1777 Views · 10 Helpful · 5 Replies

ESA Release 8.5.6 message filter (CLI) syntax

joshuaclark2014
Level 1

Can someone help me with the following syntax on a message filter?

 

IHSpam: if (mail-from-dictionary-match("IHSpamBlock", 1)) AND (rcpt-to == "@domainname.com") {
    insert-header("X-IronPort-Quarantine", "Yes");
}
 

The portion I need help with is the "AND (rcpt-to == "@domainname.com")"

I need to know what syntax to use for looking up every incoming email that CONTAINS @domainname.com. The logic is: any incoming email that is destined for @domainname.com (changed for security) AND is from a dictionary list of email addresses that I pre-populate (addresses I want blocked) will be directed to the ISQ (SPAM quarantine for the receiving email address).

 

The rule works fine when I use ==, but that will only match a FULL email address. I need to know what the syntax is to look up a CONTAINS field for the domain name.

 

Thanks in advance, and trust me, I searched and researched Cisco and google forums numerous times trying to find the answer BEFORE posting.

Accepted Solution

Hey Joshua,

 

I'm glad the responses on the forums have helped out :)
To add to this filter if you decide you want to add in more domains for matching you can use this rcpt-to syntax

 

AND (rcpt-to =="(?i)(@domain\\.com|@domain2\\.com|@domain3\\.com)$")

 

The \\ is to escape the regex metacharacter "." (so it matches a literal dot).

The | is the pipe for the OR clause within the list of domains.

(?i) is case insensitive so someone can't use recipient@dOmaIn.com to bypass your filter syntax.

 

Regards,

Matthew

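To make the three regex points in the accepted answer (escaped dot, `|` alternation, `(?i)` and the `$` anchor) concrete, here is an added Python emulation of the filter condition. It is not part of the original thread and not Cisco's code; it assumes, as the thread does, that `rcpt-to == "<string>"` treats the string as a regular expression searched within the recipient address, and uses a constructed stand-in for the `IHSpamBlock` dictionary.

```python
import re

# Recipient regex from the accepted answer, written as a Python raw string:
# the filter's "\\." is the regex "\." here (a literal dot).
RCPT_REGEX = r"(?i)(@domain\.com|@domain2\.com|@domain3\.com)$"

# The unescaped form from the original filter, kept for comparison:
# an unescaped "." matches ANY single character, not just a dot.
UNESCAPED_REGEX = r"@domain.com$"

# Constructed stand-in for the IHSpamBlock mail-from dictionary (assumption:
# the real dictionary lives on the appliance; these addresses are made up).
SENDER_DICTIONARY = {"spammer@example.net", "bulk@example.org"}


def rcpt_matches(pattern, address):
    """Emulate rcpt-to == "<regex>" (assumption: regex search, not full match)."""
    return re.search(pattern, address) is not None


def filter_decision(mail_from, rcpt_to, pattern=RCPT_REGEX):
    """Emulate the IHSpam filter: sender in the dictionary AND recipient
    matches the regex. Returns the header the filter would insert, else None."""
    if mail_from.lower() in SENDER_DICTIONARY and rcpt_matches(pattern, rcpt_to):
        return {"X-IronPort-Quarantine": "Yes"}
    return None


if __name__ == "__main__":
    # Constructed recipient addresses exercising each point from the answer.
    for rcpt in ("user@domain.com", "user@dOmaIn.com", "user@domain2.com",
                 "user@domainXcom", "user@domain.com.evil.example"):
        print(f"{rcpt:32} escaped+anchored={rcpt_matches(RCPT_REGEX, rcpt)!s:5} "
              f"unescaped={rcpt_matches(UNESCAPED_REGEX, rcpt)}")
    print(filter_decision("spammer@example.net", "user@domain.com"))
    print(filter_decision("friend@example.net", "user@domain.com"))
```

Running it shows why each piece matters: without `(?i)` the `dOmaIn.com` recipient slips past, without the escape `@domainXcom` is treated as a match, and without the trailing `$` a recipient such as `user@domain.com.evil.example` would also match the domain list.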

5 Replies

Looking at the doc, I'm wondering if one of the following would work:

(rcpt-to == '@domainname.com')     <- single quotes

(rcpt-to == '@domainname.com$')    <- $ is regex for "ends with"

Thanks, I am going to try this and see if it works; the worst that happens is I have to redo the filter:

 

(rcpt-to == '@domainname.com$')    <- $ is regex for "ends with"

I ended up using this syntax and it is working, thank you very much. I am now able to add keywords or domains I want to block (using two separate filters) and divert them to the end users' quarantine:

 

IHSpam: if (subject-dictionary-match("IHSubjectSpamBlock", 1)) AND (rcpt-to == "@domain.com$") {
    notify("my@domain.com");
    insert-header("X-IronPort-Quarantine", "Yes");
}
 
