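Introduction
You may find that some spammers send large messages without any attachments in order to get past anti-spam scanning. If they can send a message larger than the maximum scanning size of the ESA anti-spam engine, anti-spam scanning is skipped for that message. At the time of this writing, we do not recommend increasing the anti-spam maximum scanning size above 2MB unless otherwise advised. As a result, in most cases a message larger than 2MB can easily bypass anti-spam.
This article explains one concept for taking action on these types of messages by using a message filter.
Requirements
- Command-line access to the Email Security Appliance (ESA).
- Basic knowledge of how to write message filters.
- Basic knowledge of regular expressions (RegEx).
Create the message filter
In this section, we will create the message filter. This message filter matches all messages that are larger than 2MB and contain no attachments:
- Open a text editor and copy/paste the following message filter: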
large_spam_no_attachment:
if ((body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
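Note: For the message filter to work as written, you need to create a Policy, Virus and Outbreak (PVO) quarantine whose name matches the quarantine name used in the message filter's quarantine action. Otherwise, you must use a different action type. After you create this PVO quarantine and apply the message filter to the ESA, it is strongly recommended that you monitor the PVO quarantine and release or delete quarantined messages as needed.
- At this point, you may want to modify this message filter to suit your specific requirements. For example, if the maximum anti-spam scanning size is set to 1MB, you can lower the body size to 1MB.
- You may also want this message filter to apply only to messages from a specific sender group or listener. The following two additional examples may suit your purposes: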
large_spam_no_attachment:
if ((recv-listener == "IncomingMail") AND ((body-size > 2097152) AND NOT (attachment-size > 0))) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
large_spam_no_attachment:
if ((sendergroup != "RELAYLIST") AND ((body-size > 2097152) AND NOT (attachment-size > 0))) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
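- If you want to make any other changes, I recommend that you review the message filters section of the ESA End User Guide. That guide has sections that list the conditions and actions available for use.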
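Apply the message filter to the ESA
In this section, we will apply the message filter created in the previous section to the ESA. Message filters can only be applied to the ESA from the command line, so you need command-line access to the ESA.
- Log in to the ESA through the command line.
- Run the following commands to apply the message filter to the ESA: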
ironport.example.com> filters
Choose the operation you want to perform:
- NEW - Create a new filter.
- IMPORT - Import a filter script from a file.
[]> NEW
Enter filter script. Enter '.' on its own line to end.
large_spam_no_attachment:
if ((body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
.
1 filters added.
- At this point, you may want to review the message filter and make sure it is active and valid. You can do this by running the following commands:
ironport.example.com> filters
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> LIST
Num Active Valid Name
1 Y Y large_spam_no_attachment
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> DETAIL
Enter the filter name, number, or range:
[]> 1
Num Active Valid Name
1 Y Y large_spam_no_attachment
large_spam_no_attachment: if ((body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
- Run the commit command and add any relevant commit comments:
ironport.example.com> commit
Please enter some comments describing your changes:
[]> Applied large_spam_no_attachment message filter
Additional resources
ESA End User Guide