AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 9 Using Message Filters to Enforce Email Policies
Message Filter Rules
The following filter checks the workqueue count, and skips spam check if the queue is greater than the
specified number.

wqfull:
if (workqueue-count > 1000) {
    skip-spamcheck();
}

For more information on SPF/SIDF, see Overview of SPF and SIDF Verification, page 20-22.

SMTP Authenticated User Match Rule

If your Cisco appliance uses SMTP authentication to send messages, the
smtp-auth-id-matches(<target> [, <sieve-char>]) rule can check a message’s headers and Envelope Sender
against the sender’s SMTP authenticated user ID to identify outgoing messages with spoofed headers. This
filter allows the system to quarantine or block potentially spoofed messages.

The smtp-auth-id-matches rule compares the SMTP authenticated ID against the following targets:

Target          Description
*EnvelopeFrom   Compares the address of the Envelope Sender (also known as MAIL FROM) in the SMTP
                conversation.
*FromAddress    Compares the addresses parsed out of the From header. Since multiple addresses are
                permitted in the From: header, only one has to match.
*Sender         Compares the address specified in the Sender header.
*Any            Matches messages that were created during an authenticated SMTP session regardless of
                identity.
*None           Matches messages that were not created during an authenticated SMTP session. This is
                useful when authentication is optional (preferred).

The filter performs matches loosely. It is not case-sensitive. If the optional sieve-char parameter is
supplied, the last portion of an address that follows the specified character will be ignored for the
purposes of comparison. For example, if the + character is included as a parameter, the filter ignores
the portion of the address joe+folder@example.com that follows the + character. If the address was
joe+smith+folder@example.com, only the +folder portion is ignored. If the SMTP authenticated user ID
string is a simple username and not a fully-qualified e-mail address, only the username portion of the
target will be examined to determine a match. The domain must be verified in a separate rule.

Also, you can use the $SMTPAuthID variable to insert the SMTP authenticated user ID into headers.

The following table shows examples of comparisons between the SMTP authenticated ID and email
addresses and whether they would match using the smtp-auth-id-matches filter rule:

SMTP Auth ID   Sieve Char   Comparison Address      Matches?
someuser                    otheruser@example.com   No
someuser                    someuser@example.com    Yes
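
The loose matching described above (not case-sensitive, optional sieve-char, username-only IDs) can be modeled in a few lines of Python to predict how a rule will evaluate. This is an added example, not Cisco's implementation; the function names are hypothetical, the sample cases are constructed, and it assumes the sieve-char is applied to the compared address only.

```python
# Model of the loose matching the guide describes for smtp-auth-id-matches.
# Assumption: the sieve-char is applied to the compared address only.

def strip_sieve(address, sieve_char=None):
    """Ignore the last part of the local part that follows sieve_char."""
    local, at, domain = address.partition("@")
    if sieve_char and sieve_char in local:
        local = local.rsplit(sieve_char, 1)[0]  # joe+smith+folder -> joe+smith
    return local + at + domain


def auth_id_matches(auth_id, address, sieve_char=None):
    """Return True if the SMTP auth ID loosely matches one address."""
    auth_id = auth_id.lower()                      # not case-sensitive
    target = strip_sieve(address.lower(), sieve_char)
    if "@" not in auth_id:
        # Simple username: only the username portion of the target is examined.
        target = target.partition("@")[0]
    return auth_id == target


def from_header_matches(auth_id, addresses, sieve_char=None):
    """*FromAddress target: only one of the From: addresses has to match."""
    return any(auth_id_matches(auth_id, a, sieve_char) for a in addresses)


# Constructed sample cases: (auth ID, sieve char, address)
CASES = [
    ("someuser", None, "otheruser@example.com"),
    ("someuser", None, "someuser@example.com"),
    ("SomeUser", None, "someuser@EXAMPLE.com"),
    ("joe", None, "joe+folder@example.com"),
    ("joe", "+", "joe+folder@example.com"),
    ("joe+smith", "+", "joe+smith+folder@example.com"),
    ("someuser", None, "someuser@other.example"),   # domain is not checked
    ("someuser@example.com", None, "someuser@other.example"),
]

if __name__ == "__main__":
    for auth_id, sieve, addr in CASES:
        verdict = "Yes" if auth_id_matches(auth_id, addr, sieve) else "No"
        print(f"{auth_id:22} {sieve or '-':3} {addr:30} {verdict}")
```

The username-only ID someuser matches someuser@other.example in this model, which is why the guide says the domain must be verified in a separate rule.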