
Cisco Email Security Appliance

ESA FAQ: What are the differences between the body-contains and attachment-contains filter rules on the ESA?

Document ID: 117856

Updated: Jun 26, 2014

Contributed by Tomki Camp and Enrico Werner, Cisco TAC Engineers.


Introduction

This document describes the differences between the body-contains and attachment-contains filter rules on the Cisco Email Security Appliance (ESA).

What are the differences between the body-contains and attachment-contains filter rules?

Both the body-contains and the attachment-contains filter rules scan the content of a message; however, there are some differences.  

body-contains

The body-contains() filter rule scans the inbound email and all of its attachments for a particular pattern that is defined by its parameter. Unlike the other rules, it only operates in a unary form.

The scanning logic can be modified with the scanconfig command in the CLI in order to define the MIME types that should or should not be scanned. By default, the system scans all of the attachments except for those with a MIME type of video/*, audio/*, image/*, or anything that appears to be a PDF file.

The system also scans archive attachments, such as .zip or .gzip attachments that contain multiple files. You can set how many levels of nested archives are scanned, such as a .zip that is contained within a .zip.

attachment-contains

The attachment-contains filter rule is similar to body-contains(), but it attempts to avoid scanning the entire body of the message. That is, it attempts to scan only the part of the message that the user would view as an attachment.
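The following Python sketch is an added illustration of the scope difference described in the two sections above; it is not Cisco code and does not reproduce the ESA scanning engine. It assumes that "attachment" means a MIME part with `Content-Disposition: attachment`, that the default MIME skip list applies to both rules, that only .zip archives are unpacked, and that the nesting limit is 2; the function names and the sample message are constructed for the example.

```python
import io, re, zipfile
from email.message import EmailMessage

SKIPPED = ("video", "audio", "image")  # default skip list stated on the page
MAX_DEPTH = 2  # constructed value for the nested-archive limit

def zip_of(name, data):
    """Build an in-memory .zip holding one member (sample-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, data)
    return buf.getvalue()

def texts(data, depth=0):
    """Yield scannable text from a part, descending into nested archives."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth < MAX_DEPTH:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for name in z.namelist():
                    yield from texts(z.read(name), depth + 1)
    elif not data.startswith(b"%PDF"):  # "anything that appears to be a PDF"
        yield data.decode("utf-8", "replace")

def parts(msg, attachments_only):
    for p in msg.walk():
        if p.is_multipart() or p.get_content_maintype() in SKIPPED:
            continue
        # Assumption: an "attachment" is a part with Content-Disposition: attachment.
        if attachments_only and p.get_content_disposition() != "attachment":
            continue
        yield p.get_payload(decode=True) or b""

def body_contains(msg, pattern):
    return any(re.search(pattern, t) for b in parts(msg, False) for t in texts(b))

def attachment_contains(msg, pattern):
    return any(re.search(pattern, t) for b in parts(msg, True) for t in texts(b))

def sample_message():
    """Constructed test message: body text plus text, zip and image attachments."""
    m = EmailMessage()
    m["Subject"] = "status"
    m.set_content("Project BLUEBIRD kickoff is on Monday.")
    m.add_attachment("Budget code REDFOX-77 was approved.", filename="notes.txt")
    m.add_attachment(zip_of("plan.txt", "Codename GREYWOLF, second draft."),
                     maintype="application", subtype="zip", filename="docs.zip")
    m.add_attachment(b"\x89PNG constructed bytes BLUEJAY",
                     maintype="image", subtype="png", filename="logo.png")
    return m
```

In this model a pattern that appears only in the message body matches `body_contains` but not `attachment_contains`, while a pattern inside a skipped MIME type matches neither, which is the gap to keep in mind when writing content filters.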
