
Message filters vs Content Filters

kluu_ironport
Level 2

Differences:

1. Message filters occur earlier in the email pipeline than content filters. Message filters occur before the email goes into the workqueue. The content filters occur inside the workqueue.

2. Message filters are currently only administered from the command line. Content filters can be administered from both the CLI and the GUI interface, however, the GUI interface is the recommended method.

3. Content filters have an inbound and an outbound set of content filters, depending upon the direction of the message. That is, whether it's a relayed email (outgoing content filters) or inbound mail (inbound content filters). Message filters, on the other hand, are automatically applied to both inbound and outgoing traffic, unless you lock it down to a specific listener. If you only have one listener, you may need to differentiate your flow of traffic by sendergroups or something else.

4. Message filters and content filters can pretty much have the same conditions and actions. However, message filters allow for if-else conditions, so they are more robust.

5. You can use message and content filters in unison. For example, use a message filter to insert a custom header that your content filter can key off of. However, this does not work the other way around. You cannot insert a custom header in the content filter and have the message filter key off of that info. Due to the way the email pipeline is set up, message filters come first, then content filters.

6. Ease of use: content filters are a bit more intuitive and user-friendly. Message filters are more advanced, so they have a bigger learning curve.

7. Content filters used with customized incoming or outgoing mail policies allow you to splinter messages. Splintering messages allows you to split messages up by recipients. Message filters don't allow splintering and are applied to the entire message.

AsyncOS User Guide: Content Filters Overview

https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_User_Guide/AsyncOS_4.6_User_Guide-12-3.html

AsyncOS User Guide: Message Filters

https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_Adv_User_Guide/AsyncOS_4.6_Adv_User_Guide-09-2.html

AsyncOS User Guide: Email Pipeline

https://support.ironport.com/docs/c_series/4.6/HTML_4.6_Compilation/AsyncOS_4.6_User_Guide/AsyncOS_4.6_User_Guide-09-2.html


Doc_ironport
Level 1

You've missed one of the biggest differences...

Message filters act on a _message_. Content filters act on a message/recipient pair.

If a message is only going to a single person then there's not any difference, but if a message is addressed to multiple people then the message filter will take the same action for all recipients, whilst the content filter will split ("splinter") the one message into multiple messages, with one (or possibly more) recipients each, and then act on each individually.

kluu_ironport
Level 2

Actually, I just did a test on this and your point is half correct.

It's not the content filter that does the splintering, it's either the incoming or outgoing mail policy that does the splintering.

For example, if you only have one Default outgoing policy and an outgoing content filter that drops the mail if the destination is @yahoo.com.

If you sent in a test email with two recipients: jsmith@yahoo.com and bstone@gmail.com

Then the entire message would get dropped since there was only one Default outgoing policy.

--------------

However, you can allow for splintering if you had additional custom policies.

For example,

1. gmail-recipients
2. yahoo-recipients
3. Default policy

In that case, your test email would split into two separate emails and then you could have the content filters apply to each separately.

------------------

You are correct that message filters apply to the entire message and do not allow for message splintering.

However, with content filtering, message splintering is only applicable if you have an additional custom policy, either inbound or outgoing.

So, in addition to the requirement of multiple recipients, you also need multiple policies, otherwise, having multiple recipients and only one Default policy will affect the entire message also.


Thanks for the attention to detail.


kluu_ironport
Level 2

By the way, I've updated the message filters vs content filters differences with an additional point.

7. Content filters used with customized incoming or outgoing mail policies allow you to splinter messages. Splintering messages allows you to split messages up by recipients. Message filters don't allow splintering and are applied to the entire message.
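
The splintering behaviour discussed in the posts above, as an added example that is not part of the original thread and is not AsyncOS code. It is a simplified Python model that assumes policies are matched on recipient domain with the first match winning; the function names are hypothetical, and the policy names and test recipients are the ones from the thread.

```python
from collections import defaultdict

def match_policy(rcpt, policies):
    """Return the first policy whose domain set contains the recipient's domain."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for name, domains in policies:
        if domain in domains:
            return name
    return "Default"  # catch-all policy, always present

def splinter(recipients, policies):
    """Group recipients by matching policy; each group is one splintered copy."""
    copies = defaultdict(list)
    for rcpt in recipients:
        copies[match_policy(rcpt, policies)].append(rcpt)
    return dict(copies)

def drop_if_yahoo(recipients):
    """Filter condition from the thread: drop if any recipient is @yahoo.com."""
    return any(r.lower().endswith("@yahoo.com") for r in recipients)

def message_filter_stage(recipients, should_drop):
    """Message filter: one verdict for the whole message, all recipients."""
    return [] if should_drop(recipients) else sorted(recipients)

def content_filter_stage(recipients, policies, should_drop):
    """Content filter: one verdict per splintered copy of the message."""
    delivered = []
    for rcpts in splinter(recipients, policies).values():
        if not should_drop(rcpts):
            delivered.extend(rcpts)
    return sorted(delivered)

# Test message and policy sets taken from the thread's example.
RCPTS = ["jsmith@yahoo.com", "bstone@gmail.com"]
DEFAULT_ONLY = []  # no custom policies: everything lands in Default
CUSTOM = [("gmail-recipients", {"gmail.com"}),
          ("yahoo-recipients", {"yahoo.com"})]

if __name__ == "__main__":
    print("message filter:       ", message_filter_stage(RCPTS, drop_if_yahoo))
    print("content, Default only:", content_filter_stage(RCPTS, DEFAULT_ONLY, drop_if_yahoo))
    print("content, custom:      ", content_filter_stage(RCPTS, CUSTOM, drop_if_yahoo))
```

With only the Default policy the content filter sees both recipients in one copy and the drop takes out the whole message; with the custom policies only the Yahoo copy is dropped.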

Donald Nash
Level 3

"Message filters occur before the email goes into the workqueue."

That's not what the documentation says. Message filters happen in the work queue, after LDAP processing but before anything else. Content filters happen near the end of the work queue, with only VOF remaining.

A consequence of this difference is that message filters can affect anti-spam and anti-virus filtering, while content filters cannot.

"4. Message filters and content filters can pretty much have the same conditions and actions. However, message filters allow for if-else conditions, so they are more robust."

Message filters also allow arbitrary boolean expressions in their conditions, while content filters are limited to "any condition matches" or "all conditions match".

shannon.hagan
Level 1

Another difference - you can get reports on content filters but not message filters :-(

Erich_ironport
Level 1

I would have to disagree with the "pretty much" part of #4...

"4. Message filters and content filters can pretty much have the same conditions and actions. However, message filters allow for if-else conditions, so they are more robust."

I would change it to the following and include Don's comment.

4. Content filters have a subset of the most commonly used conditions and actions available in message filters. Message filters allow for if-else conditions and arbitrary Boolean expressions in their conditions, while content filters are limited to "any condition matches" or "all conditions match".

- Erich

jhead_ironport
Level 1

You talk about being able to splinter a message but how is it actually configured?

I need to splinter BCC messages but I do not see any way of doing that with a Content Filter or Policy?

kluu_ironport
Level 2

Splintering a BCC is difficult because the BCC field doesn't exist or show up in the Internet headers.

For example, let's say you compose a birthday invitation to 100 of your friends and add everyone in the BCC field except for your own email address, which you add to the To: field.

When it arrives on the ESA machine, you see all 100 people in the rcpt-to field but when you examine the Internet headers, only the To: field shows up.

The only way you could get a definitive count or list of who's in the BCC field is if you can compare all the rcpt-to (envelope recipients) to the To/CC field found in the Internet header, and I don't think the AsyncOS can differentiate that.

Here's an example of what I mean by splintering:

If you send an email to a friend at Yahoo and a friend at Gmail.

You can have a content filter/outgoing mail policy that adds a unique footer to Yahoo and a different footer to Gmail.

jhead_ironport
Level 1

I kind of thought it would be difficult to accomplish.

What I am facing is one of the groups at our company sends out an email and BCCs everyone. They do this because it is to our clients and they want to keep the addresses hidden from other clients for privacy reasons.

I understand there is no standard for splintering BCC messages but I was hoping there was a way to accomplish this with the IronPort.

kluu_ironport
Level 2

Yeah, it's difficult to differentiate between the header("To/CC") field and the rcpt-to fields.

One thing you can do is this:

Let's say for example you're sending out a birthday invitation to 100 people, but only list a single email in the header('To') field.

The 100 people should be found in this variable: $EnvelopeRecipients

The person in the To field, should be stored in the header('To') field.

Though that info is there, the AsyncOS is currently not able to do a comparison between those two variables. You can try to store in a notification email and see if you can make use of it.

Good luck.
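
The envelope-versus-header comparison described in the posts above, done outside the appliance, as an added example that is not part of the original thread. It assumes you have already captured the envelope recipient list and the raw message headers (for instance from a notification, as suggested above); the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def header_recipients(raw_message):
    """Addresses visible in the To and Cc headers, lower-cased."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    # getaddresses handles display names, quoting and comma-separated lists.
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def normalize(rcpt):
    """Strip SMTP angle brackets and whitespace from an envelope address."""
    return rcpt.strip().strip("<>").lower()

def hidden_recipients(envelope_rcpts, raw_message):
    """Envelope recipients that appear in neither To nor Cc (i.e. BCC'd)."""
    visible = header_recipients(raw_message)
    return sorted({normalize(r) for r in envelope_rcpts} - visible)

# Constructed sample: one visible To, one visible Cc, two BCC'd clients.
RAW = (
    'From: sender@example.com\r\n'
    'To: "Party Host" <Host@Example.com>\r\n'
    'Cc: friend@example.net\r\n'
    'Subject: Birthday invitation\r\n'
    '\r\n'
    'See you there.\r\n'
)
ENVELOPE = [
    "<host@example.com>",
    "friend@example.net",
    "<client1@example.org>",
    "Client2@example.org",
]

if __name__ == "__main__":
    print("header recipients:", sorted(header_recipients(RAW)))
    print("hidden (BCC):     ", hidden_recipients(ENVELOPE, RAW))
```

Lower-casing the whole address treats local parts as case-insensitive, which matches how most mail systems behave but is an assumption of this example.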

Jason Meyer
Level 1

This conversation thread is GREAT. I bow down to the knowledge held by these IronPort Nation VIPs! Long live the nation!