User Guide

ManualsBrandsCisco Manualsantivirus security softwareCisco Email Security Appliance C680

181

182

183

184

185

186

187

188

189

190

9-19

AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide

Chapter 9 Using Message Filters to Enforce Email Policies

Message Filter Rules

Regular Expression and Non-ASCII Character Sets

In some languages, the concepts of a word or word boundary, or case do not exist.

Complex regular expressions that depend on concepts like what is or is not a character that would

compose a word (represented as “

\w” in regex syntax) cause problems when the locale is unknown or if

the encoding is not known for certain.

n Tests

Regular expressions can be tested for matching using the sequence == and for non-matching using the

sequence

!=. For example:

Case-sensitivity

Unless otherwise noted, regular expressions are case-sensitive. Thus, if your regular expression is

searching for

foo, it does not match the pattern FOO or even Foo.

Writing Efficient Filters

This example shows two filters that do the same thing, but the first one takes much more CPU. The

second filter uses a regular expression that is more efficient.

rcpt-to == "^goober@dev\\.null\\....$" (matching)

rcpt-to != "^goober@dev\\.null\\....$" (non-matching)

attachment-filter: if ((recv-listener == "Inbound") AND

((((((((((((((((((((((((((((((((((((((((((((((attachment-filename ==

"\\.386$") OR (attachment-filename == "\\.exe$")) OR (attachment-filename == "\\.ad$"))

OR (attachment-filename == "\\.ade$")) OR (attachment-filename == "\\.adp$")) OR

(attachment-filename == "\\.asp$")) OR (attachment-filename == "\\.bas$")) OR

(attachment-filename == "\\.bat$")) OR (attachment-filename == "\\.chm$")) OR

(attachment-filename == "\\.cmd$")) OR (attachment-filename == "\\.com$")) OR

(attachment-filename == "\\.cpl$")) OR (attachment-filename == "\\.crt$")) OR

(attachment-filename == "\\.exe$")) OR (attachment-filename == "\\.hlp$")) OR

(attachment-filename == "\\.hta$")) OR (attachment-filename == "\\.inf$")) OR

(attachment-filename == "\\.ins$")) OR (attachment- filename == "\\.isp$")) OR

(attachment-filename == "\\.js$")) OR (attachment-filename == "\\.jse$")) OR

(attachment- filename == "\\.lnk$")) OR (attachment-filename == "\\.mdb$")) OR

(attachment-filename == "\\.mde$")) OR (attachment-filename == "\\.msc$")) OR

(attachment-filename == "\\.msi$")) OR (attachment-filename == "\\.msp$")) OR

(attachment-filename == "\\.mst$")) OR (attachment-filename == "\\.pcd$")) OR

(attachment-filename == "\\.pif$")) OR (attachment-filename == "\\.reg$")) OR

(attachment-filename == "\\.scr$")) OR (attachment-filename == "\\.sct$")) OR

(attachment-filename == "\\.shb$")) OR (attachment-filename == "\\.shs$")) OR

(attachment-filename == "\\.url$")) OR (attachment-filename == "\\.vb$")) OR

(attachment-filename == "\\.vbe$")) OR (attachment-filename == "\\.vbs$")) OR

(attachment-filename == "\\.vss$")) OR (attachment-filename == "\\.vst$")) OR

(attachment-filename == "\\.vsw$")) OR (attachment-filename == "\\.ws$")) OR

(attachment-filename == "\\.wsc$")) OR (attachment-filename == "\\.wsf$")) OR

(attachment-filename == "\\.wsh$"))) { bounce(); }