Subject Header
|
subject
|
Does the subject header match a certain pattern? See Subject Rule.
|
Body Size
|
body-size
|
Is the body size within some range? See Body Size Rule.
|
Envelope Sender
|
mail-from
|
Does the Envelope Sender (i.e., the Envelope From, <MAIL FROM>) match a given pattern? See Envelope Sender Rule.
|
Envelope Sender in Group
|
mail-from-group
|
Is the Envelope Sender (i.e., the Envelope From, <MAIL FROM>) in a given LDAP group? See Envelope Sender in Group Rule.
|
Sender Group
|
sendergroup
|
Which sender group was matched in a listener's Host Access Table (HAT)? See Sender Group Rule.
|
Envelope Recipient
|
rcpt-to
|
Does the Envelope Recipient (i.e., the Envelope To, <RCPT TO>) match a given pattern? See Envelope Recipient Rule.
Note: The rcpt-to rule is message-based. If a message has multiple recipients, only one recipient has to match the rule for the specified action to affect the message to all recipients.
|
Envelope Recipient in Group
|
rcpt-to-group
|
Is the Envelope Recipient (i.e., the Envelope To, <RCPT TO>) in a given LDAP group? See Envelope Recipient in Group Rule.
Note: The rcpt-to-group rule is message-based. If a message has multiple recipients, only one recipient has to be found in a group for the specified action to affect the message to all recipients.
|
Remote IP
|
remote-ip
|
Was the message sent from a remote host that matches a given IP address or IP block? See Remote IP Rule.
|
Receiving Interface
|
recv-int
|
Did the message arrive via the named receiving interface? See Receiving IP Interface Rule.
|
Receiving Listener
|
recv-listener
|
Did the message arrive via the named listener? See Receiving Listener Rule.
|
Date
|
date
|
Is the current time before or after a specific time and date? See Date Rule.
|
Header
|
header(<string>)
|
Does the message contain a specific header? Does the value of that header match a certain pattern? See Header Rule.
|
Random
|
random(<integer>)
|
Is a random number in some range? See Random Rule.
|
Recipient Count
|
rcpt-count
|
How many recipients is this email going to? See Recipient Count Rule.
|
Address Count
|
addr-count()
|
What is the cumulative number of recipients?
This filter differs from the rcpt-count filter rule in that it operates on the message body headers instead of the envelope
recipients. See Address Count Rule.
|
SPF Status
|
spf-status
|
What was the SPF verification status? This filter rule allows you to query for different SPF verification results. You can
enter a different action for each valid SPF/SIDF return value. See SPF-Status Rule.
|
SPF Passed
|
spf-passed
|
Did the SPF/SIDF verification pass? This filter rule generalizes the SPF/SIDF results as a Boolean value. See SPF-Passed Rule.
|
S/MIME Gateway Message
|
smime-gateway
|
Is the message S/MIME signed, encrypted, or signed and encrypted? See S/MIME Gateway Message Rule.
|
S/MIME Gateway Verified
|
smime-gateway-verified
|
Is the S/MIME message successfully verified, decrypted, or decrypted and verified? See S/MIME Gateway Verified Rule.
|
Image verdict
|
image-verdict
|
What was the image scanning verdict? This filter rule allows you to query for different image analysis verdicts. See Image Analysis.
|
Workqueue count
|
workqueue-count
|
Is the work queue count equal to, less than, or greater than the specified value? See Workqueue-count Rule.
|
Body Scanning
|
body-contains(<regular expression>)
|
Does the message contain text or an attachment that matches a specified pattern? Does the pattern occur the minimum number
of times you specified for the threshold value?
The engine scans delivery-status parts and associated attachments.
See Body Scanning.
|
Body Scanning
|
only-body-contains(<regular expression>)
|
Does the message body contain text that matches a specified pattern? Does the pattern occur the minimum number of times you
specified for the threshold value? Attachments are not scanned. See Body Scanning Rule.
|
Encryption Detection
|
encrypted
|
Is the message encrypted? See Encryption Detection Rule.
|
Attachment Filename
|
attachment-filename
|
Does the message contain an attachment with a filename that matches a specific pattern? See Attachment Filename Rule.
|
Attachment Type
|
attachment-type
|
Does the message contain an attachment of a particular MIME type? See Attachment Type Rule.
|
Attachment File Type
|
attachment-filetype
|
Does the message contain an attachment of a file type that matches a specific pattern based on its fingerprint (similar to a UNIX file command)? If the attachment is an Excel or Word document, you can also search for the following embedded file types: .exe, .dll, .bmp, .tiff, .pcx, .gif, .jpeg, .png, and Photoshop images.
