Cisco Email Security Appliance C170 User Guide

User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
 
Chapter 9      Using Message Filters to Enforce Email Policies
  Message Filter Rules
If an attachment is an archive, the Cisco appliance will harvest the filenames from inside the archive, and apply scan configuration rules (see ) accordingly.
If the attachment is a single compressed file (despite the file extension), it is not considered an archive and the filename of the compressed file is not harvested. This means that the file is not processed by the attachment-filename rule. An example of this type of file is an executable file (.exe) compressed with gzip.
For attachments consisting of a single compressed file, such as foo.exe.gz, use a regular expression to search for specific file types within compressed files. See .
See  for more information on message filter rules you can use to manipulate attachments to messages.
The following filter checks all email sent through the listener, and if a message contains an attachment with a filename *.mp3, the message is bounced:
block_mp3s:
   if (attachment-filename == '(?i)\\.mp3$') {
        bounce();
   }
Related Topics
Attachment Filenames and Single Compressed Files within Archive Files
This example shows how to match single compressed files in archives such as those created by gzip:
quarantine_gzipped_exe_or_pif:
   if (attachment-filename == '(?i)\\.(exe|pif)($|\\.gz$)') {
        quarantine("Policy");
   }
DNS List Rule
The dnslist() rule queries a public DNS List server that uses the DNSBL method (sometimes called “ip4r lookups”) of querying. The IP address of the incoming connection is reversed (so an IP of 1.2.3.4 becomes 4.3.2.1) and then added as a prefix to the server name in the parentheses (a period is added to separate the two if the server name does not start with one). A DNS query is made, and the system receives either a DNS failure response (indicating that the connection's IP address was not found in the server's list) or an IP address (indicating that the address was found). The IP address returned is usually of the form 127.0.0.x, where x can be almost any number from 0 to 255 (IP address ranges are not allowed). Some servers return different numbers based on the reason for the listing, while others return the same result for all matches.
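The query construction and response handling described for the dnslist() rule above, as an added Python example (not Cisco's code and not part of the original guide). The function names, the server name dnsbl.example.test and the sample zone are assumptions made for illustration.

```python
import ipaddress
import socket


def dnsbl_query_name(client_ip, server):
    """Reverse the IPv4 octets and prefix them to the DNS list server name."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")  # rejects bad input
    reversed_ip = ".".join(reversed(octets))
    # A separating period is added only when the server name lacks a leading one.
    sep = "" if server.startswith(".") else "."
    return reversed_ip + sep + server


def system_resolver(name):
    """Return the A record as a string, or None on a DNS failure response."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(client_ip, server, resolve=system_resolver):
    """Return (listed, code); code is x from a 127.0.0.x answer, else None."""
    answer = resolve(dnsbl_query_name(client_ip, server))
    if answer is None:
        return (False, None)  # DNS failure: address not found in the list
    addr = ipaddress.IPv4Address(answer)
    # Any returned address counts as "found"; a code is only reported
    # when the answer has the usual 127.0.0.x form.
    if addr in ipaddress.IPv4Network("127.0.0.0/24"):
        return (True, int(addr) & 0xFF)
    return (True, None)


# Constructed sample zone standing in for a DNS list server (not real data).
SAMPLE_ZONE = {"4.3.2.1.dnsbl.example.test": "127.0.0.2"}


def sample_resolver(name):
    """Offline resolver backed by the constructed sample zone."""
    return SAMPLE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "192.0.2.10"):
        print(ip, dnsbl_lookup(ip, "dnsbl.example.test", sample_resolver))
```

Passing no resolver makes dnsbl_lookup() use the system DNS resolver, which is useful for checking how a given list server answers before referencing it in a filter.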