Cisco Support Community

New Member

Content filter on Cisco Email Security Virtual Appliance

Dear friend.

 

I have a problem with the Content Filter when configuring the Cisco Security Virtual Appliance.

You can see my rule in the attached picture.

But when I sent an email with the subject "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint", it's blocked by the Content Filter "DenySubject".

I'm sure that my Dictionary doesn't contain any word from this Subject.

Capture 3 is captured in Policy Quarantine.

Please help me to solve it asap.

 

Thanks so much.
Vinh Phan

3 REPLIES
Cisco Employee

It is not an issue with the virtual ESA.  Using my vESA, I get the same results, using your "denysubject.txt" for custom dictionary...

Tue Jun 10 22:53:37 2014 Info: ICID 96 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Jun 10 22:53:37 2014 Info: Start MID 58 ICID 96
Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 From: <robsherw.cisco@gmail.com>
Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 RID 0 To: <robsherw@cisco.com>
Tue Jun 10 22:53:37 2014 Info: MID 58 Message-ID '<756BCAF2-2883-416D-BBA2-D0997B70E8F3@gmail.com>'
Tue Jun 10 22:53:37 2014 Info: MID 58 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
Tue Jun 10 22:53:37 2014 Info: MID 58 ready 7764 bytes from <robsherw.cisco@gmail.com>
Tue Jun 10 22:53:37 2014 Info: MID 58 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Tue Jun 10 22:53:37 2014 Info: MID 58 quarantined to "Policy" (content filter:DenySubject)
Tue Jun 10 22:54:36 2014 Info: ICID 96 close

 

Reviewing the contents --- one line is the culprit:

[NuocVIET], 1

Remove that one entry, and the dictionary works.

 

Tue Jun 10 23:34:19 2014 Info: New SMTP ICID 117 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
Tue Jun 10 23:34:19 2014 Info: ICID 117 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Tue Jun 10 23:34:19 2014 Info: Start MID 91 ICID 117
Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 From: <robsherw.cisco@gmail.com>
Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 RID 0 To: <robsherw@cisco.com>
Tue Jun 10 23:34:19 2014 Info: MID 91 Message-ID '<FE336542-50F7-433B-98AD-AF238F7FFF02@gmail.com>'
Tue Jun 10 23:34:19 2014 Info: MID 91 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
Tue Jun 10 23:34:19 2014 Info: MID 91 ready 4505 bytes from <robsherw.cisco@gmail.com>
Tue Jun 10 23:34:19 2014 Info: MID 91 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
Tue Jun 10 23:34:19 2014 Info: MID 91 queued for delivery
Tue Jun 10 23:34:19 2014 Info: New SMTP DCID 39 interface 172.16.6.165 address 173.37.93.161 port 25
Tue Jun 10 23:34:19 2014 Info: DCID 39 TLS success protocol TLSv1 cipher RC4-SHA 
Tue Jun 10 23:34:20 2014 Info: Delivery start DCID 39 MID 91 to RID [0]
Tue Jun 10 23:34:20 2014 Info: Message done DCID 39 MID 91 to RID [0] 
Tue Jun 10 23:34:20 2014 Info: MID 91 RID [0] Response '2.0.0 s5B3YLna030140 Message accepted for delivery'
Tue Jun 10 23:34:20 2014 Info: Message finished MID 91 done
Tue Jun 10 23:34:25 2014 Info: DCID 39 close

 

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

 

New Member

Dear Robert.

Thanks for your answer.

But I want to know why it's blocked.

As you see, all the words in the subject don't match [NuocVIET] in the Dictionary.

And how can you know [NuocViet] is the cause of this issue?

 

Vinh Phan 

Cisco Employee

The dictionary is treating it as a general Python list expression.  You can also \\ comment it out so the [ is read literally...

\\[NuocVIET\\], 1

-Robert
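
Added example, not part of the thread and not Cisco code: a small Python audit that shows why the entry "[NuocVIET], 1" fires on the subject from the mail log when the brackets are read as a set of single characters, and that the same term read literally matches nothing. It assumes Python's `re` semantics and case-sensitive matching as a stand-in for the appliance's matcher; the function names and the second dictionary line are constructed for illustration.

```python
import re

# Constructed sample input: the subject as it appears in the thread's mail log,
# and dictionary lines in the "term, weight" form shown in the thread.
SUBJECT = "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint"
DICTIONARY = ["[NuocVIET], 1", "confidential, 1"]


def parse_entry(line):
    """Split a 'term, weight' dictionary line into (term, weight)."""
    term, _, weight = line.rpartition(",")
    return term.strip(), int(weight)


def matches(term, text):
    """Return every substring of text that the term matches as a regex."""
    return re.findall(term, text)


def unescaped_class(term):
    """True if the term has a '[' that is not preceded by a backslash."""
    return re.search(r"(?<!\\)\[", term) is not None


def audit(lines, text):
    """For each entry, compare regex hits with hits for the literal term."""
    report = []
    for line in lines:
        term, weight = parse_entry(line)
        report.append({
            "term": term,
            "weight": weight,
            "char_class": unescaped_class(term),
            # Brackets read as "any one of these characters".
            "hits": matches(term, text),
            # Same term with metacharacters escaped, i.e. read literally.
            "literal_hits": matches(re.escape(term), text),
        })
    return report


if __name__ == "__main__":
    for row in audit(DICTIONARY, SUBJECT):
        flag = "REVIEW" if row["char_class"] and row["hits"] else "ok"
        print(f'{flag:6} {row["term"]!r}: hits={row["hits"]} '
              f'literal_hits={row["literal_hits"]}')
```

Running an audit like this over a custom dictionary before importing it catches entries whose brackets turn a word into a one-character match.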