You must enclose the file type in quotes to create a valid filter. You can use single or double quotes. For example, to search
for .exe attachments, use the following syntax:
if (attachment-filetype == "exe")
For more information, see Attachment Filenames and Single Compressed Files within Archive Files.
|
Attachment MIME Type
|
attachment-mimetype
|
Does the message contain an attachment of a specific MIME type? This rule is similar to the attachment-type rule, except only the MIME type given by the MIME attachment is evaluated. (The appliance
does not try to “guess” the type of the file by its extension if there is no explicit type given.) See Examples of Attachment Scanning Message Filters.
|
Attachment Protected
|
attachment-protected
|
Does the message contain an attachment that is password protected? See Quarantining Protected Attachments.
|
Attachment Unprotected
|
attachment-unprotected
|
The attachment-unprotected filter condition returns true if the scanning engine detects an attachment that is unprotected.
A file is considered unprotected if the scanning engine was able to read the attachment. A zip file is considered to be unprotected
if any of its members is unprotected.
Note — The attachment-unprotected filter condition is not mutually exclusive of the attachment-protected filter condition. It is
possible for both filter conditions to return true when scanning the same attachment. This can occur, for example, if a zip
file contains both protected and unprotected members.
See Detecting Unprotected Attachments.
|
Attachment Scanning
|
attachment-contains(<regular expression>)
|
Does the message contain an attachment that contains text or another attachment that matches a specific pattern? Does the
pattern occur the minimum number of times you specified for the threshold value?
This rule is similar to the body-contains() rule, but it attempts to avoid scanning the entire “body” of the message. That is, it attempts to scan only that which the
user would view as being an attachment. See Examples of Attachment Scanning Message Filters.
|
Attachment Scanning
|
attachment-binary-contains(<regular expression>)
|
Does the message contain an attachment with binary data that matches a specific pattern?
This rule is like the attachment-contains() rule, but it searches specifically for patterns in the binary data.
|
Attachment Scanning
|
every-attachment-contains(<regular expression>)
|
Do all of the attachments in this message contain text that matches a specific pattern? The text must exist in all attachments and the action performed is, in effect, a logical AND operation of an 'attachment-contains()' for each attachment. The body is not scanned. Does the pattern occur the minimum number of times you specified for the threshold value?
See Examples of Attachment Scanning Message Filters.
|
Attachment Size
|
attachment-size
|
Does the message contain an attachment whose size is within some range? This rule is similar to the body-size rule, but it attempts to avoid scanning the entire “body” of the message. That is, it attempts to scan only that which the
user would view as being an attachment. The size is evaluated prior to any decoding. See Examples of Attachment Scanning Message Filters.
|
Public Blocked lists
|
dnslist(<query server>)
|
Does the sender’s IP address appear on a public blocked list server (RBL)? See DNS List Rule.
|
IP Reputation
|
reputation
|
What is the sender’s IP Reputation Score? See IP Reputation Rule.
|
No IP Reputation
|
no-reputation
|
Used to test if IP Reputation Score is “None.” See IP Reputation Rule.
|
Dictionary
|
dictionary-match(<dictionary_name>)
|
Does the message body contain any of the regular expressions or terms in the content dictionary named dictionary_name? Does the pattern occur the minimum number of times you specified for the threshold value? See Dictionary Rules.
|
Attachment Dictionary Match
|
attachment-dictionary-match(<dictionary_name>)
|
Does the attachment contain any of the regular expressions in the content dictionary named dictionary_name? Does the pattern occur the minimum number of times you specified for the threshold value? See Dictionary Rules.
|
Subject Dictionary Match
|
subject-dictionary-match(<dictionary_name>)
|
Does the Subject header contain any of the regular expressions or terms in the content dictionary named dictionary_name? See Dictionary Rules.
