Cisco Support Community

New Member

X1070 Content Filter

We have a content filtering configuration to check emails for certain account numbers. It's working great; the only bad thing is that sometimes it finds what it thinks are account numbers in HTML or XML code. This is random but annoys several of our customers. Is there a way to fine-tune the filter somehow to prevent this from happening? What we've been doing as a workaround is saving docs without XML or sending emails in plain text.

Accepted Solutions
Cisco Employee

The Filter should be as precise as possible for your situation. Without specific details, I can only generalize:

 

- If there is a pattern to the Account Numbers (i.e. always starts with A), use that information to build the most specific RegEx possible.

- If the Account Number is always paired with supporting data like names or birth dates, look for that supporting data in the Filter too.

- If the Account Number should have spaces or non-word characters around it (example: #12345), add \W to the search string to enforce 'word boundaries'.

 

When building your search string, I find it very helpful to have a reference handy for Regular Expressions so you can review all your options.  Here is my personal favorite:

 

http://www.regxlib.com/CheatSheet.aspx

 

 

I hope this helps!

- Jackie

3 REPLIES
New Member

Here is an example of the

I have done some more testing and this email sends fine in plain text. When I send it with HTML enabled, it gets flagged as having an SSN and encrypts the message. The issue seems to be in the HTML code. I doubt there is a way to tell IronPort, when scanning the email, to exclude HTML and XML code. I've tried deleting each of the lines and then sending the email to find out which ones are causing the encryption. It seems to be a combination of using the bullets with other formatting. I'm kind of stumped on this one. I'm not sure how to resolve this without telling the person to send the email in plain text.

Cisco Employee

Can you search for a 9 digit SSN-like pattern in the HTML, including the title? I've seen URLs with a 9 digit code trigger the filter you mention.
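
Added example (not part of the original thread, and not the appliance's own filter engine): a Python script that searches raw HTML for 9-digit SSN-like strings, as the last reply suggests, and compares a loose pattern with the word-boundary and supporting-data tightening from the accepted solution. The sample message, the pattern names and the `locate` helper are constructed for illustration.

```python
import re

# Constructed sample mail body: one SSN-like value in visible text,
# plus 9-digit runs hidden in a style rule, an id attribute and a URL.
SAMPLE_HTML = """<html><head><title>Invoice 2017</title>
<style>li.MsoNormal {mso-list: l0 level1 lfo123456789;}</style></head>
<body><ul>
<li id="item_482915037">See <a href="http://example.com/doc?id=551234567">the report</a></li>
<li>Customer SSN on file: 123-45-6789</li>
</ul></body></html>"""

SSN = r"\d{3}-?\d{2}-?\d{4}"
PATTERNS = {
    # Any 9 digits in SSN grouping, anywhere in the raw source.
    "loose": re.compile(SSN),
    # No word character (letter, digit, underscore) directly before or after.
    "bounded": re.compile(r"(?<!\w)(" + SSN + r")(?!\w)"),
    # Bounded, and preceded within 30 characters by the supporting keyword "SSN".
    "with_context": re.compile(
        r"\bSSN\b[^<>\d]{0,30}(?<!\w)(" + SSN + r")(?!\w)", re.I),
}

# Tags, plus the full contents of <style>/<script> elements, count as markup.
MARKUP = re.compile(r"<(style|script)\b.*?</\1\s*>|<[^>]*>", re.S | re.I)

def locate(html, pattern):
    """Return [(matched_value, 'markup' | 'text'), ...] for every hit."""
    spans = [m.span() for m in MARKUP.finditer(html)]
    hits = []
    for m in pattern.finditer(html):
        g = m.lastindex or 0  # the captured number if the pattern has a group
        pos = m.start(g)
        where = "markup" if any(s <= pos < e for s, e in spans) else "text"
        hits.append((m.group(g), where))
    return hits

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name, locate(SAMPLE_HTML, pattern))
```

The URL parameter still matches the bounded pattern because `=` and `"` are non-word characters; in this sample only the pattern that also requires supporting data drops it.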
