$To
|
Replaced by the message To: header (not the Envelope
Recipient).
|
$From
|
Replaced by the message From: header (not the Envelope Sender).
|
$Subject
|
Replaced by the subject of the original message.
|
$Date
|
Replaced by the current date, using the format MM/DD/YYYY.
|
$Time
|
Replaced by the current time, in the local time zone.
|
$GMTimestamp
|
Replaced by the current time and date, as would be found in the
Received: line of an email message, using GMT.
|
$MID
|
Replaced by the Message ID, or “MID” used internally to
identify the message. Not to be confused with the RFC822 “Message-Id” value
(use $Header to retrieve that).
|
$Group
|
Replaced by the name of the sender group the sender matched on
when injecting the message. If the sender group had no name, the string
“>Unknown<” is inserted.
|
$Policy
|
Replaced by the name of the HAT policy applied to the sender
when injecting the message. If no predefined policy name was used, the string
“>Unknown<” is inserted.
|
$Reputation
|
Replaced by the SenderBase Reputation score of the sender. If
there is no reputation score, it is replaced with “None”.
|
$filenames
|
Replaced with a comma-separated list of the message’s
attachments’ filenames.
|
$filetypes
|
Replaced with a comma-separated list of the message's
attachments' file types.
|
$filesizes
|
Replaced with a comma-separated list of the message’s
attachment’s file sizes.
|
$remotehost
|
Replaced by the hostname of the system that sent the message to
the Email Security appliance.
|
$AllHeaders
|
Replaced by the message headers.
|
$EnvelopeFrom
|
Replaced by the Envelope Sender (Envelope From, <MAIL
FROM>) of the message.
|
$Hostname
|
Replaced by the hostname of the Email Security appliance.
|
$header[‘string ’]
|
Replaced by the value of the quoted header, if the original
message contains a matching header. Note that double quotes may also be used.
|
$enveloperecipients
|
Replaced by all Envelope Recipients (Envelope To, <RCPT
TO>) of the message.
|
$bodysize
|
Replaced by the size, in bytes, of the message.
|
$FilterName
|
Returns the name of the filter being processed.
|
$MatchedContent
|
Returns the content that triggered a scanning filter rule
(including filter rules such as body-contains and content dictionaries).
|
$DLPPolicy
|
Replaced by the name of the email DLP policy violated.
|
$DLPSeverity
|
Replaced by the severity of violation. Can be “Low,” “Medium,”
“High,” or “Critical.”
|
$DLPRiskFactor
|
Replaced by the risk factor of the message’s sensitive material
(score 0 - 100).
|
$threat_category
|
Replaced with the type of Outbreak Filters threat, such as
phishing, virus, scam, or malware.
|
$threat_type
|
Replaced by a subcategory of the Outbreak Filters threat
category. For example, can be a charity scam, a financial phishing attempt, a
fake deal, etc.
|
$threat_description
|
Replaced by a description of the Outbreak Filters threat.
|
$threat_level
|
Replaced by the message’s threat level (score 0 - 5).
|
$threat_verdict
|
Replaced by Yes or No, depending on the Message Modification
Threat Level threshold. If the viral or non-viral threat level of a message is
greater than or equal to the message modification threat level threshold, the
value of this variable is set to Yes.
|