Cisco Cisco Email Security Appliance C170 Guia Do Utilizador
6-70
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 6 Using Message Filters to Enforce Email Policies
message had a zip attachment that contained a JPEG image, the log entry would contain the name of the
zip file rather than the name of the JPEG. Also, if the zip file included multiple images then the log entry
would include the maximum score of all the images. The unscannable notation indicates whether any of
the images were unscannable.
zip file rather than the name of the JPEG. Also, if the zip file included multiple images then the log entry
would include the maximum score of all the images. The unscannable notation indicates whether any of
the images were unscannable.
The log does not contain information about how the scores translate to a particular verdict (clean, suspect
or inappropriate). However, because you can use mail logs to track the delivery of specific messages,
you can determine by the actions performed on the messages whether the mail contained inappropriate
or suspect images.
or inappropriate). However, because you can use mail logs to track the delivery of specific messages,
you can determine by the actions performed on the messages whether the mail contained inappropriate
or suspect images.
For example, the following mail log shows attachments dropped by message filter rules as a result of
Image Analysis scanning:
Image Analysis scanning:
Using the Image Analysis Message Filter
Once you enable image analysis, you must create a message filter to perform different actions for
different message verdicts. For example, you may wish to deliver messages with a clean verdict, but
quarantine messages that are determined to have inappropriate content.
different message verdicts. For example, you may wish to deliver messages with a clean verdict, but
quarantine messages that are determined to have inappropriate content.
Note
Cisco recommends you do not drop or bounce messages with inappropriate or suspect verdicts. Instead,
send copies of violations to a quarantine for later review and better understanding of trend analysis.
send copies of violations to a quarantine for later review and better understanding of trend analysis.
The following filter shows messages tagged if the content is inappropriate or suspect:
Thu Apr 3 08:17:56 2009 Debug: MID 154 IronPort Image Analysis: image 'Unscannable.jpg'
is unscannable.
Thu Apr 3 08:17:56 2009 Info: MID 154 IronPort Image Analysis: attachment
'Unscannable.jpg' score 0 unscannable
Thu Apr 3 08:17:56 2009 Info: MID 6 rewritten to MID 7 by
drop-attachments-where-image-verdict filter 'f-001'
Thu Apr 3 08:17:56 2009 Info: Message finished MID 6 done
image_analysis: if image-verdict == "inappropriate" {
strip-header("Subject");
insert-header("Subject", "[inappropriate image] $Subject");
}
else {
if image-verdict == "suspect" {
strip-header("Subject");
insert-header("Subject", "[suspect image] $Subject");