Skip action in content filter seemingly not working

cryptochrome
Level 1

Hi,

I have a pretty tough nut to crack here as one of my customers wants to have his spam emails delivered instead of quarantined. Furthermore, they want spam mails attached to a new mail. 

To do this, we set the spam options to "Deliver", added a custom header to spams and created the following content filter:

Spam-Notifiy_Attached: if (header("X-ESA-SPAM")) { notify-copy ("$EnvelopeRecipients", "*****SPAM***** $Subject", "", "SPAM_NOTIFY"); drop(); }

This works pretty fine on its own. It matches on the X-ESA-SPAM header and uses the notify-copy filter action to attach the spam message to a new mail, which is then sent to the recipient. The original mail is dropped.

However, and this is a BIG however:

When a mail arrives that is both spam and viral (contains a virus), the mail is not put into the virus quarantine. Instead, the same content filter matches and sends the viral mail to the recipient. Ouch.

So I set the AV settings to add a custom header to viral emails and created yet another content filter (above the other one):

Skip_Virus_Infected: if (header("X-ESA-VIRUS")) { log-entry("VIRUS"); skip-filters(); }

The idea here is to match mails that contain the X-ESA-VIRUS header (set in AV settings) and then use the skip remaining filters action to prevent that mail from running into the other content filter (that forwards spams as attachments). Or so I hoped.

This isn't working though. Incoming mails that are both spam and viral are still running into the content filter named Spam-Notify_Attached. 

What am I missing here?

Do you have any other ideas to solve this in a more elegant manner? Note that the customer insists on getting spam mails as an attachment in a new mail, so there is no way around this. 

Any help would be massively appreciated.

Thanks!


marc.luescherFRE
Spotlight

Hi there,

you are almost there but need to use the NOT option, which is not available in content filters but in message filters. Replicating what you did so far, I would just try the following:

Filter 1:

Skip_Virus_InfectedCLI: if (header("X-ESA-VIRUS")) { log-entry("VIRUS"); skip-filters(); }

Filter 2:

Spam-Notifiy_AttachedCLI: if (header("X-ESA-SPAM")) AND NOT (header("X-ESA-VIRUS")) { notify-copy ("$EnvelopeRecipients", "*****SPAM***** $Subject", "", "SPAM_NOTIFY"); drop(); }

This should do the trick for you.

I hope that helps

-Marc
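To make the ordering and skip-filters logic concrete, here is a small Python model of the content-filter pipeline. This is an added example, not Cisco ESA code and not Marc's or the original poster's filters. It assumes filters run top to bottom, that skip-filters() ends evaluation of the remaining filters, that drop() suppresses delivery of the original message, and that notify-copy() creates a new mail carrying the original as an attachment; the sample messages and header values are constructed. It runs the ordered pair of presence-matching filters from the question and Marc's AND NOT variant, and goes one step beyond the thread by also showing what happens when the virus filter is ordered last.

```python
"""Toy model of an ordered content-filter pipeline, written to illustrate the
thread above.  Added example, not Cisco ESA code.  Assumptions: filters are
evaluated top to bottom, skip-filters() stops evaluation of the remaining
filters, drop() suppresses delivery of the original message, and notify-copy()
creates a new mail carrying the original as an attachment."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Message = Dict[str, str]          # header name -> header value
Condition = Callable[[Message], bool]


@dataclass
class Outcome:
    """What the pipeline did with one message."""
    log: List[str] = field(default_factory=list)            # log-entry() text
    notify_copies: List[str] = field(default_factory=list)  # subjects of notify-copy() mails
    dropped: bool = False                                   # drop() was executed
    skipped: bool = False                                   # skip-filters() was executed


@dataclass
class Filter:
    name: str
    condition: Condition
    actions: List[str]   # any of "log-entry", "notify-copy", "drop", "skip-filters"


def header_present(name: str) -> Condition:
    """Match on the presence of a header, regardless of its value."""
    return lambda msg: name in msg


def spam_and_not_virus(msg: Message) -> bool:
    """Marc's condition: header("X-ESA-SPAM") AND NOT header("X-ESA-VIRUS")."""
    return "X-ESA-SPAM" in msg and "X-ESA-VIRUS" not in msg


def run_pipeline(filters: List[Filter], msg: Message) -> Outcome:
    """Evaluate filters in order; stop after the first one that skips the rest."""
    out = Outcome()
    for f in filters:
        if not f.condition(msg):
            continue
        for action in f.actions:
            if action == "log-entry":
                out.log.append(f"{f.name}: VIRUS")
            elif action == "notify-copy":
                out.notify_copies.append("*****SPAM***** " + msg.get("Subject", ""))
            elif action == "drop":
                out.dropped = True
            elif action == "skip-filters":
                out.skipped = True
        if out.skipped:          # remaining filters are not evaluated
            break
    return out


# The two filters from the question, matching on header presence.
SKIP_VIRUS = Filter("Skip_Virus_Infected", header_present("X-ESA-VIRUS"),
                    ["log-entry", "skip-filters"])
SPAM_ATTACH = Filter("Spam-Notify_Attached", header_present("X-ESA-SPAM"),
                     ["notify-copy", "drop"])
# Marc's variant: the spam filter itself excludes viral mail, so it no longer
# depends on the virus filter being evaluated first.
SPAM_ATTACH_NOT_VIRUS = Filter("Spam-Notify_Attached", spam_and_not_virus,
                               ["notify-copy", "drop"])

# Constructed sample messages; header values are arbitrary.
SPAM_ONLY: Message = {"Subject": "cheap pills", "X-ESA-SPAM": "yes"}
SPAM_AND_VIRUS: Message = {"Subject": "invoice.zip", "X-ESA-SPAM": "yes", "X-ESA-VIRUS": "yes"}
CLEAN: Message = {"Subject": "minutes"}


def forwarded_as_attachment(filters: List[Filter], msg: Message) -> bool:
    """True if the pipeline would send the message to recipients as an attachment."""
    return bool(run_pipeline(filters, msg).notify_copies)


if __name__ == "__main__":
    orders = [("virus filter first", [SKIP_VIRUS, SPAM_ATTACH]),
              ("virus filter last", [SPAM_ATTACH, SKIP_VIRUS]),
              ("AND NOT variant, virus filter last", [SPAM_ATTACH_NOT_VIRUS, SKIP_VIRUS])]
    for label, order in orders:
        print(f"{label}: spam+virus forwarded = {forwarded_as_attachment(order, SPAM_AND_VIRUS)}")
```

The model makes the dependency visible: with presence matching and the virus filter first, a spam+virus mail is logged and never reaches the notify-copy filter, but if the order is reversed the viral mail is forwarded before skip-filters() is ever reached. Marc's AND NOT condition removes that ordering dependency, which is the safer shape for a rule whose failure mode is delivering malware.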

Hey Marc,

thank you. That looks pretty interesting. I haven't thought about Message Filters, as I was under the impression that Message Filters are applied before mails enter the work queue (so before Virus and Spam Filtering occur). I am going to give that a try, thank you! :)

Some definitions:

Content Filters

Content Filters support a subset of the rules and actions used by Message Filters. Content Filters include all of the rules and actions needed in order to identify and act upon the content of a message, and they are easy to configure in the GUI.

Message Filters

Message Filters are more flexible and give access to the metadata of a message, such as the receiving listener, the sender IP, the SenderBase reputation score of the sender, the number of recipients in the message, the size of the message or attachments. A subset of the metadata is available in Content Filters as well. Message Filters are applied as the first Policy processing step in the ESA email pipeline. When a Message Filter is applied, its actions apply to all recipients of the message. This means that, if the action is Drop, then no recipient receives the message, even if the rule that matched the message matched only one recipient.

Then I was right though, I believe? If Message filters are the first step in the work queue, then they are applied before the mail reaches Spam and AV scanners. So the message filters don't have a verdict from those scanners that they could act on. 

Unless I completely misunderstand the flow through the pipeline...?

I think I found an issue with my setup though and I was able to get it to work with Content Filters. The Content Filter was matching on the *value* of the custom header I set. This did not seem to work. I am now only matching for the presence of the header, and that works. 

Happy it worked, the challenge with message filters is that with the use of the splintering function you can re-insert a message after it was processed by the pipeline.

I will still test when I have some time.