quarantine mails that matched 2 or more filters

daro
Level 1

Hello,

We currently have multiple content filters in use that warn the user in the subject line about the content that was found,
something like: {POSSIBLY MALICIOUS ATTACHMENT REMOVED} or {POSSIBLY MALICIOUS URL} and so on.

What we want to do is: if we find two or more of those prepended subject markings, we want to quarantine those mails.

Is there any possible way to accomplish that? I am struggling to find a possible regex line for that...

Do you guys have any idea on that?

Thank you

Best regards
Daniel

Accepted Solution

Libin Varghese
Cisco Employee

Daniel,

You could possibly try testing with two conditions:

subject header contains "POSSIBLY MALICIOUS ATTACHMENT REMOVED"

AND

subject header contains "POSSIBLY MALICIOUS URL"

Action:

Quarantine

You can add multiple conditions using the AND operator; however, with OR the first match wins.

Thank You!

Libin Varghese


7 Replies


Hi Libin,
due to the number of markings we have and the limitation of the content filter, I need to use a regex search in the subject field.

(.*{POSSIBLY MALICIOUS ATTACHMENT REMOVED}|.*{POSSIBLY MALICIOUS ATTACHMENT}|.*{POSSIBLY MALICIOUS URL}|.*{SENDER NOT VERIFIED}){2,}

This one here is working in my lab environment; maybe somebody else wants to configure the same :)

Regards
Daniel

EDIT:
new regex with better matching:
(.*\{(?:POSSIBLY MALICIOUS ATTACHMENT REMOVED|POSSIBLY MALICIOUS ATTACHMENT|POSSIBLY MALICIOUS URL|SENDER NOT VERIFIED)\}){2,}
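As an added example (not part of the thread, and not ESA configuration), the edited regex above run with Python's re module over a few constructed subject lines, with a separate per-marker count for comparison; the sample subjects are made up:

```python
import re

# Daniel's edited regex from the thread, unchanged: a subject matches only when
# two or more of the known tag markers are present.
TWO_OR_MORE_TAGS = re.compile(
    r"(.*\{(?:POSSIBLY MALICIOUS ATTACHMENT REMOVED"
    r"|POSSIBLY MALICIOUS ATTACHMENT"
    r"|POSSIBLY MALICIOUS URL"
    r"|SENDER NOT VERIFIED)\}){2,}"
)

# Same marker set, one marker at a time, used only to count them for reporting.
ONE_TAG = re.compile(
    r"\{(?:POSSIBLY MALICIOUS ATTACHMENT REMOVED|POSSIBLY MALICIOUS ATTACHMENT"
    r"|POSSIBLY MALICIOUS URL|SENDER NOT VERIFIED)\}"
)


def count_tags(subject: str) -> int:
    """Number of filter markers present in the subject."""
    return len(ONE_TAG.findall(subject))


def should_quarantine(subject: str) -> bool:
    """True when the thread's quarantine condition (2 or more markers) holds."""
    return TWO_OR_MORE_TAGS.search(subject) is not None


# Constructed sample subjects (not real mail from the thread).
SAMPLES = [
    "{POSSIBLY MALICIOUS URL} {SENDER NOT VERIFIED} Invoice 4711",
    "{POSSIBLY MALICIOUS ATTACHMENT REMOVED} Quarterly report",
    "Quarterly report",
    "{POSSIBLY MALICIOUS ATTACHMENT} {POSSIBLY MALICIOUS URL} {SENDER NOT VERIFIED} hi",
    # A reply to a previously tagged mail keeps the old markers in its subject,
    # so it is quarantined even if the reply itself is clean: the false-positive
    # risk of markers that can "crop up elsewhere" mentioned later in the thread.
    "Re: {POSSIBLY MALICIOUS URL} {SENDER NOT VERIFIED} Invoice 4711",
]

if __name__ == "__main__":
    for subject in SAMPLES:
        verdict = "quarantine" if should_quarantine(subject) else "deliver"
        print(f"{count_tags(subject)} marker(s) -> {verdict:10} {subject}")
```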

If you want to do true quorum logic, you might try a weighted dictionary. I was thinking of constructing something along those lines using footings rather than subject line tags.

You will need tags that won't crop up elsewhere and cause false positives.

I was going to suggest that, but searching in a subject line doesn't let you check for a match score...

Hello,
I have not yet used a weighted dictionary on the ESA; could you please elaborate on how you meant to accomplish the given task?

Thanks, cheers
Daniel

I suggested footings precisely because a subject line check is less selective, but I never got as far as a working test.

In a weighted dictionary you can have the following phrases:

Target Industry     4
Target Geography    4
Target Job Title    4

Your content rule then has a threshold of 10. If one or two phrases appear in an incoming mail then that's not a problem, but if all three appear then the rule triggers.

The problem with the AsyncOS implementation of dictionaries is that it keeps adding to the score each time a phrase appears, so three references to just one of the phrases will still trigger the rule. In the past I've used rival systems where a phrase counts at its weighting just once no matter how many times it appears, and in my opinion that's much less inclined to give false positives.

Now to carry this forward to quorum logic, I devised the following. I must stress that not only was this never tested, but also that the factors leading to the inclusion of each footing would have been highly idiosyncratic and probably only applicable to our own implementation which I can't discuss in detail. It's provided here solely as food for thought, and in just glancing at what I originally wrote a year ago I can see several weightings that I'd want to change today:

ORG-no-rDNS         7   the sending network does not have a name
ORG-SPF-PASS        0   the sending network is authorised
ORG-SPF-FAIL        9   the sending network is not permitted to send this
ORG-SPF-SOFTFAIL    5   the sending network is not supposed to send this
ORG-SPF-PERMERROR   3   the sender’s authorising record is broken
ORG-SPF-TEMPERROR   3   the sender’s authorising record cannot be clearly read
ORG-no-SPF          2   the sender does not publish an authorising record
ORG-no-SBRS         2   the sending network does not yet have a public reputation
ORG-SBRS-A          0   the sending network has an excellent reputation
ORG-SBRS-B          1   the sending network has a good reputation
ORG-SBRS-C          2   the sending network has an adequate reputation
ORG-SBRS-D          4   the sending network has a weak reputation
ORG-SBRS-E          8   the sending network has a poor reputation
ORG-bounce          2   the recipient response is from a different computer
ORG-old-Office      3   the message contains an older type of Office file
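As an added example (not from the thread, and not how AsyncOS is implemented), the weighted-dictionary scoring described above in Python: the three Target phrases with the posted weights and threshold 10, the cumulative scoring the post attributes to AsyncOS beside the count-once scoring of the rival systems, and a subset of the ORG-* footings to show the quorum idea; the message texts and the ORG threshold of 10 are constructed assumptions:

```python
import re

# Weighted dictionary from the post above (phrase -> weight), threshold 10.
TARGET_DICT = {"Target Industry": 4, "Target Geography": 4, "Target Job Title": 4}
TARGET_THRESHOLD = 10

# A subset of the ORG-* footings from the same post, with the posted weights,
# to show the quorum idea on tags appended by earlier filters.
ORG_DICT = {
    "ORG-no-rDNS": 7,
    "ORG-SPF-SOFTFAIL": 5,
    "ORG-no-SBRS": 2,
    "ORG-SBRS-A": 0,
    "ORG-old-Office": 3,
}
ORG_THRESHOLD = 10   # assumed threshold; the post does not state one


def dictionary_score(text: str, weights: dict, count_once: bool) -> int:
    """Score text against a weighted dictionary.

    count_once=False adds the weight for every occurrence (the AsyncOS
    behaviour described above); count_once=True adds it at most once per
    phrase (the behaviour of the rival systems mentioned).
    """
    total = 0
    for phrase, weight in weights.items():
        hits = len(re.findall(re.escape(phrase), text))
        if hits:
            total += weight if count_once else weight * hits
    return total


def rule_triggers(text: str, weights: dict, threshold: int, count_once: bool) -> bool:
    """True when the dictionary score reaches the content rule's threshold."""
    return dictionary_score(text, weights, count_once) >= threshold


# Constructed message texts (not from the thread).
ALL_THREE = "... Target Industry ... Target Geography ... Target Job Title ..."
TWO_ONLY = "... Target Industry ... Target Geography ..."
ONE_REPEATED = "Target Industry, Target Industry, Target Industry"
FOOTINGS = "body text\n\nORG-no-rDNS\nORG-SPF-SOFTFAIL\nORG-old-Office\n"

if __name__ == "__main__":
    for label, text in [("all three", ALL_THREE), ("two only", TWO_ONLY),
                        ("one phrase x3", ONE_REPEATED)]:
        cum = dictionary_score(text, TARGET_DICT, count_once=False)
        once = dictionary_score(text, TARGET_DICT, count_once=True)
        print(f"{label:14} cumulative={cum:2} once={once:2}")
    print("footings quorum:", rule_triggers(FOOTINGS, ORG_DICT, ORG_THRESHOLD, True))
```

The "one phrase x3" line is the false positive the post describes: cumulative scoring reaches 12 and triggers, count-once scoring stays at 4 and does not.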

Hello,

Thanks for the summary, I do understand now.
The mentioned nature of AsyncOS is quite annoying for that kind of filtering. There is also no threshold for dictionaries on header checks; otherwise we could just append new markings in a header and search for them.

It would be cool to get a condition to check for already applied filters, but maybe we will see that in future releases.

Anyway, thanks for your input.

Cheers
Daniel