Select Mail Delivery ➝ Content Management, and then select Pattern Filters (PBMF) on the menu.

The pre-defined PBMF rules are provided as examples on how rules are to be created and can be deleted if not needed without any repercussions.

Click the Add button to add a new pattern to the filter list.

Select the direction of mail for the PBMF rule in the Apply To field, such as All Mail, Inbound, or Outbound, depending on your requirements.

• All Mail — Mail destined for any domain.

• Inbound mail — Any mail that is destined to a domain that the ePrism is configured to accept mail for. This will be any domain listed in the Mail Routing table in Mail Delivery ➝ Routing ➝ Mail Routing.

• Outbound mail — Mail destined to any domain that the ePrism is not configured to accept mail for (every domain other than those configured in Mail Routing).

"Trusted" mail has no bearing on the Inbound/Outbound relationship.

Select the Message Part you want to filter on. ePrism allows you to filter on the following parameters:

Message Envelope Parameters

These parameters will not be visible to the user. They are the "handshake" part of the SMTP protocol. You will need to look for these in the transport logs or have other knowledge of them.

• <<Mail Envelope>> — This parameter allows for a match on any part of the message envelope which includes the HELO, Client IP and Client Host.

• HELO — This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. Example: mail.example.com.

• Client IP — This field will be accurately reported and may be reliably used for both blocking and trusting. It is the IP address of the system initiating the SMTP connection. Example: 192.168.1.200.

• Client Host — This field will be accurately reported and may be reliably used for both blocking and trusting. Example: mail.example.com.

The following envelope parameters (Envelope Addr, Envelope To, and Envelope From) may be visible if your client supports reading the message source. They can also be found in the transport logs. Other header fields may be visible as supported by the mail client.

• Envelope Addr — This matches on either the Envelope To or Envelope From. These fields are easily faked, and are not recommended for use in spam control. They may be useful in trusting a source of mail. Example: [email protected].

• Envelope To — This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. Example: [email protected].

• Envelope From — This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. Example: [email protected].

Message Header Parameters

Spammers will typically enter false information into these fields, except for the Subject field, and they are usually not useful in controlling spam. These fields may be useful in trusting certain users or legitimate sources of email.

• <<Mail Header>> — This parameter allows for a match on any part of the message header.

• <<Recipient>> — This parameter matches the To: or CC: fields.

• CC:

There are other header fields that are commonly used, such as List-ID, as well as those added by local mail systems and clients. You must use Regular Expressions (described below) to specify these.

Message Body Parameters

• <<Raw Mail Body>> — This parameter allows for a match on any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use <<Mail Content>> for text matching on the decoded content.

• <<Mail Content>> — This parameter allows for a match on the visible decoded message body.
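The difference between the two body parameters, as an added example that is not part of the ePrism manual: a constructed base64-encoded message is checked with a "Contains" match against the body as transmitted and against the decoded text. The function names and the sample message are assumptions made for illustration.

```python
import base64
from email import message_from_string

# Constructed sample: a text/plain body sent with base64 transfer encoding.
PLAIN = "Limited offer: cheap watches, reply today"
RAW_MESSAGE = (
    "From: sender@example.com\r\n"
    "To: user@example.com\r\n"
    "Subject: hello\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(PLAIN.encode()).decode() + "\r\n"
)

def raw_body(raw):
    """Body exactly as transmitted (models a <<Raw Mail Body>> match)."""
    return raw.split("\r\n\r\n", 1)[1]

def decoded_content(raw):
    """Text parts after transfer decoding (models a <<Mail Content>> match)."""
    msg = message_from_string(raw)
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)

def contains(pattern, text):
    """Case-insensitive 'Contains' match, checked line by line."""
    return any(pattern.lower() in line.lower() for line in text.splitlines())

if __name__ == "__main__":
    print("raw body match:    ", contains("cheap watches", raw_body(RAW_MESSAGE)))
    print("mail content match:", contains("cheap watches", decoded_content(RAW_MESSAGE)))
```
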

117 Pattern Based Message Filtering (PBMF)

STA (Token Analysis) Token

Bulk Analysis tokens can also be selected for pattern based message filters. This allows you to match patterns for common spam words that could be hidden or disguised with fake or invisible HTML text comments, which would not be caught by a normal pattern filter. For example, Token Analysis extracts the token "viagra" from the text "vi<spam>ag<spam>ra" and "v.i.a.g.r.a.".

Attachment Scanning

Pattern based message filters can be defined to match the content of an entire mail message, including attachments. This type of PBMF is used with the Attachment Content Scanning feature. See “Attachment Content Scanning” on page 106 for more information on scanning attachments.

Match Option

Matching looks for the specified text in each line. You can specify one of the following:

• Contains — Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail.

• Ends with — Looks for the text at the end of the line or field (no characters, spaces and so on, between the text and the non-printed end-of-line character.)

• Matches — The entire line or field must match the text.

• Starts with — Looks for the text at the start of the line or field (no characters between the text and the start of line.)

• Reg Exp — Enter a regular expression to match the text.

Pattern

Enter a text pattern (case insensitive) to search for in the message.

You may also use Regular Expressions which allow you to specify match rules in a more flexible and granular way. They are based on the standard POSIX specification for Regular Expressions.

For example, to search for a "blank" message field, use the following regular expression:

^subject:[[:blank:]]*$

Although the Regular Expression feature is supported, St. Bernard cannot help with devising or debugging Regular Expressions because they have an infinite variety and can be very complex.

Using Regular Expressions is not recommended unless you have advanced knowledge of their use.
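To test a pattern before entering it, the Match Options above can be modelled offline. This is an added sketch, not ePrism code: the header lines are constructed, and because Python's `re` module lacks POSIX bracket classes, the manual's `[[:blank:]]` is translated to an equivalent set first.

```python
import re

# Python's re has no POSIX bracket classes, so the common ones are translated
# first (an assumption of this sketch, not a statement about the appliance).
POSIX_CLASSES = {"[:blank:]": r" \t", "[:space:]": r"\s", "[:digit:]": "0-9",
                 "[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9"}

def posix_to_python(pattern):
    for posix, py in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern

def line_matches(option, pattern, line):
    """Apply one Match Option to a single line or field, case-insensitively."""
    text, pat = line.lower(), pattern.lower()
    if option == "Contains":
        return pat in text
    if option == "Starts with":
        return text.startswith(pat)
    if option == "Ends with":
        return text.endswith(pat)
    if option == "Matches":
        return text == pat
    if option == "Reg Exp":
        return re.search(posix_to_python(pattern), line, re.IGNORECASE) is not None
    raise ValueError(f"unknown match option: {option}")

def matching_lines(option, pattern, lines):
    return [line for line in lines if line_matches(option, pattern, line)]

# Constructed sample header lines; the Subject value is only a space, tab, space.
HEADERS = [
    "From: Sender <sender@example.com>",
    "Subject: \t ",
    "X-Subject: none",
]
BLANK_SUBJECT = "^subject:[[:blank:]]*$"  # the regular expression from the manual

if __name__ == "__main__":
    for option, pattern in [("Contains", "subject:"), ("Starts with", "subject:"),
                            ("Matches", "subject:"), ("Reg Exp", BLANK_SUBJECT)]:
        print(f"{option:12} {pattern!r:28} -> {matching_lines(option, pattern, HEADERS)}")
```
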


Priority

Select a priority for the filter (High, Medium, Low). The entire message is read before making the decision. If a message matches multiple filters, the filter with the highest priority will be used.

If more than one matched filter has the highest priority, the filter with the strongest action will be used, in order, from highest priority to lowest (Bypass, Reject, Discard, Quarantine, Certainly Spam, Archive, Redirect, Trust, Relay, Accept, Just log).

Discard, Quarantine, and Redirect are actions available when creating a custom PBMF action in the PBMF preferences screen.

If more than one matched rule has the highest priority and highest action, then the filter with the highest rule number will be used.
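The tie-breaking order described in this section (priority, then action strength, then rule number), written out as an added example that is not taken from the product. The `MatchedFilter` type and the sample rules are assumptions; the action order is the one listed in parentheses above.

```python
from dataclasses import dataclass

PRIORITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
# Strongest action first, in the order the manual lists them.
ACTION_ORDER = ["Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
                "Archive", "Redirect", "Trust", "Relay", "Accept", "Just log"]

@dataclass(frozen=True)
class MatchedFilter:
    rule_number: int
    priority: str
    action: str

def action_strength(action):
    """Larger value means stronger action (Bypass strongest, Just log weakest)."""
    return len(ACTION_ORDER) - ACTION_ORDER.index(action)

def winning_filter(matched):
    """Return the matched filter whose action is applied, or None if none matched."""
    if not matched:
        return None
    return max(matched, key=lambda f: (PRIORITY_RANK[f.priority],
                                       action_strength(f.action),
                                       f.rule_number))

# Constructed sample: a High-priority "Just log" rule overrides a Medium
# "Reject" and a Low "Bypass", because priority is compared before action.
MATCHED = [
    MatchedFilter(1, "Medium", "Reject"),
    MatchedFilter(2, "High", "Just log"),
    MatchedFilter(3, "Low", "Bypass"),
]

# Constructed sample: equal priority, so the strongest action wins, and the
# higher rule number breaks the remaining tie.
TIED = [
    MatchedFilter(4, "High", "Accept"),
    MatchedFilter(5, "High", "Quarantine"),
    MatchedFilter(7, "High", "Quarantine"),
]

if __name__ == "__main__":
    print(winning_filter(MATCHED))
    print(winning_filter(TIED))
```

When auditing a rule set, the first sample is the case to look for: a broad High-priority rule with a weak action silently overrides a stricter lower-priority rule for the same message.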

Action

When a rule has been triggered, the specified action is performed:

• Bypass — Allow this message to bypass all Intercept anti-spam and Content Management (Attachment Control, Malformed Message and OCF) processing. This action will override other PBMF actions for the same priority.

This action does not bypass Anti-Virus scanning.

• Trust — This mail is considered trusted and from a legitimate source. This message will not be processed for spam.

• Reject — Mail is received, then rejected before the close of an SMTP session. Message is trained for spam if "Train" is also selected.

• Relay — Relay is enabled for this mail and the message is considered trusted for anti-spam scanning purposes. Message will be trained as legitimate mail if "Train" is also selected.

• Accept — Mail is accepted and delivered as per normal operation. Message is trained as legitimate mail if "Train" is also selected.

• Certainly Spam — Mail is received, trained as spam, and then the Intercept action for "Certainly Spam" is applied.

• Just Log — Take no action, but log the occurrence. "Just Log" can be used to override other lower priority PBMFs to test the effect of PBMFs without an action taking place.

• BCC — Send a blind carbon copy mail to the mail address specified in Action Data. This option only appears if you have a BCC email address set up in the Preferences section.

• Do Not Train — Do not use the message for Token Analysis training purposes.

• Configurable Actions — There are several configurable actions that can be defined by the administrator by clicking the Preferences button. When defined, these actions will appear in this list.

• Encrypt — Redirects the message to the Encryption server specified in the Mail Delivery ➝ Encryption menu.

• Decrypt — Redirects the message to the Encryption server specified in the Mail Delivery ➝ Encryption menu.

• Archive (High, Medium, Low) — Redirects the message to an archiving server specified in the Mail Delivery ➝ Archiving menu.

The "Relay" or "Trust" action can only be used with an Envelope message part because attempted relays must be rejected immediately after the envelope transaction.
