Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1372
Views
10
Helpful
1
Replies

Dictionary entries question

Go to solution
ScottLoveland8675309
Level 1
Level 1

‎06-23-2021 01:01 PM

A phisher is trying to executive spoof with the title President & CEO | M&A Integration, Restructuring & Brand Repositioning

 

If I add that as a term in Blocked_phrases dictionary, which is used by a Blacklist filter with a rule dictionary-match("Blocked_phrases", 1), will that block messages when President & CEO | M&A Integration, Restructuring & Brand Repositioning is seen or when President & CEO, President, or CEO seen? Ideally, I'd like it to be only when the whole phrase is found. 

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee

‎06-23-2021 06:02 PM

Hey Scott,

 

In your dictionary there is a "match whole words" check box, make sure that's ticked and it'll act as a boundary for your string to match.

From your query i assume this is at the subject line level?


IF so it'll be a subject contains dictionary match.

This means if subject contains "President & CEO | M&A Integration, Restructuring & Brand Repositioning" in this exact string pattern, it will match.

 

However if they added a word in between or changed a character, it will not match.

If they added an extra character/string before (separated with a whitespace) it will match.

If they added an extra character/string after (separated with a whitespace) it will match.

 

Keep in mind, dictionaries also accepts regex, make sure you escape the pipe | with \\

 

A good way to test this before you commit it into action is:

1) create dictionary

2) add dictionary to a content filter rule

3) add content filter to your policy

4) submit but DO NOT commit

5) go to system admin -> trace

 

Run a trace to see if it meets your requirements.

 

Thanks,

Mathew

View solution in original post

1 Reply 1

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee

‎06-23-2021 06:02 PM

Hey Scott,

 

In your dictionary there is a "match whole words" check box, make sure that's ticked and it'll act as a boundary for your string to match.

From your query i assume this is at the subject line level?


IF so it'll be a subject contains dictionary match.

This means if subject contains "President & CEO | M&A Integration, Restructuring & Brand Repositioning" in this exact string pattern, it will match.

 

However if they added a word in between or changed a character, it will not match.

If they added an extra character/string before (separated with a whitespace) it will match.

If they added an extra character/string after (separated with a whitespace) it will match.

 

Keep in mind, dictionaries also accepts regex, make sure you escape the pipe | with \\

 

A good way to test this before you commit it into action is:

1) create dictionary

2) add dictionary to a content filter rule

3) add content filter to your policy

4) submit but DO NOT commit

5) go to system admin -> trace

 

Run a trace to see if it meets your requirements.

 

Thanks,

Mathew

Customers Also Viewed These Support Documents