Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1378
Views
0
Helpful
6
Replies

Message filter. spf status mailfrom none. Virus repaired messages to quarantine

itinfrastructure
Level 1
Level 1

‎10-27-2015 11:15 AM

Hello i seem to be having an issue whereas the message filter below is not being applied to the incoming listener. Ideally i would want mail that returns a none value from mailfrom  to quarantine. To note i did apply the "SPF Verification" condition to "None" although i didn't realise that this also applies to sender ID aka pra which effectively meant all email was being quarantined which means a message filter was the only option to filter this query. (I have a suspicion that "None" should be "none", will apply the changes and see if that works) 

SPF-mailfrom_none:

if ((recv-listener == "Inbound_Listener") or (recv-int == 'MAIL')) and (spf-status("mailfrom") == "None")

{

quarantine("Policy");

}

.

 

For my second question i want repaired virus infected messages to be quarantined not delivered.

I have "Scan for Viruses only" and "Drop infected attachments if a virus is found" plus including an X-header.

 

For repaired messages i have added a custom header of X-AVRepaired with a value of True, while creating an inbound content filter condition "Other Header" that contains a header value X-AVRepaired to be quarantined.

 

This does not work. I was wondering whether i have the correct condition selected and the header value.

 

Thanks

Mark

Labels:
0 Helpful
6 Replies 6

Mathew Huynh
Cisco Employee
Cisco Employee

‎10-27-2015 10:26 PM

Hey Mark,

Ensure SPF check is done on the mail flow policies for your inbound traffic (generally ACCEPTED)

Once this is enabled.

The filter should take action.

SPF-mailfrom_none:

if ((recv-listener == "Inbound_Listener") or (recv-int == 'MAIL')) and (spf-status("mailfrom") == "None")

{

quarantine("Policy");

}

.

As per second requirement.

You will need to set it to 'scan and repair'

and for repair set it to: Deliver as is

That custom header you have to be added


The content filter you have setup, just check if the header exist (case sensitive).

Then quarantine and it should go to the rightful quarantine.

Regards,

Matthew

0 Helpful

itinfrastructure
Level 1
Level 1
In response to Mathew Huynh

‎10-28-2015 10:58 AM

Appreciate the prompt reply Matthew.

I have made the changes with regards to the repaired messages but the message filter from what you listed is unchanged to what i already had.

All mail flow policies apart from relayed have SPF/SIDF Verification enabled, conformance SIDF Compatible. I currently have an inbound content filter checking for spf-status == "fail,temperror,permerror"  which works correctly.

Curious can both work independently or you either have it configured using content filters or message filters?

0 Helpful

Mathew Huynh
Cisco Employee
Cisco Employee
In response to itinfrastructure

‎10-28-2015 03:59 PM

Yep I did not change your content filter syntax as it was correct from what I would have suggested.

As for the message filter and content filter.

They can both work independently or together depending on your setup.

Just not that if you created a message filter (takes action before the workqueue) you can alter the email accordingly, or action it.


If a message filter uses drop rule, it will happen immediately (it's a final action).

However if you flag an email for a quarantine via message filter, and content filter re-flags it to another quarantine, it will enter the quarantine the content filter flagged it, once released it'll go into the quarantine the message filter flagged.

I hope this helps.

Regards,

Matthew

0 Helpful

itinfrastructure
Level 1
Level 1
In response to Mathew Huynh

‎11-04-2015 10:40 AM

Sorry about this belated reply although if the the message filter is correct why is the rule not applying? It states active from the cli.

Under message tracking emails with a none tagged from mailfrom are still being processed not quarantined.

Under Monitor, Message Filters it states there is no data to show.

Any ideas?

Edit we have two C380's in cluster on revision 9.6.0-051

0 Helpful

Hrvoje (Harry) Dogan
Cisco Employee
Cisco Employee
In response to itinfrastructure

‎11-04-2015 08:18 PM

I'm not sure if "None" is the regular value of spf-status() or just a representation of non-existing status for humans to understand. Try if (spf-status()==""), or try negating all the other valid spf-status values (spf-status() != "fail,temperror,permerror[,...]")

0 Helpful

itinfrastructure
Level 1
Level 1
In response to Hrvoje (Harry) Dogan

‎11-05-2015 01:27 PM

Hi Harry when the below command is run

SPF-mailfrom_none:

if ((recv-listener == "Inbound_mail") and (spf-status("mailfrom") == "")

{

quarantine("Policy");

}

.

An error occurred during processing: spf-status(): '' is an invalid status
list. Valid status values are PermError, None, TempError, Neutral, Pass, Fail,
SoftFail.

So interesting enough it does understand the "None" variable although not as a mailfrom identity. If you use the content filter rule SPF verfication it checks against mailfrom and PRA meaing setting this to "None" literally puts all incoming mail into quarantine since nothing that i have seen so far uses PRA.

0 Helpful
Customers Also Viewed These Support Documents