Message Filter Help

Unanswered Question
Jun 25th, 2008

Guys

I need some help setting up a message filter.

I work for a global company, but manage the IronPort appliances for the UK, which process all the emails for our UK-based companies.

Emails coming to the staff within our company, however, are routed through a number of appliances in our head office. Our head office processes mail for our company all over the world, and hence, due to the various different laws regarding stopping and deleting of e-mails, the configuration of those IronPorts is fairly open.

I can't get visibility of the exact configuration of their IronPorts, but I know that the HAT limit for discarding connections based on the SBRS is set to at least <-4, and the CASE engine is on, but only scanning for Positive Spam and not Suspect Spam.

Therefore, as you can imagine, we have an issue with spam messages getting into our mailboxes.

Therefore I want to set up a message filter something along the following lines:

Head Office Spam
If recv-listener == "IncomingMail" AND (Mail-from == "*out\\.company\\.internal") (Where out.company.internal is the partial hostname of the head office MTA's)
{
if (Header("X-IronPort-SBRS:")=="<-2.6";
Quarantine("HUB Tagged Spam")
}
else
{
deliver()
}
.

Message Filters are not my strong point, therefore can someone please take a look and tell me if I am on the right track, or am going to cause major problems.

Thanks in advance.

kluu_ironport Wed, 06/25/2008 - 20:08

I tested the one below and it worked for my system.

By the way, I added the hyphen (-) in place of the spaces because the system only allows for _ (underscores) or - (hyphens, dashes).

Also, for this entry:

mail-from == "*out\\.company\\.internal$"

Instead of *.out.company.internal, I had it look to see if the mail-from ended with that domain using the "$" regular expression, which means "ends with". The Advanced User guide provides detail on this.

If you look at the Advanced User guide, the Policy Enforcement -> Filters section, there is a wealth of information and examples on message filters. The Advanced User Guide PDF can be downloaded from the Support Portal in the Email section.

Also, if you need to test this, I would suggest using the Trace tool from the GUI interface (System Administration > Trace).

Then you can do a test run to see how the message filters would match and what would happen to the email if it actually went through the system.



Head-Office-Spam:
if (recv-listener == "IncomingMail") AND (mail-from == "out\\.company\\.internal$")
{
    if (reputation < -2.6 )
    {
        quarantine("HUB-Tagged-Spam");
    }
    else
    {
        deliver();
    }
}
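
A small Python model of the decision logic in the filter above, added here as an example; it is not part of the original thread and is not AsyncOS code. It shows what the trailing "$" changes and how the -2.6 boundary and a missing score behave. The message fields, the sample addresses and the treatment of a missing score as "no match" are assumptions.

```python
import re

# Regex from the reply's filter; "\\." in filter syntax is a literal dot.
ANCHORED = re.compile(r"out\.company\.internal$")
# Same pattern without "$", to show what the anchor adds.
UNANCHORED = re.compile(r"out\.company\.internal")
LISTENER = "IncomingMail"
THRESHOLD = -2.6

def parse_score(value):
    """Return the score as a float, or None when absent or non-numeric."""
    try:
        return float(value.strip())
    except (AttributeError, ValueError):
        return None

def decide(msg, pattern=ANCHORED):
    """Return 'no-match', 'quarantine' or 'deliver' for one message."""
    if msg["listener"] != LISTENER or not pattern.search(msg["mail_from"]):
        return "no-match"  # outer condition false: filter takes no action
    score = parse_score(msg.get("sbrs"))
    # Assumption: a missing score never satisfies "< -2.6".
    if score is not None and score < THRESHOLD:
        return "quarantine"
    return "deliver"

# Constructed sample messages (not real traffic).
SAMPLES = [
    {"listener": "IncomingMail", "mail_from": "relay@mta1.out.company.internal", "sbrs": "-3.1"},
    {"listener": "IncomingMail", "mail_from": "relay@mta1.out.company.internal", "sbrs": "-2.6"},
    {"listener": "IncomingMail", "mail_from": "relay@mta2.out.company.internal", "sbrs": "None"},
    {"listener": "IncomingMail", "mail_from": "relay@out.company.internal.example.net", "sbrs": "-5.0"},
    {"listener": "OutgoingMail", "mail_from": "relay@mta1.out.company.internal", "sbrs": "-9.0"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["mail_from"], m["sbrs"], decide(m), decide(m, UNANCHORED))
```

The fourth sample is the one the anchor matters for: without "$" a sender address that merely contains the head office hostname is treated as head office mail.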
