Cisco Support Community

New Member

Content Dictionary - Negative Weighting

I am using a dictionary and content filter to find emails that contain certain terms such as: account number, member number, etc.

I am running into an issue where I have a particular email that has a WORD document that contains the following line:

account number is 123456


Now I don't want this to trigger my filter (because the account number is obviously not legitimate).

In my content dictionary I have the following lines

account number is \d+ Weight of 8
account number is 123456 Weight of 1

Unfortunately I am getting two hits on the dictionary for a total weight of 9, instead of the weight I want which is 1.

Is there any possible way to do negative weight in IronPort? For example:

account number is \d+ Weight of 8
account number is 123456 Weight of -8

Now, the one dictionary entry will cancel out the other. This also gives me the benefit of still getting hits on other items in the dictionary.

Is this possible with IronPort?

2 REPLIES
New Member

Re: Content Dictionary - Negative Weighting

Unfortunately you cannot use negative weights for your dictionary, so I am afraid your approach will not work.
If the message that has this Word document is recurring, you may consider creating a separate mail policy for it where the content filter with the dictionary is not enabled.

New Member

Re: Content Dictionary - Negative Weighting

account number is \d+ Weight of 8
account number is 123456 Weight of 1

You can use the following line in your dictionary:

account number is (?!123456)\d+

This will match the phrase "account number is" followed by a number that is not "123456".
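
The two dictionaries discussed in this thread, compared side by side as an added example that is not part of any post above. It assumes Python's `re` module as a stand-in for the appliance's matcher and a simplified sum-of-weights score; the `EXACT` entry is a hypothetical variant that excludes only the exact number 123456, since the plain lookahead also skips longer numbers that begin with those digits.

```python
import re

# Dictionary entries as (pattern, weight). Python's `re` stands in for the
# appliance's matcher and scoring is a plain sum of weights: both assumptions.
ORIGINAL = [(r"account number is \d+", 8), (r"account number is 123456", 1)]
LOOKAHEAD = [(r"account number is (?!123456)\d+", 8)]
# Hypothetical variant: reject 123456 only when no further digit follows it.
EXACT = [(r"account number is (?!123456(?!\d))\d+", 8)]

# Constructed sample lines, not taken from any real message.
SAMPLES = [
    "account number is 123456",   # the placeholder value to ignore
    "account number is 987654",   # a value that should score
    "account number is 1234567",  # longer number sharing the 123456 prefix
]


def score(entries, text):
    """Total weight contributed by every dictionary entry that matches text."""
    total = 0
    for pattern, weight in entries:
        hits = re.findall(pattern, text, flags=re.IGNORECASE)
        total += weight * len(hits)
    return total


def compare(samples=SAMPLES):
    """Return {sample: (original, lookahead, exact)} scores for each line."""
    return {
        s: (score(ORIGINAL, s), score(LOOKAHEAD, s), score(EXACT, s))
        for s in samples
    }


if __name__ == "__main__":
    for line, scores in compare().items():
        print(f"{line!r:32} original={scores[0]} lookahead={scores[1]} exact={scores[2]}")
```

Any lookahead entry should be confirmed against test messages on the appliance itself before it is relied on in a production filter.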
