
Confusion about Message filter and Content filter

I have a message filter that does a quarantine action:

badbody: if body-dictionary-match("badbody", 1) {
quarantine ("Policy");
deliver();
}


I also wrote a content filter 'good' to see what spam is missed by Ironport Antispam:
 Conditions (only if all conditions match):
header("X-IronPort-Quarantine") != "^Policy$"
header("X-Spam-flag") != "^(?i)YES$"

Action:
duplicate-quarantine ("good")
deliver()



I think these two rules could not both occur, because the filter badbody had sent the spam to quarantine 'Policy',
so it is not possible to duplicate it to quarantine 'good'.
But it happens:

Tue Jun 17 18:52:55 2008 Info: New SMTP ICID 26146919 interface InNet (10.68.2.161) address 61.135.132.136 reverse dns host websmtp.sohu.com verified no
Tue Jun 17 18:52:55 2008 Info: ICID 26146919 ACCEPT SG ICP match .sohu.com SBRS 5.5
Tue Jun 17 18:52:55 2008 Info: Start MID 10698519 ICID 26146919
Tue Jun 17 18:52:55 2008 Info: MID 10698519 ICID 26146919 From: <mia_kma3998>
Tue Jun 17 18:52:55 2008 Info: MID 10698519 ICID 26146919 RID 0 To: <swordhuihui>
Tue Jun 17 18:52:55 2008 Info: MID 10698519 Message-ID '<10849536>'
Tue Jun 17 18:52:55 2008 Info: MID 10698519 Subject '=?GB2312?B?1Pa807z7zsU=?='
Tue Jun 17 18:52:55 2008 Info: MID 10698519 ready 1452582 bytes from <mia_kma3998>
Tue Jun 17 18:52:56 2008 Info: MID 10698519 matched all recipients for per-recipient policy DEFAULT in the inbound table
Tue Jun 17 18:52:56 2008 Info: MID 10698519 was too big (1452582/102400) for scanning by CASE
Tue Jun 17 18:52:56 2008 Info: Start MID 10698528 ICID 0
Tue Jun 17 18:52:56 2008 Info: MID 10698528 was generated based on MID 10698519 by duplicate-quarantine filter 'good'
Tue Jun 17 18:52:56 2008 Info: MID 10698528 ICID 0 From: <mia_kma3998>
Tue Jun 17 18:52:56 2008 Info: MID 10698528 ICID 0 RID 0 To: <swordhuihui>
Tue Jun 17 18:52:56 2008 Info: MID 10698528 ready 1452584 bytes from <mia_kma3998>
Tue Jun 17 18:52:56 2008 Info: MID 10698528 quarantined to "good" (duplicated by content filter:good)
Tue Jun 17 18:52:56 2008 Info: MID 10698519 quarantined to "Policy" (message filter:flg1)
Tue Jun 17 18:52:59 2008 Info: ICID 26146919 close

The log shows the quarantine action of the message filter taking effect after the content filter action. I'm quite confused.
Any suggestions?


kluu_ironport
Level 2

The original message was marked to go to the "Policy" system quarantine via the message filter. However, that message continues through the email pipeline. If no other action affects that message (i.e. dropped by Sophos anti-virus), then the system will move the message to the "Policy" quarantine as originally marked.

However, in your case, the message was marked to be sent to the "Policy" system quarantine, and then it matched your content filter and did two things:

1. spawned a copy of the original message and sent this new one to the "good" system quarantine. (see MID 10698528)

2. the original copy was left alone and this one was sent to the "Policy" quarantine. If you had a drop() action, then it would have gotten dropped and you would have been left with the single copy from #1 (see MID 10698519)


What was the intended behavior you were trying to achieve?


Here are some references that may help:

1. Where can I see a diagram of the IronPort email pipeline?

You can find a diagram of the queue sequence if you click on the Help
link in the top right of the web interface - it takes a while for it to
load. Find the section "Understanding the Email Pipeline" and then
under that "Overview: Email Pipeline".

Thanks a lot, kluu

I took it for granted that the message filter always acts before the content filter. Now I see.
Thanks very much. I rewrote the message filter; it seems OK now:

badbody: if body-dictionary-match("badbody", 1) {
insert-header("X-IronPort-Quarantine", "Policy");
insert-header("X-Spam-flag", "YES");
skip-spamcheck();
deliver();
}
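
Added example (not part of the thread and not IronPort code): a small Python check over the mail log lines quoted in the question. It links each duplicate-quarantine copy back to its original MID and reports originals that ended up in more than one quarantine. The function names trace and double_quarantined are hypothetical, and the regexes assume the two log line formats shown in the question.

```python
import re
from collections import defaultdict

# Log lines copied from the question above (only the lines the check needs).
SAMPLE_LOG = """\
Tue Jun 17 18:52:55 2008 Info: Start MID 10698519 ICID 26146919
Tue Jun 17 18:52:56 2008 Info: MID 10698519 was too big (1452582/102400) for scanning by CASE
Tue Jun 17 18:52:56 2008 Info: Start MID 10698528 ICID 0
Tue Jun 17 18:52:56 2008 Info: MID 10698528 was generated based on MID 10698519 by duplicate-quarantine filter 'good'
Tue Jun 17 18:52:56 2008 Info: MID 10698528 quarantined to "good" (duplicated by content filter:good)
Tue Jun 17 18:52:56 2008 Info: MID 10698519 quarantined to "Policy" (message filter:flg1)
"""

GENERATED = re.compile(
    r"MID (\d+) was generated based on MID (\d+) by (\S+) filter '([^']+)'")
QUARANTINED = re.compile(r'MID (\d+) quarantined to "([^"]+)" \((.+)\)')


def trace(log_text):
    """Return (parent_of, events): copy lineage and quarantine events in log order."""
    parent_of, events = {}, []
    for line in log_text.splitlines():
        m = GENERATED.search(line)
        if m:
            parent_of[m.group(1)] = m.group(2)  # copy MID -> original MID
            continue
        m = QUARANTINED.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return parent_of, events


def double_quarantined(log_text):
    """Map each original MID to its (MID, quarantine) pairs when they span
    more than one quarantine, counting copies spawned from it."""
    parent_of, events = trace(log_text)
    held = defaultdict(set)
    for mid, quarantine, _reason in events:
        root = mid
        while root in parent_of:  # walk a copy back to the original message
            root = parent_of[root]
        held[root].add((mid, quarantine))
    return {root: sorted(pairs) for root, pairs in held.items()
            if len({q for _, q in pairs}) > 1}


if __name__ == "__main__":
    for root, pairs in double_quarantined(SAMPLE_LOG).items():
        print(root, pairs)
```

On the sample, the copy's quarantine to "good" is logged before the original's quarantine to "Policy", which matches the ordering described in the reply above.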
