This document describes the differences between the body-contains and attachment-contains filter rules on the Cisco Email Security Appliance (ESA).
What are the differences between the body-contains and attachment-contains filter rules?
Both the body-contains and the attachment-contains filter rules scan the content of a message; however, there are some differences.
The body-contains() filter rule scans the inbound email and all of its attachments for a particular pattern that is defined by its parameter. Unlike the other rules, it only operates in a unary form.
The scanning logic can be modified with the scanconfig command in the CLI in order to define the MIME types that should or should not be scanned. By default, the system scans all of the attachments except for those with a MIME type of video/*, audio/*, image/*, or anything that appears to be a PDF file.
The system scans the archive attachments, such as .zip or .gzip attachments that contain multiple files. You can set the number of nested, archived attachments to scan, such as a .zip that is contained within a .zip.
The attachment-contains filter rule is similar to the body-contains(), but it attempts to avoid scanning the entire body of the message. That is, it attempts to scan only that part that the user would view as being an attachment.