(no
conditions)
|
Specifying
conditions in content filters is optional. If no conditions are specified, a
true rule is implied. The true rule matches all messages, and the actions are
always performed.
|
Message Body
or Attachments
|
Contains text:
Does the message body contain text or an attachment that matches a specific
pattern?
Contains smart identifier: Does content in the message body or attachment match a smart identifier?
- Credit card numbers
- U.S. Social Security numbers
- CUSIP (Committee on Uniform Security Identification Procedures) numbers
- ABA (American Banking Association) routing numbers
Contains term in content
dictionary: Does the message body contain any of the regular
expressions or terms in the content dictionary named <dictionary name> ?
For this
option to be enabled, the dictionary must already have been created. See
Content Dictionaries.
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
|
Number of matches
required. Specify the number of matches required for the rule to
evaluate to true. You can specify this threshold for text, smart identifiers,
or content dictionary terms.
This includes
delivery-status parts and associated attachments.
|
Message Body
|
Contains text:
Does the message body contain text that matches a specific pattern?
Contains smart
identifier: Does content in the message body match a smart
identifier? Smart identifiers can detect the following patterns:
-
Credit card numbers
-
U.S. Social Security numbers
-
CUSIP (Committee on Uniform Security Identification Procedures) numbers
-
ABA (American Banking Association) routing numbers
Contains term in content
dictionary: Does the message body contain any of the regular
expressions or terms in the content dictionary named <dictionary name> ?
For this
option to be enabled, the dictionary must already have been created. See
Content Dictionaries.
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
|
Number of matches
required. Specify the number of matches required for the rule to
evaluate to true. You can specify this threshold for text or smart identifiers.
This rule
applies to the body of the message only. It does not include attachments or
headers.
|
URL Category
|
See
Filtering by URL Reputation or URL Category: Conditions and Rules
and
About URL Categories.
|
Message Size
|
Is the body
size within a specified range? Body size refers to the size of the message,
including both headers and attachments. The body-size rule selects those
messages where the body size compares as directed to a specified number.
|
Macro
Detection
|
Does the
incoming or outgoing message contain macro-enabled attachments?
You can use
the Macro Detection condition to detect macro-enabled attachments in messages
for the selected file type(s).
|
Attachment
Content
|
Contains text.
Does the message contain an attachment that contains
text or another attachment that matches a specific pattern? This rule is
similar to the body-contains() rule, but it attempts to avoid scanning the
entire “body” of the message. That is, it attempts to scan only that which the
user would view as being an attachment.
Contains a smart
identifier. Does content in the message attachment match the
specified smart identifier?
Contains terms in content
dictionary. Does the attachment contain any of the regular
expressions or terms in the content dictionary named <dictionary name> ?
To search for
dictionary terms, the dictionary must already have been created. See
Content Dictionaries.
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
|
Number of matches
required. Specify the number of matches required for the rule to
evaluate to true. You can specify this threshold for text, smart identifier, or
content dictionary matches.
|
Attachment
File Info
|
Filename.
Does the message have an attachment with a filename
that matches a specific pattern?
Filename contains term in
content dictionary. Does the message have an attachment with a
filename that contains any of the regular expressions or terms in the content
dictionary named <dictionary name> ?
For this
option to be enabled, the dictionary must already have been created. See
Content Dictionaries.
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
|
File type. Does
the message have an attachment of a file type that matches a specific pattern
based on its fingerprint (similar to a UNIX file command)?
MIME type. Does the message have an attachment of a specific MIME type? This rule is similar to the attachment-type rule, except only
the MIME type given by the MIME attachment is evaluated. (The
email gateway does not try to “guess” the type of the file by its extension if there is no explicit type given.)
File Hash List. Does the message have an attachment that matches a specific file SHA-256 value? Select the required file hash list from the
drop-down list.
Note
|
You can only select a file hash list that contains the SHA-256 file hash type.
|
Image Analysis.
Does the message have an image attachment that
matches the image verdict specified? Valid image analysis verdicts include:
Suspect,
Inappropriate, Suspect or Inappropriate, Unscannable , or
Clean.
External Threat Feeds: Does the file match the threat information from the selected external threat feed source(s)?
Select a File Hash Exception List: (Optional) Select the list of allow listed file hashes that you do not want the
email gateway to detect for threats.
For more information, see Configuring Email Gateway to Consume External Threat Feeds.
Attachment is
Corrupt. Does this message have an attachment that is corrupt?
Note
|
A
corrupt attachment is an attachment that the scanning engine cannot scan and
identified as corrupt.
|
|
Attachment
Protection
|
Contains an attachment that
is password-protected or encrypted.
(For
example, use this condition to identify attachments that are potentially
unscannable.)
Contains an attachment that
is NOT password-protected or encrypted.
|
Subject
Header
|
Subject Header:
Does the subject header match a certain pattern?
Contains terms in content
dictionary: Does the subject header contain any of the regular
expressions or terms in the content dictionary <dictionary name> ?
To search
for dictionary terms, the dictionary must already have been created. See
Content Dictionaries.
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
|
|
Other
Header
|
Header name:
Does the message contain a specific header?
Header value:
Does the value of that header match a certain
pattern?
Header value contains terms
in the content dictionary. Does the specified header contain any of
the regular expressions or terms in the content dictionary named <dictionary name> ?
To search
for dictionary terms, the dictionary must already have been created. See
Content Dictionaries
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
|
For an
example showing how this option can be used, see
Using Custom Headers to Redirect URLs in Suspected Spam to the Cisco Web Security Proxy: Configuration Example.
|
Envelope
Sender
|
Envelope
Sender. Does the Envelope Sender (i.e., the Envelope From, <MAIL
FROM>) match a given pattern?
