Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
9-16
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
Using Regular Expressions to Filter Messages
You can use filters to search for strings and patterns in non-ASCII encoded message content (both
headers and bodies). Specifically, the system supports regular expression (regex) searching for
non-ASCII character sets within:
headers and bodies). Specifically, the system supports regular expression (regex) searching for
non-ASCII character sets within:
•
Message headers
•
MIME attachment filename strings
•
Message body:
–
Bodies without MIME headers (i.e. traditional email)
Asterisk (
*
) directive
Rules containing an asterisk (
*
) match “zero or more matches of the
previous directive.” In particular, the sequence of a period and an
asterisk (
asterisk (
.*
) matches any sequence of characters (not containing a new
line).
For example, the regular expression
^P.*Piper$
matches all of these
strings:
PPiper
,
Peter Piper
,
P.Piper
,
and
Penelope Penny Piper
.
Backslash special characters (
\
)
The backslash character escapes special characters. Thus the sequence
\.
only matches a literal period, the sequence
\$
only matches a literal
dollar sign, and the sequence
\^
only matches a literal caret symbol.
For example, the regular expression
^ik\.ac\.uk$
only matches the
string
ik.ac.uk
.
Important Note: The backslash is also a special escape character for
the parser. As a result, if you want to include backslash in your regular
expression, you must use two backslashes — so that after parsing, only
one “real” backslash remains, which is then passed to the regular
expression system. So, if you wanted to match the example domain
above, you would enter
the parser. As a result, if you want to include backslash in your regular
expression, you must use two backslashes — so that after parsing, only
one “real” backslash remains, which is then passed to the regular
expression system. So, if you wanted to match the example domain
above, you would enter
^ik\\.ac\\.uk$
.
Case-insensitivity (
(?i)
)
The token
(?i)
that indicates the rest of the regular expression should
be treated in case-insensitive mode. Placing this token at the beginning
of a case-sensitive regular expression results in a completely
insensitive match.
of a case-sensitive regular expression results in a completely
insensitive match.
For example, the regular expression “
(?i)viagra
” matches
Viagra
,
vIaGrA
, and
VIAGRA
.
Number of repetitions
{min,max}
The regular expression notation that indicates the number of repetitions
of the previous token is supported.
of the previous token is supported.
For example, the expression “
fo{2,3}
” matches
foo
and
fooo
but not
fo
or
fofo
.
This statement:
if(header('To') == "^.{500,}")
looks for a “To”
header that has 500 or more characters in it.
Or (
|
)
Alternation, or the “or” operator. If A and B are regular expressions, the
expression “
expression “
A|B
” will match any string that matches either “A” or “B.”
For example, the expression “
foo|bar
” will match either
foo
or
bar
,
but not
foobar
.
Table 9-3
Regular Expression in Rules