
Subject Header Filter Will Not Work

webabc123
Level 1

I want to create an outgoing content filter for AsyncOS 8.5.6 that will automatically encrypt any message containing confidential in the subject, and it is to be case-insensitive. To test it, I created a mail policy that only has a few email addresses in it besides the one I'm testing.

It works if I alter the filter to look for the word confidential in the body of the message instead, but if I try to filter by subject, the message is sent unencrypted.

This is what the filter looks like.  I can't understand why it won't work.  I tried (?I) instead of (?i) and it won't let me save it.

 

 


Robert Sherwin
Cisco Employee

Did you review this TechNote for assistance?

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117863-configure-esa-00.html

Attaching my encryption notes as well...

1) Create a content filter under Mail Policies -> Incoming Content Filters -OR- Outgoing Content Filters, with the following properties:

Condition:

Subject Header: Contains: (?i)\[SEND SECURE\] -OR- (?i)\[encrypt\] -OR- (?i)\[keyword of choice\]

Action:

Encrypt and Deliver

* Q: Why does the output reflect as “\\”? You will need to have the line written as: (?i)\[SEND SECURE\]

This will AUTOMATICALLY convert to show as: subject == "(?i)\\[SEND SECURE\\]"

* Q: What does (?i) do? Case insensitivity. Allows for “[SEND SECURE]”, “[send secure]”, “[SeNd SeCuRe]”, etc.

2) Enable the new content filter for all relevant policies under Mail Policies -> Outgoing Mail Policies

3) Submit/Commit the changes

It looks like that's what I have done already and it will not work.  I am using the text "confidential" in the subject to filter on and it isn't working.

Isn't the screenshot I posted showing that?

I know the rest must be set up correctly since, if I change the filter to look for the text "confidential" in the body instead of subject, it works.

What does message tracking show for the mails that you have tagged? Are they being processed as IN or OUT --- and, do you have the content filter on the right Mail Policy?

-Robert 

Your screenshot shows you want "[confidential]"   (minus the quotes).

If you're not using the brackets ([]) it fails the test.

If you just want the word to fire the action try this:

 

 

OK,  All the examples I found had the brackets.  So, I thought the brackets were part of the requirements.

After removing the brackets and slashes, it worked.

:-) cool - yea - for simplicity's sake - usually we like to see a "tag" in the subject line - and it's easier sometimes for end-user education to do [SEND SECURE] $subject for people to understand --- also, using the []'s gives you a clear-cut "this is to be secure" vs. someone who is just nonchalant in typing "I got this confidential email" as their subject --- which then would trip the encryption aspect inadvertently.

 

That is the only reason, per my notes and supportability, that I prefer the [TAG] aspect. But - each customer is their own, and allowed to implement as they see fit.

-Robert 
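The difference between the bracketed tag pattern and the bare keyword pattern discussed in this thread, as an added example that is not part of the original posts. It uses Python's `re` module as a stand-in for the appliance's matcher and assumes "Contains" behaves as an unanchored search; the sample subjects and the helper names are constructed for illustration.

```python
import re

# Patterns as typed into the "Subject Header: Contains" field (from the thread).
TAG_PATTERN = r"(?i)\[confidential\]"   # requires the literal brackets
WORD_PATTERN = r"(?i)confidential"      # bare keyword, any case

# Constructed sample subjects, not taken from real mail.
SUBJECTS = [
    "confidential",
    "Q3 CONFIDENTIAL forecast",
    "[Confidential] Q3 forecast",
    "I got this confidential email",
    "Lunch on Friday",
]


def is_valid(pattern):
    """Return True if the pattern compiles, as a save-time check would require."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def fires(pattern, subject):
    """Model 'Contains' as an unanchored search anywhere in the subject (assumption)."""
    return re.search(pattern, subject) is not None


def matrix(patterns, subjects):
    """Map each subject to the list of patterns that would trigger encryption."""
    return {s: [p for p in patterns if fires(p, s)] for s in subjects}


if __name__ == "__main__":
    for subject, hits in matrix([TAG_PATTERN, WORD_PATTERN], SUBJECTS).items():
        print(f"{subject!r:35} -> {hits or 'sent unencrypted'}")
    # Uppercase I is not an inline flag in this regex dialect, so it fails to compile.
    print("(?I)confidential valid:", is_valid("(?I)confidential"))
```

The bare keyword also fires on "I got this confidential email", which is the inadvertent trigger described in the reply above; the bracketed tag does not.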

I have a similar problem. I want to differentiate some alerts sent by an appliance, by the subnet that's generating the alert, so that if the alert comes from, let's say, 172.29.10.0/24 I want some recipients to receive the e-mails, but if the subnet is 172.29.20.0/24 I want ESA to modify the recipient and send it to other recipients. The IP addresses are in the message body of the e-mail sent to the ESA.

 

I added a content filter which looks into the mail body for a specific expression: only-body-contains("Computer IP: 172.29.10.", 1) and if it matches the condition it should take action to change the recipient and send it further.

 

But somehow it doesn't work.

What did I do wrong? What am I missing?

 

Thanks!

Ionut