Cisco Email Security Appliance C170 User Guide

Chapter 6      Using Message Filters to Enforce Email Policies
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Threshold Scoring for Message Bodies and Attachments
An email message may be composed of multiple parts. When you specify
threshold values for filter rules that search for patterns in the message body or
attachments, AsyncOS counts the number of matches in the message parts and
attachments to determine the threshold "score." Unless the message filter
targets a specific MIME part (such as the attachment-contains filter rule),
AsyncOS totals the matches found in all parts of the message to determine
whether the total meets the threshold value. For example, you have a
body-contains message filter with a threshold of 2. You receive a message in
which the body contains one match, and the attachment contains one match. When
AsyncOS scores this message, it totals the two matches and determines that the
threshold score has been met.
Similarly, if you have multiple attachments, AsyncOS totals the scores for each
attachment to determine the score for matches. For example, you have an
attachment-contains filter rule with a threshold of 3. You receive a message
with two attachments, and each attachment contains two matches. AsyncOS
would score this message with four matches and determine that the threshold
score has been met.
Threshold Scoring Multipart/Alternative MIME Parts
To avoid duplicate counting, if there are two representatives of the same content 
(plain text and HTML), AsyncOS does not total the matches from the duplicate 
parts. Instead, it compares the matches in each part and selects the highest value. 
AsyncOS would then add this value to the scores from other parts of the multipart 
message to create a total score. 
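The scoring rule described above, modeled as an added Python example (not code from AsyncOS or from this guide). The sample message, the search pattern "Falcon" and the function names are constructed for illustration, and the model only counts matches in text parts.

```python
import re
from email.message import EmailMessage

PATTERN = re.compile(r"Falcon")   # constructed search pattern
THRESHOLD = 4                     # constructed threshold for the filter rule

def score(part, pattern):
    """Total matches across parts, but for multipart/alternative keep only
    the highest-scoring representation (plain text vs. HTML)."""
    if part.is_multipart():
        child_scores = [score(child, pattern) for child in part.get_payload()]
        if part.get_content_type() == "multipart/alternative":
            return max(child_scores, default=0)
        return sum(child_scores)
    raw = part.get_payload(decode=True) or b""
    text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return len(pattern.findall(text))

def naive_score(msg, pattern):
    """Sum every leaf part, double counting the plain-text/HTML duplicates."""
    return sum(score(p, pattern) for p in msg.walk() if not p.is_multipart())

def build_sample():
    """Constructed message: multipart/mixed holding multipart/alternative
    (text/plain + text/html) and two text attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Falcon budget; Falcon ships Friday.")            # 2 matches
    msg.add_alternative("<p>Falcon budget; <b>Falcon</b> ships Friday.</p>",
                        subtype="html")                               # 2 matches
    msg.add_attachment("Falcon notes", filename="notes.txt")          # 1 match
    msg.add_attachment("agenda only", filename="agenda.txt")          # 0 matches
    return msg

def threshold_met(msg, pattern=PATTERN, threshold=THRESHOLD):
    return score(msg, pattern) >= threshold

if __name__ == "__main__":
    sample = build_sample()
    print("deduplicated score:", score(sample, PATTERN))
    print("naive score:       ", naive_score(sample, PATTERN))
    print("threshold met:     ", threshold_met(sample))
```

With duplicate parts collapsed, the constructed message stays below the threshold; summing every part would have pushed it over, which is the false positive the rule is meant to avoid.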
For example, you configure a body-contains filter rule and set the threshold to 4.
You then receive a message that contains plain text, HTML, and two
attachments. The message would use the following structure:
multipart/mixed
        multipart/alternative
                text/plain
                text/html