Matches LDAP
group. Is the Envelope Sender, i.e., the Envelope From, <MAIL
FROM>) in a given LDAP group?
Contains term in content
dictionary. Does the envelope sender contain any of the regular
expressions or terms in the content dictionary named <dictionary name> ?
To search
for dictionary terms, the dictionary must already have been created. See
Content Dictionaries.
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
|
|
Envelope
Recipient
|
Envelope
Recipient. Does the Envelope Recipient, (i.e. the Envelope To,
<RCPT TO>) match a given pattern?
Matches LDAP
group. Is the Envelope Recipient, (i.e. the Envelope To, <RCPT
TO>) in a given LDAP group?
Contains term in content
dictionary. Does the envelope recipient contain any of the regular
expressions or terms in the content dictionary named <dictionary name> ?
To search
for dictionary terms, the dictionary must already have been created. See
Content Dictionaries.
Note
|
The
dictionary-related conditions are only available if you have one or more
dictionaries enabled. For information about creating content dictionaries, see
Content Dictionaries.
The
Envelope Recipient rule is message-based. If a message has multiple recipients,
only one recipient has to be found in a group for the specified action to
affect the message to all recipients.
|
Is the
Envelope Sender (i.e., the Envelope From, <MAIL FROM>) in a given LDAP
group?
|
Receiving
Listener
|
Did the
message arrive via the named listener? The listener name must be the name of a
listener currently configured on the system.
|
Remote IP
|
Was the message sent from a remote host that matches a given IP address or IP block? The Remote IP rule tests to see if the
IP address of the host that sent that message matches a certain pattern. This can be an Internet Protocol version 4 (IPv4)
or version 6 (IPv6) address. The IP address pattern is specified using the allowed hosts notation described in Sender Group Syntax, except for the SBO, IPR, dnslist notations and the special keyword ALL.
|
Reputation
Score
|
What is the sender’s IP Reputation Score? The Reputation Score rule checks the IP Reputation Score against another value.
|
DKIM
Authentication
|
Did DKIM
authentication pass, partially verify, return temporarily unverifiable,
permanently fail, or were no DKIM results returned?
|
Forged
Email Detection
|
Is the
sender address of the message forged? The rule checks if the From: header in
the message is similar to any of the users in the content dictionary.
Select a
content dictionary and enter the threshold value (1 through 100) for
considering a message as potentially forged.
The Forged Email Detection condition compares the From: header with the users in the content dictionary. During this process,
depending on the similarity, the
email gateway assigns similarity score to each of the users in the dictionary. The following are some examples:
- If the From: header is <j0hn.sim0ns@example.com> and the content dictionary contains a user ‘John Simons,’ the
email gateway assigns a similarity score of 82 to the user.
- If the From: header is <john.simons@diff-example.com> and the content dictionary contains a user ‘John Simons,’ the
email gateway assigns a similarity score of 100 to the user.
The higher
the similarity score, the higher the probability that the message is forged. If
the similarity score is greater than or equal to the specified threshold value,
the filter action is triggered.
If you want to skip the Forged email detection filter for messages from specific senders, choose the address list from the
Exception List drop-down list.
For more
information, see
Forged Email Detection.
|
SPF
Verification
|
What was
the SPF verification status? This filter rule allows you to query for different
SPF verification results. For more information about SPF verification, see the
“Email Authentication” chapter.
Note
|
If you
have configured an SPF verification content filter condition without an SPF
identity and if a message contains different SPF identities with different
verdicts, the condition is triggered if one of the verdicts in the message
matches the condition.
|
|
S/MIME
Gateway Message
|
Is the
message S/MIME signed, encrypted, or signed and encrypted? For more
information, see
S/MIME Security Services
|
S/MIME
Gateway Verified
|
Is the
S/MIME message successfully verified, decrypted, or decrypted and verified? For
more information, see
S/MIME Security Services
|
Message
Language
|
Is the
message (subject and body) in one of the selected languages? This condition
will not check for the language in attachments and headers.
How does language detection
work?
The
email gateway uses the built-in language detection engine to detect the language in a message. The email gateway extracts the subject and the message body and passes it to the language detection engine.
The language detection engine determines the probability of each language in the extracted text and passes it back to the
email gateway. The
email gateway considers the language with the highest probability as the language of the message. The
email gateway considers the language of the message as ‘undetermined’ in one of the following scenarios:
- If the detected language is not supported by
email gateway
- If the
email gateway is unable to detect the language of the message
- If the total size of the
extracted text sent to the language detection engine is less than 50 bytes.
|
Duplicate
Boundaries Verification
|
Does the
message contain duplicate MIME boundaries?
If you want
to take actions on messages that contain duplicate MIME boundaries, use this
condition.
Note
|
Attachment-based conditions (for example, Attachment Content) or actions (for
example, Strip Attachment by Content) will not work on malformed messages (with
duplicate MIME boundaries).
|
|
Geolocation
|
Does the message originate from the selected countries?
You can use the Geolocation condition to handle incoming messages from particular countries that you select.
Note
|
Enable the Anti-Spam engine on your
email gateway before you use the Geolocation content filter.
|
|
Domain Reputation
|
Does the sender domain match the specified criteria?
-
Sender Domain Reputation
-
External Threat Feeds
For more information, see Configuring Email Gateway to Consume External Threat Feeds or Sender Domain Reputation Filtering
|