I've found that my issue is that from the CLI I'm configuring a specific device, from the gui where my whitelist sits, I'm configuring the cluster.  In this case I don't see how to do a whitelist in the cli for a device and I've been unable to successfully create this flter in the gui for the cluster.

The version of AsyncOS is 7.6.2-014

Here is one of the cli/device filters:

Form-phishing: if body-contains("(?i)(?:http?|https?)://[^\\s\"]+viewform", 1)

{

                   notify-copy ("admin@co.com ", "Ironport Phishing-Viewform");

                   drop();

}

When in the CLI, you need to be in cluster mode.  From the prompt, type "clustermode" and select the configuration mode for the subsequent changes.

Hope that helps.

Hello The Messenger,

the message filters (the ones you create on the CLI) are located before the mail policies, a message will pass them right auf injection. Thus you cannot whitelist those filters in your content filter, which come much later in the mail process. My question now would be what the reason is why you are using message filters (CLI) after all? The reason why I ask is because the sampe filter you are showing does not use a specific message filter feature, thus could be implemented in the GUI (content filters) as well.

Regards,

Andreas

This is what I thought to be true.  The reason the filter is in the cli is that I wasn't able to get it to work in the GUI.  I'm going to look at that again now.

So, what am I doing wrong here?

To create this filter in the web interface I create new filter, select Add Condition, Message Body and past

"(?i)(?:http?|https?)://[^\\s\"]+viewform", the system adds quotes and \, to be this;

only-body-contains("\"(?i)(?:http?|https?)://[^\\\\s\\\"]+viewform\"", 1).

The filter does not drop links with viewform in them.