|
Header Dictionary Match
|
header-dictionary-match(<dictionary_name>, <header>)
|
Does the specified header (case insensitive) contain any of the regular expressions or terms in the content dictionary named dictionary_name? See Dictionary Rules.
|
Body Dictionary Match
|
body-dictionary-match(<dictionary_name>)
|
This filter condition returns true if the dictionary term matches content in the body of the message only. The filter searches for terms within the MIME parts not considered to be an attachment, and it returns true if the user-defined threshold is met (the default threshold value is one). See Dictionary Rules.
|
Envelope Recipient Dictionary Match
|
rcpt-to-dictionary-match(<dictionary_name>)
|
Does the envelope recipient contain any of the regular expressions or terms in the content dictionary named dictionary_name? See Dictionary Rules.
|
Envelope Sender Dictionary Match
|
mail-from-dictionary-match(<dictionary_name>)
|
Does the envelope sender contain any of the regular expressions or terms in the content dictionary named dictionary_name? See Dictionary Rules.
|
SMTP Authenticated User Match
|
smtp-auth-id-matches(<target>[, <sieve-char>])
|
Does the address of the Envelope Sender and the address in the message header match the authenticated SMTP user ID of the sender?
See SMTP Authenticated User Match Rule.
|
True
|
true
|
Matches all messages. See True Rule.
|
Valid
|
valid
|
Returns false if the message contains unparsable/invalid MIME parts and true otherwise. See Valid Rule.
|
Signed
|
signed
|
Is the message signed? See Signed Rule.
|
Signed Certificate
|
signed-certificate(<field> [<operator> <regular expression>])
|
Does the message signer or X.509 certificate issuer match a certain pattern? See Signed Certificate Rule.
|
Header Repeats
|
header-repeats(<target>, <threshold> [, <direction>])
|
Returns true if at a given point in time, a specified number of messages:
See Header Repeats Rule.
|
URL Reputation
|
url-reputation
url-no-reputation
|
Is the reputation score of any URL in the message within the specified range?
Is a reputation score for a URL unavailable?
See URL Reputation Rules and Configuring Email Gateway to Consume External Threat Feeds.
|
URL Category
|
url-category
|
Does the category of any URL in the message match the specified categories?
See URL Category Rule.
|
Corrupt Attachment
|
attachment-corrupt
|
Does this message have an attachment that is corrupt?
See Corrupt Attachment Rule.
|
Message Language
|
message-language
|
Is the message (subject and body) in one of the selected languages?
See Message Language Rule.
|
Macro Detection
|
macro-detection-rule(['file_type-1', 'file_type-2', …, 'file_type-n'])
|
Does the incoming or outgoing message contain macro-enabled attachments?
See Macro Detection Rule.
|
Forged Email Detection
|
forged-email-detection("<dictionary_name>", <threshold>)
|
Is the sender address of the message forged? The rule checks if the From: header in the message is similar to any of the
users in the content dictionary.
See Forged Email Detection Rule.
|
Duplicate Boundaries Verification
|
duplicate_boundaries
|
Does the message contain duplicate MIME boundaries?
See Duplicate Boundaries Verification Rule.
|
Malformed MIME Header Detection
|
malformed-header
|
Does the message contain malformed MIME headers?
See Malformed MIME Header Detection Rule.
|
Geolocation
|
geolocation-rule(['country_name-1', 'country_name-2', 'country_name-n'])
|
Does the incoming message originate from the selected countries?
Note: Enable the Anti-Spam engine on your appliance before you use the Geolocation message filter rule.
See Geolocation Rule.
|
Domain Reputation
|
Sender Domain Reputation:
- sdr-reputation(<'sdr_verdict_range'>, <'domain_exception_list'>)
- sdr-age(<'unit'>, <'operator'> <'actual value'>)
- sdr-unscannable(<'domain_exception_list'>)
External Threat Feeds:
domain-external-threat-feeds(<'external_threat_feed_source_name'>, <'header'>, <'domain_exception_list'>)
|
Does the sender domain match the specified criteria?
- Sender Domain Reputation
- External Threat Feeds
See Domain Reputation Rule for ETF or Domain Reputation Rule for SDR.
For more information, see Configuring Email Gateway to Consume External Threat Feeds or Sender Domain Reputation Filtering.
|