01-13-2016 12:20 PM
Does anyone know of a way to tune the Ironports so that the content and language filter does not quarantine legitimate emails because a word may contain part of a word that is to be filtered? I.e., the word "classified" causes emails to be quarantined because of the 3-5 characters. I checked the box to match whole words and that helped a bit, but we are still having that issue.
01-13-2016 05:39 PM
Hey Corey,
Match whole words should correct most of the mis-matched behaviour unless someone is actually sending out profanity words like 'ass' within the email somewhere causing the match.
Else you can attempt to add boundaries to the terms as well with \b.
However generally it should not match an email where you have the word as classified when the Match whole words is enabled.
I would also suggest to add an extra action of -> Add Log Entry -> $MatchedContent
Just so you know what word matched and to skim the email for the actual word.
Weighting may also need to be implemented to stop very strict or some false positive matches.
Regards,
Matthew
01-14-2016 01:10 AM
Regular expressions are relatively expensive in terms of CPU, but if you really have to go for short phrases that are false-positive city then ^ass$ will do. It won't catch ass-qualifier but just going for ^ass will still give you lots of false positives. You might have more luck including some of the more common or offensive qualifiers as separate phrases, as a clutch of phrases is cheaper than a regular expression.
As Matthew says, dropping the weighting is probably the first step unless you're filtering for a church congregation.
On the subject of weighting I still prefer the way certain other gateway products work, counting a phrase once no matter how many further times it appeared in the message. This was far better at avoiding false positives, and I use weighting much less now than then.
01-19-2016 08:29 AM
Thanks for the information. It appears most of everything is being caught by the Match Whole Words. But I have these, for example, that didn't: an IP address with 38.xxx as the last 2 octets, or an attachment with scripts that has file\xxx in it. Do you think that the ^xxx$ script will not recognize these as false positives?
01-21-2016 02:13 PM
Hey Corey,
file\xxx or 38.xxx will not be caught under ^xxx$ type of regex filter.
Also it will depend on the filter condition as well.
For any dictionary, or body/string matching I always suggest to add the "Add Log Entry" action with $MatchedContent for ease of auditing as well so you can see in the mail_logs/tracking logs what string was triggered.
Regards,
Matthew
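The matching styles discussed in this thread, compared side by side as an added example (not code from the thread or from Cisco). It uses Python's `re` module as a stand-in for the appliance's matcher, which is an assumption; `match_modes`, the `whitespace_delimited` pattern and the sample strings are constructed for illustration and go one step beyond what the posts describe.

```python
import re

def match_modes(term, text):
    """Report which matching style fires for `term` inside `text`.

    substring            - plain "contains" match (no whole-word option)
    word_boundary        - term wrapped in \\b ... \\b
    anchored             - ^term$, the whole scanned string must equal the term
    whitespace_delimited - term must be surrounded by whitespace or string edges
                           (hypothetical stricter pattern, not an appliance option)
    """
    t = re.escape(term)
    patterns = {
        "substring": t,
        "word_boundary": r"\b" + t + r"\b",
        "anchored": "^" + t + "$",
        "whitespace_delimited": r"(?<!\S)" + t + r"(?!\S)",
    }
    return {name: re.search(p, text, re.IGNORECASE) is not None
            for name, p in patterns.items()}

# Constructed sample inputs modelled on the cases raised in the thread.
SAMPLES = [
    ("ass", "This document is classified."),
    ("xxx", "Host 10.0.38.xxx is unreachable"),
    ("xxx", r"open file\xxx in the editor"),
    ("xxx", "rated xxx content"),
    ("xxx", "xxx"),
]

def report():
    """Return one row per sample: (term, text, names of the modes that matched)."""
    rows = []
    for term, text in SAMPLES:
        hits = [name for name, hit in match_modes(term, text).items() if hit]
        rows.append((term, text, hits))
    return rows

if __name__ == "__main__":
    for term, text, hits in report():
        print(f"{term!r:6} in {text!r:40} -> {hits}")
```

In this model `.` and `\` count as word boundaries, so `\b` alone still fires on `38.xxx` and `file\xxx`, while `^xxx$` only fires when the scanned string is exactly the term.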
01-22-2016 05:28 AM
Thanks for your help guys. It seems like things have slowed down for all of the false positives now. I'm down to only a handful of emails being quarantined per day now vice several hundred. And they mostly seem to be legitimate catches with the exception of one or two.