ESA message filter script

Roger Base
Level 1

Hi Everyone. I am trying to figure out how I should implement a message filter that checks the subject field of my outgoing emails. If there is a match on a specific number combination, it should then rewrite the subject field with custom text. How can this be accomplished with filters?

24 Replies

Roger,

The filter should work for Thread-Topic header as well, I do not think any additional steps would be required.

Could you confirm what filter you have set up for that header?

Libin

I am using outgoing content filter with two header changes. Subject and Thread-Topic.

Subject is working well and I can rewrite the subject header. If I use the same regex for Thread-Topic it doesn't work.

Could you share the filter rule and I can check and test in the lab.

Libin

Yes, I can. But I had to remove some of the confidential information. Anyway, that is not important in this case. I guess you can just make a simple regular expression to match anything. Again, the subject header and the quarantine of the policy do work. The only thing not working is the Thread-Topic header.

Roger,

I did run some tests and the filter does work for Thread-Topic header as well.

I used the below filter

Myfilter1:
if (subject == "Test") AND (header("Thread-Topic") == "Test")
{
edit-header-text("Subject", "Test", "SubjectRuleHit");
edit-header-text("Thread-Topic", "Test", "ThreadRuleHit");
log-entry("*** FILTER1 ***");
}

Then I used a manual telnet session to control the value of the Thread-Topic header

Escape character is '^]'.
220 **************************
ehlo cisco.com
250-ironport.example.com
250-8BITMIME
250 SIZE 10485760
mail from: libivarg@cisco.com
250 sender <libivarg@cisco.com> ok
rcpt to: libivarg@esa-lab.in.local
250 recipient <libivarg@esa-lab.in.local> ok
data
354 go ahead
Subject: Test
Thread-Topic: Test
This is a test email
.
250 ok: Message 244 accepted
quit

The resultant headers were these

Received: from ironport.example.com (10.122.187.140) by
ESA-LAB-EXCH02.esa-lab.in.local (10.122.187.137) with Microsoft SMTP Server
id 14.3.123.3; Fri, 21 Oct 2016 09:07:40 -0400
Thread-Topic: ThreadRuleHit
X-IronPort-Anti-Spam-Filtered: true
Subject: [SUSPECTED SPAM] SubjectRuleHit
X-IronPort-AV: E=Sophos;i="5.17,1,1437436800";
d="scan'";a="244"
X-Amp-Result: Clean
X-Amp-File-Uploaded: False
MIME-Version: 1.0
Content-Type: text/plain
Message-ID:
<eae91b9e-490a-4896-ace0-e1130a80da5d@ESA-LAB-EXCH02.esa-lab.in.local>
From: <libivarg@cisco.com>
To: Undisclosed recipients:;
Return-Path: libivarg@cisco.com
Date: Fri, 21 Oct 2016 09:07:40 -0400
X-MS-Exchange-Organization-AuthSource: ESA-LAB-EXCH02.esa-lab.in.local
X-MS-Exchange-Organization-AuthAs: Anonymous

The Subject header and Thread-Topic header were both modified. I would suspect the regex mentioned in the edit-header action for the Thread-Topic header did not match the test email.

Libin

Hi Libin,

The biggest difference between your example and mine is that you are matching for the Thread-Topic header and Subject in your if statement. I am just matching for Subject, and if it matches the subject then I have 3 results.

I haven't seen my own code because I am using the GUI. But I guess mine looks like this.

Does this work on yours? And will Thread-Topic and Subject always have the same content?

Myfilter1:
if (subject == "Test")
{
edit-header-text("Subject", "Test", "SubjectRuleHit");
edit-header-text("Thread-Topic", "Test", "ThreadRuleHit");
log-entry("*** FILTER1 ***");
}

Roger,

That tested correctly as well.


Myfilter1:
if (subject == "Test")
{
edit-header-text("Subject", "Test", "SubjectRuleHit");
edit-header-text("Thread-Topic", "Test", "ThreadRuleHit");
log-entry("*** FILTER1 ***");
}
.
1 filters added.

Escape character is '^]'.
220 ironport.example.com ESMTP
ehlo esa-lab.in.local
250-ironport.example.com
250-8BITMIME
250 SIZE 10485760
mail from: libivarg@esa-lab.in.local
250 sender <libivarg@esa-lab.in.local> ok
rcpt to: libivarg@esa-lab.test.local
250 recipient <libivarg@esa-lab.test.local> ok
data
354 go ahead
Subject: Test
Thread-Topic: Test
This is a test email
.
250 ok: Message 251 accepted

Received: from ironport.example.com (10.122.187.140) by
ESA-LAB-EXCH03.esa-lab.test.local (10.122.187.155) with Microsoft SMTP Server
id 14.0.639.21; Mon, 24 Oct 2016 06:11:14 -0700
Thread-Topic: ThreadRuleHit
X-IronPort-Anti-Spam-Filtered: true
Subject: [SUSPECTED SPAM] SubjectRuleHit
X-IronPort-AV: E=Sophos;i="5.17,1,1437436800";
d="scan'";a="251"
X-Amp-Result: Clean
X-Amp-File-Uploaded: False
MIME-Version: 1.0
Content-Type: text/plain
Message-ID: <5b1fdc72-3a3f-46cd-864d-4e4b52b5c44e@ESA-LAB-EXCH03.esa-lab.test.local>
From: <libivarg@esa-lab.in.local>
To: Undisclosed recipients:;
Return-Path: libivarg@esa-lab.in.local
Date: Mon, 24 Oct 2016 06:11:14 -0700
X-MS-Exchange-Organization-AuthSource: ESA-LAB-EXCH03.esa-lab.test.local
X-MS-Exchange-Organization-AuthAs: Anonymous

Mon Oct 24 07:43:56 2016 Info: New SMTP ICID 236 interface Management (10.122.187.140) address 10.122.187.141 reverse dns host esa1.esa-lab.co.local verified yes
Mon Oct 24 07:43:56 2016 Info: ICID 236 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Mon Oct 24 07:44:27 2016 Info: SenderBase: failed to connect to host: phonehome.senderbase.org port: 443, error: SSL error: Connection failed: [Errno 60] Operation timed out
Mon Oct 24 07:44:53 2016 Info: Start MID 251 ICID 236
Mon Oct 24 07:44:53 2016 Info: MID 251 ICID 236 From: <libivarg@esa-lab.in.local>
Mon Oct 24 07:45:17 2016 Info: MID 251 ICID 236 RID 0 To: <libivarg@esa-lab.test.local>
Mon Oct 24 07:45:39 2016 Info: SenderBase: failed to connect to host: phonehome.senderbase.org port: 443, error: General error:
Mon Oct 24 07:45:41 2016 Info: MID 251 Subject 'Test'
Mon Oct 24 07:45:41 2016 Info: MID 251 ready 59 bytes from <libivarg@esa-lab.in.local>
Mon Oct 24 07:45:41 2016 Info: MID 251 Custom Log Entry: *** FILTER1 ***
Mon Oct 24 07:45:41 2016 Info: MID 251 matched all recipients for per-recipient policy DEFAULT in the inbound table
Mon Oct 24 07:45:48 2016 Info: MID 251 interim verdict using engine: CASE spam suspect
Mon Oct 24 07:45:48 2016 Info: MID 251 using engine: CASE spam suspect
Mon Oct 24 07:45:49 2016 Info: MID 251 interim AV verdict using Sophos CLEAN
Mon Oct 24 07:45:49 2016 Info: MID 251 antivirus negative
Mon Oct 24 07:45:49 2016 Info: MID 251 AMP file reputation verdict : CLEAN
Mon Oct 24 07:45:49 2016 Info: MID 251 using engine: GRAYMAIL negative
Mon Oct 24 07:45:49 2016 Info: MID 251 Outbreak Filters: verdict negative
Mon Oct 24 07:45:49 2016 Info: MID 251 queued for delivery
Mon Oct 24 07:45:49 2016 Info: New SMTP DCID 1522 interface 10.122.187.140 address 10.122.187.155 port 25
Mon Oct 24 07:45:49 2016 Info: Delivery start DCID 1522 MID 251 to RID [0]
Mon Oct 24 07:45:49 2016 Info: Message done DCID 1522 MID 251 to RID [0]
Mon Oct 24 07:45:49 2016 Info: MID 251 RID [0] Response '2.6.0 <5b1fdc72-3a3f-46cd-864d-4e4b52b5c44e@ESA-LAB-EXCH03.esa-lab.test.local> [InternalId=66] Queued mail for delivery'
Mon Oct 24 07:45:49 2016 Info: Message finished MID 251 done
Mon Oct 24 07:45:54 2016 Info: DCID 1522 close

The Subject and Thread-Topic header could have the same or different values depending on the sending server.

Libin

Hi Libin,

I found the fault. When receiving an Autoreply from Outlook, the Autoreply text is not visible in the Thread-Topic header; the Autoreply text is only in the Subject header. I was matching for Autoreply in both headers. I solved it by removing the match for Autoreply from the Thread-Topic header.

Thanks again.
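As an added example (not code from the original thread or from Cisco's filter engine), the following Python model mirrors the behaviour discussed above: a condition on Subject, then an edit-header-text style rewrite on both Subject and Thread-Topic, run against a constructed Outlook-style autoreply whose Thread-Topic lacks the autoreply prefix. The replace-every-match semantics, the "Automatic reply:" prefix and the sample messages are assumptions, not taken from the thread.

```python
# Added example: a small Python model of the edit-header-text behaviour this
# thread relies on. It is NOT the ESA filter engine; it only mirrors the
# semantics the replies describe: a regex is matched against one header value
# and replaced with custom text, and the header is left untouched when the
# regex does not match. Replacing every match is an assumption of this model.
import re
from email import message_from_string
from email.message import Message


def edit_header_text(msg: Message, header: str, pattern: str, replacement: str) -> bool:
    """Model of edit-header-text(header, regex, text).
    Returns True only when the header exists and the regex matched it."""
    value = msg.get(header)
    if value is None or re.search(pattern, value) is None:
        return False
    new_value = re.sub(pattern, replacement, value)
    del msg[header]           # drop the old header line(s)
    msg[header] = new_value   # and write the rewritten value
    return True


def apply_filter(raw: str, pattern: str) -> dict:
    """Filter from the thread: condition 'subject == pattern', then two
    edit-header-text actions. Reports which of the two edits took effect."""
    msg = message_from_string(raw)
    if re.search(pattern, msg.get("Subject", "")) is None:
        return {"matched": False}
    return {
        "matched": True,
        "subject_edited": edit_header_text(msg, "Subject", pattern, "SubjectRuleHit"),
        "thread_topic_edited": edit_header_text(msg, "Thread-Topic", pattern, "ThreadRuleHit"),
        "Subject": msg["Subject"],
        "Thread-Topic": msg["Thread-Topic"],
    }


# Constructed sample messages (assumed layout of an Outlook autoreply; the
# "Automatic reply:" prefix appears in Subject but not in Thread-Topic).
PLAIN = "Subject: Test 12345\r\nThread-Topic: Test 12345\r\n\r\nbody\r\n"
AUTOREPLY = "Subject: Automatic reply: Test 12345\r\nThread-Topic: Test 12345\r\n\r\nbody\r\n"

if __name__ == "__main__":
    # A regex that includes the autoreply prefix rewrites Subject only.
    print(apply_filter(AUTOREPLY, r"Automatic reply:.*12345"))
    # A regex on the number combination alone rewrites both headers.
    print(apply_filter(AUTOREPLY, r"\d{5}"))
```

Matching only the number combination (the original question) keeps both header rewrites in step, which is what the thread ends up recommending for the Thread-Topic action.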

Glad I could help.

Thank you for sharing the findings.

Glad you got it figured out! :)

-Dennis M.
