoding based on the encoding specified in the message, and it converts the text to Unicode. It then
searches for the regular expression in Unicode space. If no encoding is specified in the message,
AsyncOS uses the encoding you specify in the
AsyncOS identifies the text parts if the MIME type specifies text in the first part. AsyncOS determines
the encoding based on the encoding specified in the message, and it converts the text to Unicode. It then
searches for the regular expression in Unicode space. If no encoding is specified in the message,
AsyncOS uses the encoding you specify in the
scanconfig
command.
For more information about how AsyncOS evaluates MIME parts when scanning messages, see
.
If the MIME part is not textual, AsyncOS extract files from a .zip or .tar archive or decompresses
compressed files. After extracting the data, a scanning engine identifies the encoding for the file and
returns the data from the file in Unicode. AsyncOS then searches for the regular expression in Unicode
space.
compressed files. After extracting the data, a scanning engine identifies the encoding for the file and
returns the data from the file in Unicode. AsyncOS then searches for the regular expression in Unicode
space.
count: if (addr-count("To", "Cc") > 30) {
strip-header("To");
strip-header("Cc");
insert-header("To", "undisclosed-recipients");
}