09-09-2016 01:11 PM
Hi Everyone. I am trying to figure out how I should implement a message filter that checks the subject field of my outgoing emails. If there is a match on a specific number combination, it should then rewrite the subject field with custom text. How can this be accomplished with filters?
09-12-2016 05:47 AM
Hi Roger,
The easiest way to create a message filter if you are unsure of the syntax is to create a content filter and copy the syntax from there to create a message filter.
You can also use websites such as regex101.com to determine the regex for the subject line match as per requirement.
Filter:
if subject == "123"
{
edit-header-text("Subject", "123", "Test"); OR insert-header("Subject", "Replace");
}
.
You can replace the term 123 with a regex of your choice.
Message filters are added through the command line using the command filters -> new
Thanks
Libin
09-13-2016 01:18 AM
Thank you Libin. I was not aware that if statements were supported. How can I quarantine/store the original email before editing and sending it to the receiver?
if subject == "mypassword"
{
edit-header-text("Subject", "mypassword", "Mypasswordremoved"); OR insert-header("Subject", "Replace");
}
09-13-2016 02:25 PM
Hi Roger,
In order to quarantine the email you would need to add the filter action as below
quarantine("Policy");
An email released from the quarantine is not scanned by the filters again, hence the subject would need to be modified for the email either before it is sent to the quarantine or using the quarantine settings (only allows prepend or append to the subject header).
Quarantine settings are located under Monitor -> Policy Virus and Outbreak Quarantine -> Policy
Note in reference to my previous post
The below two are different actions and you can use either as per the requirement.
edit-header-text("Subject", "mypassword", "Mypasswordremoved"); -- Search and replace mypassword with Mypasswordremoved
insert-header("Subject", "Replace"); -- Edit existing header value
NameofFilter:
if subject == "mypassword"
{
edit-header-text("Subject", "mypassword", "Mypasswordremoved");
quarantine("Policy");
}
.
Thanks
Libin
09-13-2016 03:15 PM
Thanks again Libin!
The reason I want to store a copy of the original email is that I want to prevent false positive catches with my filter. I would need to use RegEx to catch the special number combination.
Will this filter just quarantine and the email will not be sent? Is there any way to store a copy of the original email before editing the subject field and sending it to the receiver?
Myfilter1:
if subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$"
{
edit-header-text("Subject", "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$", "RuleHit");
quarantine("Policy");
}
09-13-2016 05:00 PM
Hello Roger,
You can create a log 'archive' of all of the emails modified by the filter using the archive action. I also added in a 'log-entry' which you can modify, so you can search through the mail logs for hits on the filter.
You can then access this log via the CLI or FTP/Syslog/SCP.
Myfilter1:
if subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$"
{
edit-header-text("Subject", "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$", "RuleHit");
log-entry("*** FILTER1 ***");
archive('filter1archive');
}
.
Thanks
-Dennis M.
09-14-2016 12:32 PM
Hi Dennis, will your example actually also send the email to the receiver, or will it only archive the email?
09-14-2016 01:04 PM
The action will archive a copy and continue to send the message on its way, so yes it will still be delivered. The Message Filter conditions/actions/examples/etc are covered extremely well in the Online Help portion of the ESA if you need some further details.
Help and Support --> Online Help --> Using Message Filters
"Archive Action
The archive action saves a copy of the original message, including all message headers and recipients into an mbox-format file on the appliance. The action takes a parameter that is the name of the log file in which to save the message. The system automatically creates a log subscription with the specified filename when you create the filter, or you can also specify an existing filter log file. After the filter and the filter log file are created, the filter log options may then be edited with the filters -> logconfig subcommand."
09-19-2016 05:00 AM
Thanks a lot for your explanation. I will need to read more about Archive.
What if I am only interested in making a copy of the email if it matches my regex, without changing anything on the original email (the email should still be sent)? Can I then use Quarantine, or should I still use Archive to store copies of the emails? And what should the code look like then?
09-19-2016 05:39 AM
Hi Roger,
Since you are looking to deliver the original email without changes and keep a copy of the email for review you could use the duplicate-quarantine action in the filters.
The duplicate-quarantine('quarantine_name') action immediately places a copy of the message into the specified quarantine and the original message continues through the email pipeline.
The action format would be
duplicate-quarantine('Policy');
In this case the original email would be delivered as is and a copy of the original email would be sent to the Policy quarantine for you to review.
Myfilter1:
if subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$"
{
duplicate-quarantine('Policy');
log-entry("*** FILTER1 ***");
}
.
Thanks
Libin
09-21-2016 03:00 AM
Thanks again!!
How do I include verification of the Envelope sender in my script? There is no Envelope Sender in the Autoreply emails, and I am only interested in matching those with <No Sender> as Envelope sender.
Will I be able to implement this with Content filtering instead of using Message filtering?
09-21-2016 04:57 AM
Hi Roger,
Yes, this filter can be implemented using content filters as well. Using message filters allows you to quarantine these emails at the beginning of the workqueue, as content filters are close to the end of the workqueue processing.
Myfilter1:
if (subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$") AND (mail-from == "^<>$")
{
duplicate-quarantine('Policy');
log-entry("*** FILTER1 ***");
}
.
In regex terms
^ - Starts with
$ - Ends with
This would hence check emails with envelope sender <>
Thanks
Libin
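An offline check of the filter conditions discussed in this thread, added here as an example and not part of any post or of the appliance's documentation. It assumes Python's re module behaves like the appliance's matcher for this simple pattern and that a null envelope sender is the literal string <>, as in the filter above; the test cases and mbox content are constructed.

```python
import mailbox
import os
import re
import tempfile

# Conditions copied from the thread's final Myfilter1.
SUBJECT_RE = re.compile(r"^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$")
NULL_SENDER_RE = re.compile(r"^<>$")

def filter_hits(subject, mail_from):
    """Model of (subject == ...) AND (mail-from == "^<>$") as regex searches."""
    return bool(SUBJECT_RE.search(subject) and NULL_SENDER_RE.search(mail_from))

def review_archive(path):
    """Return (subject, matches_pattern) for every message in an mbox file."""
    box = mailbox.mbox(path)
    try:
        subjects = [msg["Subject"] or "" for msg in box]
    finally:
        box.close()
    return [(s, bool(SUBJECT_RE.search(s))) for s in subjects]

# Constructed cases: (subject, envelope sender, expected hit).
CASES = [
    ("123", "<>", True),                # three-digit value, null sender
    ("255", "<>", True),                # upper bound of the range
    ("256", "<>", False),               # out of range
    ("12", "<>", False),                # pattern needs exactly three digits
    ("Re: 123", "<>", False),           # anchors reject surrounding text
    ("123", "user@example.com", False), # real envelope sender
]

# Constructed mbox standing in for a downloaded archive log; the second
# message models a hit from an earlier, unanchored version of the pattern.
SAMPLE_MBOX = (
    "From MAILER-DAEMON Tue Sep 13 17:00:00 2016\n"
    "Subject: 123\n\nauto-reply body\n\n"
    "From MAILER-DAEMON Tue Sep 13 17:05:00 2016\n"
    "Subject: Order 123 shipped\n\nbody\n"
)

def demo_archive_review():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "filter1archive.mbox")
        with open(path, "w") as fh:
            fh.write(SAMPLE_MBOX)
        return review_archive(path)

if __name__ == "__main__":
    print([(s, f, filter_hits(s, f)) for s, f, _ in CASES])
    print(demo_archive_review())
```

Running a candidate pattern over representative subjects and over a previously collected archive shows which messages a change to the regex would start or stop catching before the filter is edited on the appliance.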
09-21-2016 05:01 AM
09-21-2016 05:07 AM
Absolutely, content filter actions allow for add/edit header as well.
Libin
10-20-2016 06:17 AM
It works well with the Subject header. But I cannot get it to work with the Thread-Topic header. Is there something special I need to know when I want to replace text in the Thread-Topic header?