Add a content filter to "Spam Quarantine" or allow users in extra quarantine

Answered Question
Aug 6th, 2010

I hope the title covers what I want.

I'll explain a bit more though.

I have a list of keywords I want to block and quarantine.

So I made a dictionary, added a Content filter to add the list to and action it to put it in a quarantine.

BUT, the only Quarantine I can select is a quarantine I added myself.

My users cannot log into this quarantine

So how can I allow my users to see inside this quarantine or how can I make this filter put it's mails in the default "Spam Quarantine" that users are allowed in (by LDAP)

Thanks in advance

I have this problem too.
0 votes
Correct Answer by Martin Eppler about 6 years 5 months ago

Hello Patrick,

I'm afraid this will not work the way you try it. You are quarantining a message based on a Content Filter (so for Policy reasons) and this one will therefore show up in a System Quarantine (Policy Quarantine). Per system design System Quarantines (Virus Quarantine and Policy as well as any custom configured quarantine) are not end user facing and are only accessible for system administrators or entitled user groups (e.g. helpdesk users).

The only way I could think of would be to use a message filter on the CLI instead of a Content Filter on the GUI. This filter is then supposed to flag the message for spam quarantine rather than quarantining it directly. When inserting the ''X-IronPort-Quarantine' header with any value, the message will be flagged for the spam quarantine. Please ensure that Anti-Spam scanning is then skipped for these messages as well to avoid confusion when using this header.

This header insert has to be done with a message filter as Content Filter are processed at a later stage in the Mail Pipeline.

Hope this helps. if not, please let me know.

Thanks and regards,

Martin

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Martin Eppler Fri, 08/06/2010 - 07:22

Hello Patrick,

I'm afraid this will not work the way you try it. You are quarantining a message based on a Content Filter (so for Policy reasons) and this one will therefore show up in a System Quarantine (Policy Quarantine). Per system design System Quarantines (Virus Quarantine and Policy as well as any custom configured quarantine) are not end user facing and are only accessible for system administrators or entitled user groups (e.g. helpdesk users).

The only way I could think of would be to use a message filter on the CLI instead of a Content Filter on the GUI. This filter is then supposed to flag the message for spam quarantine rather than quarantining it directly. When inserting the ''X-IronPort-Quarantine' header with any value, the message will be flagged for the spam quarantine. Please ensure that Anti-Spam scanning is then skipped for these messages as well to avoid confusion when using this header.

This header insert has to be done with a message filter as Content Filter are processed at a later stage in the Mail Pipeline.

Hope this helps. if not, please let me know.

Thanks and regards,

Martin

P.Dijkshoorn Tue, 08/10/2010 - 07:54

Oh wow I'm far from familiair enough yet to go and experiment with the CLI.

It would seem a "normal" option to expect, but I guess it isn't.

I now made a extra action to inform the users there was a msg put in that quarantine and have them forward to me if it was a false positive.

It kinda goes beyond the purpose of it, but I hope it's just for time of tuning the extra filter.

Thanks for thinking with me!

Martin Eppler Mon, 08/16/2010 - 02:00

Hello Patrick,

thanks of ryour feedback. I know that message filters at a first glance look overly complicated and I agree that they can get very complex as well. But this is required to make them as powerful as they are now. When you look for an option that cannot be configured using a Content Filter, then I'd always recommend to review if a message filter could do waht you're looking for. The Advanced Configuration Guide has a lot of samples in it and once you have understood the syntax of a message filter it's also easier to deal with them :-)

Regarding the false positives. If you would like to submit them to the Anti-Spam team ([email protected] or [email protected]) please do not ask the end users to just forward them to you. Inline Forwarding from most mail clients destroy the original message headers which will mean that a later submission to the Anti-Spam team is not reflecting the original smapm/ham message and has to be ignored.If possible, install the end user plugins and ask them to submit the samples directly. The plugin is available for Outlook and Notes and requires only HTTPs access to the internet for the submission.

Thanks and regards,

Martin