Re: Dislaimer for all outgoing mails, excepting some domains?

Pat_ironport · ‎01-03-2008

I'm still trying to add a Disclaimer to all outgoing mails. Actually, I need some help to add such a Disclaimer to nearly all outgoing mails, excepting some specific domains and for the right syntax:

I know that I can add a message filter with the action 'add-footer' through CLI like this:

if (recv listener == "OutboundMail" AND (not only-body-contains ('some unique text from my company disclaimer'),1)

{add-footer('name of previously in GUI added dislcaimer-text');}

else

{ deliver();}

My questions:
a) How can I prevent such a Disclaimer for every recipient in the domain "@company-without-disclaimer.com"?
b) How should I write that for multiple recipient-domains without disclaimer?
c) Is it important to write the listener-name and the disclaimer-name in the above code with ' (single quote) or " (double quotes)?
d) Are the brace brackets {} set correct?
e) Should I enter the entire disclaimer-text for the body-scan? I'm not sure if our actually one is 'unique' - maybe other companies has the same or a very similar one. Should I add multiple parts to looking for? How do you do that?

Thank you for every help in advance!

Donald Nash · ‎01-03-2008

Since you need to apply this policy on a per-recipient basis, this is a job for the Email Security Manager. Use it to define two outgoing policies: a special policy for those domains which are not to have footers added, and a default policy for everyone else. In the default policy, create a content filter that adds your footer. The language used by content filters is the same as the one used by message filters, they're just applied at a later stage in the e-mail pipeline.

Since the Email Security Manager sorts out incoming from outgoing automatically, your script won't need to check the recv-listener. Something like this should do the trick:

if (not only-body-contains('some unique text from my company disclaimer')) 
{
    add-footer('name of previously in GUI added dislcaimer-text');
}

I strongly recommend that you read the "Email Security Manager" chapter of the AsyncOS User Guide.

Pat_ironport · ‎01-04-2008

Thank you for your hint. Could you please give me an advice, how I can enter this script? I can't figure out how to add the NOT-command. :oops:

And could you please tell me something to my other questions c), d) and e)?

Donald Nash · ‎01-04-2008

I can't figure out how to add the NOT-command.

It works for me as written in my previous example.

And could you please tell me something to my other questions c), d) and e)?

"C" and "d" are very basic questions documented in the "Message Filters" section of the Advanced User Guide. Single or double quotes are both fine. The curly braces are probably OK as you've written them, but putting whitespace around them might be necessary (the docs don't say).

As for the disclaimer text, that's hard to get perfect. It depends on your threat model. If you just want to be reasonably well assured that it gets put in, then pick out some bit of the disclaimer that is unlikely to appear elsewhere and check for that. But if you want to make sure that your own people can't spoof the process by embedding that bit in a message in order to avoid getting the disclaimer (not a likely threat in my opinion), then you'd need to check for the whole thing. Depending on how long it is, it might be safer to check for it piecemeal rather than all at once. I really can't say since I've never tried this. Or you could just add the footer unconditionally. At worst, you'd only end up with multiple instances of the footer in some messages, and it would only be in those messages which pass through your ESA more than once.