11-17-2009 11:22 AM
I am after some help.
We are using the RegEx provided by IronPort to do some testing and are scanning all outbound messages using this RegEx.
However we have got forms that go out to customers that by the National Insurance number request field there is an NI Number to show an example (AB123435C). This of course then triggers the content filter and the message is incorrectly stopped.
We want to try and stop this from happening as it is going to cause major issues with false positives. We have thought about adding a rule that if AB123435C "is Not" contained within the message body or attachment, but this would mean that if someone were to email out a completed form that had both the sample NI number and the customer's correct NI number then it would be ignored, which of course is unacceptable.
The only way I can see to do this, is to add to the dictionary (or create a new one) that contains AB123435C with a Minus score that equals the score that the RegEx gives it.
So if the RegEx gives a score of 1, then the AB123435C entry would have to give a score of -1. This would mean that the example NI would be ignored, but any real NI numbers would still be picked up.
The problem is that I don't think there is the feature to give minus scores to dictionary terms. Has anyone else either requested this or have a better idea?
Thanks in advance.
11-17-2009 04:17 PM
Just an idea, cos I haven't played with threshold scoring.
You don't need negative score. According to the manual, you can set "weight" to keywords in dictionary.
All you need is a very big weight difference between the "example-NI" score and the normal NI score.
E.g.
example-ni score is 1.
other regex matched NI is score 9999 (I assume this can be done).
Then your minimum score of the filter rule set to 100 is sufficient to catch any email try to get through by passing the example form. (unless they attached it 100 times).
Once an email is attached with a normal form, they _should_ be caught because 9999 is assigned and > 100.
11-18-2009 02:59 PM
We have thought about adding a rule that if AB123435C "is Not" contained within the message body or attachment,
05-18-2023 12:21 PM - edited 05-26-2023 11:46 AM
Here's an example to illustrate how it works:
^(?!AB123435C)\d+$
In this regex pattern:
^ asserts the start of the string.
(?!AB123435C) is the negative lookahead that excludes the specific pattern "AB123435C".
\d+ matches one or more digits.
$ asserts the end of the string.
Using this pattern, the regex will match any sequence of digits except the exact pattern "AB123435C".
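An added example, not part of any post in this thread: it contrasts the message-level "is Not contained" rule from the first post with excluding the sample value per match, so a completed form carrying both the sample and a real NI number is still caught. The NI pattern is a simplified assumption (two letters, six digits, suffix A-D), not the IronPort-supplied RegEx, the function names are hypothetical, and it uses Python's `re` syntax.

```python
import re

# Sample value printed on the form (taken from the thread).
SAMPLE_NI = "AB123435C"

# Simplified NI number shape (assumption): two letters, six digits, suffix A-D.
NI_PATTERN = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

# Same shape with a negative lookahead placed at each match position,
# so only the sample value itself is skipped.
NI_EXCLUDING_SAMPLE = re.compile(r"\b(?!AB123435C\b)[A-Z]{2}\d{6}[A-D]\b")


def message_level_exclusion(text):
    """Rule from the first post: ignore the whole message if the sample is present."""
    return bool(NI_PATTERN.search(text)) and SAMPLE_NI not in text


def real_ni_numbers(text):
    """Return NI-shaped values in text, dropping only matches equal to the sample."""
    return [m for m in NI_PATTERN.findall(text) if m != SAMPLE_NI]


def should_stop(text, threshold=1):
    """Score one point per non-sample match and compare against the threshold."""
    return len(real_ni_numbers(text)) >= threshold


# Constructed messages for illustration only.
BLANK_FORM = "National Insurance number (e.g. AB123435C): ________"
COMPLETED_FORM = "National Insurance number (e.g. AB123435C): QQ123456A"

if __name__ == "__main__":
    for name, msg in (("blank", BLANK_FORM), ("completed", COMPLETED_FORM)):
        print(name,
              "message-level rule:", message_level_exclusion(msg),
              "per-match rule:", should_stop(msg),
              "lookahead matches:", NI_EXCLUDING_SAMPLE.findall(msg))
```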