Cisco Cisco Email Security Appliance C170 Guia Do Utilizador

Because the Cisco appliance makes this distinction between the body and the attachment in multipart 
messages, there are several cases you should be aware of when using the 

body-

variable or 

attachment-

variable message filter rules in order to achieve the expected behavior:

If you have a message with a single text part—that is, a message containing a header of 
“Content-Type: text/plain” or “Content-Type: text/html” — the Cisco appliance will consider the 
entire message as the body. If the content type is anything different, the Cisco appliance considers 
it to be a single attachment.

Some encoded files (uuencoded, for example) are included in the body of the email message. When 
this occurs, the encoded file is treated as an attachment, and it is extracted and scanned, while the 
remaining text is considered to be the body of the text. 

A single, non-text part is always considered an attachment. For example, a message consisting of 
only a.zip file is considered an attachment.

When you add filter rules that search for patterns in the message body or attachments, you can specify 
the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the 
message, it totals the “score” for the number of matches it finds in the message and attachments. If the 
minimum threshold is not met, the regular expression does not evaluate to true. You can specify this 
threshold for the following filter rules:

body-contains

only-body-contains

attachment-contains

every-attachment-contains

dictionary-match

attachment-dictionary-match

You can also specify a threshold value for the 

drop-attachments-where-contains

 action.

You cannot specify thresholds for filter rules that scan headers or envelope recipients and senders.