Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2078
Views
0
Helpful
2
Replies

IronPort content filter processing on missing Other Headers

Go to solution
Conlan
Level 1
Level 1

‎03-20-2022 07:27 PM - edited ‎03-20-2022 07:31 PM

Hi all.

 

I’m looking for some guidance on better understanding how an IronPort content filter will process a Other Header when it is not present or missing in a message.

 

I’m new to the IronPort devices and busy becoming familiar with them.

 

I cannot seem to find anything in my searches, so I am hoping someone can point me in the right direction. It may be because I am not very familiar with these devices and have not used the correct search terms.

 

I am busy reading through the Administrators guide as well:

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01010.html

 

but so far no joy.

 

I will continue to look, but in the mean time also posting in this forum.

 

My question is:

 

How does a content filter act on a message in a scenario where it looks for a specific Other Header, but the Other Header does not exist or is missing?

 

Example below:

 

 

Content filer name: Check_For_Email_Footer

Conditions:

Apply Rule: Only if all conditions match

 

Condition 1 [check sender is not test@example.com]:

Envelope Sender: mail-from != “^test@example.com$

 

 

Condition 2 [check for Other Header called Footer_Exists with a value of not true]:

Other Header

Header name: Footer_Exists

Rule 1: header(“Footer_Exists”) != “^true$”

 

 

Actions [add a disclaimer footer to the message]:

Action: Add Disclaimer Text

Rule: add-footer(“Email_Footer”)

 

 

From my research, if a message from user@example.com contains the Other Header Footer_Exists with a value of anything other than “true”, the Add Disclaimer Text Email_Footer action will be applied to the message based on the content filters Apply Rule setting.

 

In this case all the conditions matched, so the Action Add Disclaimer Text Email-Footer action was performed on the message.

 

What happens to a message sent from user@example.com which is missing the Other Header Footer_Exists?

 

The content filter will match on condition 1, but what happens when it tests condition 2?

 

Condition 2 checks for the Other Header, but when it is unable to find it, will the check return a “no-match” and not perform the Add Disclaimer Text Email_Footer action on the message?

 

In this case, not all the condition checks return a match, so the Add Disclaimer Text Email_Footer action is not applied to the message based on the content filters Apply Rule setting.

 

 

OR

 

Condition check 1 returns a match.

 

Condition 2 check: cannot find the Other Header Footer_Exists, so ignores this check because it cannot perform an evaluation, and performs the Add Disclaimer Text Email_Footer action.

 

In this case only condition check 1 was able to be evaluated, returning a “match”. Condition 2 check was ignored because an evaluation could not be made because there was no Other Header Footer_Exists . All conditions that were able to be evaluated were a match, so the Add Disclaimer Text Email_Footer action is applied to the message based on the content filters Apply Rule setting.

 

OR

 

Is there a different way that the content filter is evaluated that is not the same as I have outlined above?

 

My goal here is to better understand the processing of the content filters in scenarios such as this.

 

Thanks for your time.

 

Best regards.

 

Conlan.

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ken Stieers
VIP
VIP

‎03-21-2022 06:25 AM

Hey Conlan, 

FYI, you posted this to Web Security, and you probably wanted it in Email security. 

 

I honestly don't remember if it stops processing when it hits a condition that makes the whole thing evaluate to true, or if it processes them all first and then figures it out...

 

I do know that if the second condition, where you're testing a header, and the header doesn't exist is going to evaluate to false... e.g. can't prove your test is true, so it must be false. 

 

So if you're requiring that all conditions match, they won't, and the header won't be added. 

 

 

 

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Ken Stieers
VIP
VIP

‎03-21-2022 06:25 AM

Hey Conlan, 

FYI, you posted this to Web Security, and you probably wanted it in Email security. 

 

I honestly don't remember if it stops processing when it hits a condition that makes the whole thing evaluate to true, or if it processes them all first and then figures it out...

 

I do know that if the second condition, where you're testing a header, and the header doesn't exist is going to evaluate to false... e.g. can't prove your test is true, so it must be false. 

 

So if you're requiring that all conditions match, they won't, and the header won't be added. 

 

 

 

 

0 Helpful

Go to solution
Conlan
Level 1
Level 1

‎03-21-2022 02:48 PM

Thanks Ken

 

In a way, that makes sense to me. Almost as if there is an implicit "False" on any condition that cannot be tested or evaluated for some reason.

 

I must confess, I did not consider the e-mail forum. My thought process was along the lines of the IronPort name and ESA [E-mail Security Appliance] sounded like security to me. Next time I'll post there

 

Best regards.

 

Conlan.

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents