ESA messagefilter script

Roger Base
Level 1

Hi Everyone. I am trying to figure out how I should implement a message filter that checks the subject field of my outgoing emails. If there is a match on a specific number combination, it should then rewrite the subject field with custom text. How can this be accomplished with filters?


24 Replies

Libin Varghese
Cisco Employee

Hi Roger,

The easiest way to create a message filter if you are unsure of the syntax is to create a content filter and copy the syntax from there to create a message filter.

You can also use websites such as regex101.com to determine the regex for the subject line match as per requirement.

Filter:
if subject == "123"
{
edit-header-text("Subject", "123", "Test"); OR insert-header("Subject", "Replace");
}
.

You can replace the term 123 with a regex of your choice.

Message filters are added through the command line using command filters -> new

Thanks
Libin

Thank you Libin. I was not aware that if statements were supported. How can I quarantine/store the original email before editing and sending it to the receiver?

if subject == "mypassword"
{
edit-header-text("Subject", "mypassword", "Mypasswordremoved"); OR insert-header("Subject", "Replace");
}

Hi Roger,

In order to quarantine the email you would need to add the filter action as below

quarantine("Policy");

An email released from the quarantine is not scanned by the filters again, hence the subject would need to be modified for the email either before it is sent to the quarantine or using the quarantine settings (only allows prepend or append to the subject header).

Quarantine settings are located under Monitor -> Policy Virus and Outbreak Quarantine -> Policy

Note in reference to my previous post
The below two are different actions and you can use either as per the requirement.

edit-header-text("Subject", "mypassword", "Mypasswordremoved"); -- Search and replace mypassword with Mypasswordremoved

insert-header("Subject", "Replace"); -- Edit existing header value

NameofFilter:
if subject == "mypassword"
{
edit-header-text("Subject", "mypassword", "Mypasswordremoved");
quarantine("Policy");
}
.

Thanks
Libin
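To make the difference between the two actions concrete, here is an added Python model (not code from the thread, and not Cisco's implementation) of how `edit-header-text` and `insert-header` change a header and how the `subject ==` condition gates the `quarantine` action. It assumes, as the replies above describe, that `subject == "regex"` is an unanchored regex search, that `edit-header-text` replaces every match of the regex inside the existing value, and that `insert-header` sets the header to the literal value given; the sample headers are constructed.

```python
import re

# Constructed sample headers; not taken from the original thread.
SAMPLE = {"From": "user@example.com", "Subject": "Re: mypassword for the VPN"}


def subject_matches(headers: dict, pattern: str) -> bool:
    """Models 'subject == "pattern"': an unanchored regex search of the Subject value (assumption)."""
    return re.search(pattern, headers.get("Subject", "")) is not None


def edit_header_text(headers: dict, name: str, pattern: str, replacement: str) -> dict:
    """Models edit-header-text: search-and-replace inside the existing header value."""
    out = dict(headers)
    if name in out:
        out[name] = re.sub(pattern, replacement, out[name])
    return out


def insert_header(headers: dict, name: str, value: str) -> dict:
    """Models insert-header: the header is overwritten (or created) with the literal value."""
    out = dict(headers)
    out[name] = value
    return out


def apply_filter(headers: dict, pattern: str, action: str):
    """Models NameofFilter from the reply above.

    If the subject matches, rewrite it with the chosen action ('edit' or 'insert')
    and record the quarantine action; otherwise the message passes untouched.
    Returns (new_headers, list_of_actions).
    """
    if not subject_matches(headers, pattern):
        return headers, []
    if action == "edit":
        new = edit_header_text(headers, "Subject", pattern, "Mypasswordremoved")
    else:
        new = insert_header(headers, "Subject", "Replace")
    return new, ["quarantine('Policy')"]


if __name__ == "__main__":
    for mode in ("edit", "insert"):
        hdrs, actions = apply_filter(SAMPLE, "mypassword", mode)
        print(mode, "->", hdrs["Subject"], actions)
```

With the `edit` action only the matched text is replaced and the rest of the subject survives; with `insert` the whole subject becomes `Replace`, which is why a search-and-replace is the better fit when the goal is to remove one token from an otherwise useful subject line.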

Thanks again Libin!

The reason I want to store a copy of the original email is that I want to prevent false-positive catches with my filter. I would need to use RegEx to catch the special number combination.

Will this filter just quarantine, and the email will not be sent? Is there any way to store a copy of the original email before editing the subject field and sending it to the receiver?

Myfilter1:
if subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$"
{
edit-header-text("Subject", "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$", "RuleHit");
quarantine("Policy");
}

Hello Roger,

You can create a log 'archive' of all of the emails modified by the filter using the archive action. I also added in a 'log-entry' which you can modify, so you can search through the mail logs for hits on the filter.

You can then access this log via the CLI or FTP/Syslog/SCP.

Myfilter1:
if subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$"
{
edit-header-text("Subject", "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$", "RuleHit");
log-entry("*** FILTER1 ***");
archive('filter1archive');
}
.

Thanks

-Dennis M.

Hi Dennis, will your example actually also send the email to the receiver, or will it only archive the email?

The action will archive a copy and continue to send the message on its way, so yes it will still be delivered. The Message Filter conditions/actions/examples/etc are covered extremely well in the Online Help portion of the ESA if you need some further details.

Help and Support --> Online Help --> Using Message Filters

"Archive Action

The archive action saves a copy of the original message, including all message headers and recipients into an mbox-format file on the appliance. The action takes a parameter that is the name of the log file in which to save the message. The system automatically creates a log subscription with the specified filename when you create the filter, or you can also specify an existing filter log file. After the filter and the filter log file are created, the filter log options may then be edited with the filters -> logconfig subcommand."

Thanks a lot for your explanation. I will need to read more about Archive.

What if I am only interested in making a copy of the email if it matches my regex, without changing anything on the original email (the email should still be sent)? Can I then use Quarantine, or should I still use Archive to store copies of the emails? And what should the code look like then?


Hi Roger,

Since you are looking to deliver the original email without changes and keep a copy of the email for review you could use the duplicate-quarantine action in the filters.

The duplicate-quarantine('quarantine_name') action immediately places a copy of the message into the specified quarantine and the original message continues through the email pipeline.

The action format would be
duplicate-quarantine('Policy');

In this case the original email would be delivered as is and a copy of the original email would be sent to the Policy quarantine for you to review.

Myfilter1:
if subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$"
{
duplicate-quarantine('Policy');
log-entry("*** FILTER1 ***");
}
.

Thanks

Libin

Thanks again!!

How do I include verification of the Envelope Sender in my script? There is no Envelope Sender in the Autoreply emails, and I am only interested in matching those with <No Sender> as Envelope Sender.

Will I be able to implement this with Content filtering instead of using Message filtering?

Hi Roger,

Yes, this filter can be implemented using content filters as well. Using message filters allows you to quarantine these emails at the beginning of the workqueue, as content filters are close to the end of the workqueue processing.

Myfilter1:
if (subject == "^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$") AND (mail-from == "^<>$")
{
duplicate-quarantine('Policy');
log-entry("*** FILTER1 ***");
}
.

In regex terms
^ - Starts with
$ - Ends with

This would hence check emails with envelope sender <>

Thanks
Libin
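The combined condition in the reply above, and the anchoring point made in the earlier exchange about the 0–255 regex, can be checked offline before the filter goes onto the appliance. The Python below is an added example (not from the thread and not Cisco's code): it evaluates `(subject == regex) AND (mail-from == "^<>$")` over a set of constructed messages, models `duplicate-quarantine` as "deliver everything, copy the matches", and then re-runs the same messages with the `^`/`$` anchors stripped to show which extra subjects a bare `200` pattern would catch. It assumes `==` is an unanchored regex search and that the null envelope sender is presented as the literal string `<>`, as the reply implies.

```python
import re

# Filter conditions exactly as in Myfilter1 above.
SUBJECT_RE = r"^([01][0-9][0-9]|2[0-4][0-9]|25[0-5])$"   # whole subject is 000-255
MAIL_FROM_RE = r"^<>$"                                    # null envelope sender

# Constructed test messages (not real mail). envelope_from is the SMTP MAIL FROM
# value; "<>" is the null sender that autoreplies and bounces use.
MESSAGES = [
    {"id": "m1", "envelope_from": "<>", "subject": "200"},                  # should match
    {"id": "m2", "envelope_from": "<>", "subject": "256"},                  # outside 0-255
    {"id": "m3", "envelope_from": "<bob@example.com>", "subject": "200"},   # real sender
    {"id": "m4", "envelope_from": "<>", "subject": "Order 200 received"},   # number inside text
    {"id": "m5", "envelope_from": "<>", "subject": "042"},                  # leading zero, in range
]


def condition(msg: dict, subject_re: str = SUBJECT_RE, mail_from_re: str = MAIL_FROM_RE) -> bool:
    """Models: (subject == subject_re) AND (mail-from == mail_from_re).

    Assumption: the '==' rule is an unanchored regex search, so the pattern's own
    ^ and $ decide whether the whole header value must match.
    """
    return (re.search(subject_re, msg["subject"]) is not None
            and re.search(mail_from_re, msg["envelope_from"]) is not None)


def run_filter(messages, subject_re: str = SUBJECT_RE, mail_from_re: str = MAIL_FROM_RE):
    """Models the filter body: every message is still delivered; matches additionally
    get a copy in the 'Policy' quarantine and a log-entry line.

    Returns (delivered_ids, quarantined_copy_ids, log_lines).
    """
    delivered, copies, log = [], [], []
    for m in messages:
        delivered.append(m["id"])            # original always continues down the pipeline
        if condition(m, subject_re, mail_from_re):
            copies.append(m["id"])           # duplicate-quarantine('Policy')
            log.append(f"*** FILTER1 *** mid={m['id']} subject={m['subject']!r}")
    return delivered, copies, log


if __name__ == "__main__":
    _, anchored, lines = run_filter(MESSAGES)
    print("anchored regex copies:", anchored)
    print("\n".join(lines))
    # Same run with ^ and $ removed: shows the false positive the anchors prevent.
    _, unanchored, _ = run_filter(MESSAGES, subject_re=SUBJECT_RE.strip("^$"))
    print("unanchored regex copies:", unanchored)
```

Running it shows that only `m1` and `m5` are copied with the anchored pattern, while dropping the anchors also copies `m4` ("Order 200 received"), which is exactly the kind of false positive the original poster wanted to avoid; `m2` (256) and `m3` (a real sender) are never copied.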

Thanks again!! I ended up using a Content filter. Can I also use edit-header-text with a Content Filter?

Absolutely, content filter actions allow for add/edit header as well.

Libin

It works well with the Subject header. But I cannot get it to work with the Thread-Topic header. Is there something special I need to know when I want to replace text in the Thread-Topic header?
