
Cisco Email Security Appliance

How do I write more efficient message filters?

Document ID: 117886

Updated: Jul 08, 2014

Contributed by Tomki Camp and Enrico Werner, Cisco TAC Engineers.


Question

How do I write more efficient message filters?

As message filters get longer, they can affect the performance characteristics of your ESA. For small numbers of filters or short filters, efficiency is not a significant concern. However, when constructing longer filters or if your implementation has many filters, you should be mindful of the relative efficiency of certain operations.

When messages pass through the message pipeline, all message filters are combined into a single expression that is evaluated as a unit against each message, in the order the filters appear in the list. Because a final action ends processing for that message, the ordering of filters is very important: an early filter that fires can short-circuit evaluation of everything after it. For example, if you have a number of filters that apply to messages, but one filter applies very frequently and ends with a final action such as deliver(), bounce(), or drop(), that filter should be moved as early in the list as possible so that the remaining filters are not evaluated for those messages.

Although the ESA is very efficient in its processing of regular expressions, you can misuse the regular expression engine in a way that causes additional, unnecessary processing. Each evaluation of a regular expression carries roughly the same overhead regardless of how simple the pattern is, so reducing the number of expressions you evaluate yields greater efficiency than simplifying each one. For example, in the following filter, the regular expression in each "drop-attachments-by-name" action is evaluated individually, so the attachment name is compared against a pattern 7 times per attachment:

strip_all_dangerous: if (true) {
    drop-attachments-by-name('(?i)\\.pif$');
    drop-attachments-by-name('(?i)\\.exe$');
    drop-attachments-by-name('(?i)\\.scr$');
    drop-attachments-by-name('(?i)\\.msi$');
    drop-attachments-by-name('(?i)\\.java$');
    drop-attachments-by-name('(?i)\\.dll$');
    drop-attachments-by-name('(?i)\\.com$');
}

The following filter produces the same result, but it is much more efficient because it causes only a single regular expression evaluation per attachment:

strip_all_dangerous: if (true) {
    drop-attachments-by-name('(?i)\\.(pif|exe|scr|msi|java|dll|com)$');
}

Although the second regular expression is more complex than any of the seven in the first filter, it is much more efficient to evaluate one complex regular expression than seven simple ones.

However, this technique must be balanced against the cost of maintaining such a filter. A long alternation is harder to read and to change safely than a list of single-purpose actions, and a small slip while merging patterns changes what is matched: dropping the grouping parentheses lets the alternation swallow the leading "\\." and the trailing "$", and dropping the "$" anchor matches the extension anywhere in the name. Before deploying a combined expression, verify that it accepts and rejects the same attachment names as the rules it replaces.
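The following Python script is an added example, not part of the original Cisco article or of AsyncOS itself. It models the two filters above over a constructed list of attachment names, counts how many regular expression evaluations each filter performs, and checks that the single alternation drops exactly the same attachments as the seven separate actions. It assumes that drop-attachments-by-name applies its pattern with unanchored search semantics (which is why the original patterns carry a trailing "$") and that the doubled backslash in the filter's single-quoted string reaches the regex engine as a single "\.", so the patterns are written here as Python raw strings. The two mis-written patterns at the end are constructed for illustration only.

```python
import re

# The seven single-pattern rules from the first filter, as Python raw strings.
# Assumption: the filter literal '(?i)\\.pif$' reaches the regex engine as
# (?i)\.pif$, so a raw string with a single backslash is the same pattern.
SEPARATE_PATTERNS = [
    r"(?i)\.pif$", r"(?i)\.exe$", r"(?i)\.scr$", r"(?i)\.msi$",
    r"(?i)\.java$", r"(?i)\.dll$", r"(?i)\.com$",
]

# The equivalent single alternation from the second filter.
COMBINED_PATTERN = r"(?i)\.(pif|exe|scr|msi|java|dll|com)$"

# Two tempting but wrong rewrites (constructed for illustration, not from the
# article): without the group, the alternation swallows the \. and the $;
# without the $, the extension matches anywhere in the name.
BAD_NO_GROUP = r"(?i)\.pif|exe|scr|msi|java|dll|com$"
BAD_NO_ANCHOR = r"(?i)\.(pif|exe|scr|msi|java|dll|com)"


def matches(pattern, name):
    """True if the attachment name matches the rule. Assumption: the ESA
    applies the pattern with unanchored search semantics, like re.search."""
    return re.search(pattern, name) is not None


class EvalCounter:
    """Counts regular expression evaluations so the two filters can be compared."""

    def __init__(self):
        self.count = 0

    def search(self, pattern, name):
        self.count += 1
        return re.search(pattern, name) is not None


def apply_separate_rules(attachments, counter):
    """Model of the seven-action filter: every action runs, and each one scans
    the attachments that are still present and drops the ones it matches."""
    remaining = list(attachments)
    for pattern in SEPARATE_PATTERNS:
        remaining = [a for a in remaining if not counter.search(pattern, a)]
    return remaining


def apply_combined_rule(attachments, counter):
    """Model of the single-action filter: one scan with the alternation."""
    return [a for a in attachments if not counter.search(COMBINED_PATTERN, a)]


def compare(attachments):
    """Run both filters over the same attachment list and return
    (kept_by_separate, kept_by_combined, evals_separate, evals_combined)."""
    c1, c2 = EvalCounter(), EvalCounter()
    kept1 = apply_separate_rules(attachments, c1)
    kept2 = apply_combined_rule(attachments, c2)
    return kept1, kept2, c1.count, c2.count


# Constructed sample attachment names, chosen to include the edge cases that
# separate a correct rewrite from an over- or under-matching one.
SAMPLE_ATTACHMENTS = [
    "setup.EXE",        # case-insensitive match, must be dropped
    "report.pdf.exe",   # double extension ending in .exe, must be dropped
    "readme.exe.txt",   # dangerous extension in the middle, must be kept
    "annexe",           # ends in "exe" with no dot, must be kept
    "Main.java",        # must be dropped
    "quarterly.pdf",    # must be kept
    "notes.docx",       # must be kept
]


def main():
    kept1, kept2, n1, n2 = compare(SAMPLE_ATTACHMENTS)
    print("kept by seven actions:", kept1, "evaluations:", n1)
    print("kept by single action:", kept2, "evaluations:", n2)
    print("same result:", kept1 == kept2)
    for bad in (BAD_NO_GROUP, BAD_NO_ANCHOR):
        kept_bad = [a for a in SAMPLE_ATTACHMENTS if not matches(bad, a)]
        print("mis-written pattern", repr(bad), "keeps:", kept_bad)


if __name__ == "__main__":
    main()
```

Run it before and after editing a production filter: the evaluation counts show the cost difference the article describes (the seven-action form evaluates a pattern once per action per attachment still present, the single-action form once per attachment), and the kept lists show whether the rewrite is actually equivalent. Extend SAMPLE_ATTACHMENTS with names taken from your own message logs rather than relying on the constructed ones.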
