Configuring pattern filters. WatchGuard XCS


Content Control

Content scanning phrase length for credit card pattern filters

The Content Scanning feature has a default phrase length of 3, indicating that the system will only scan up to 3 words of a dictionary phrase. When enabling Credit Card pattern filters, the phrase length must be increased to 4 to ensure the credit card filters are scanned properly.

To modify the content scanning phrase length:

1. Select Security > Content Control > Content Scanning.

2. Select the Enable check box.

3. Enter “4” for the Phrase length.

4. Click Apply.

Configuring pattern filters

To configure pattern filters:

1. Select Security > Content Control > Pattern Filters.

2. Click the Edit View button to see an editable list of the pattern filters.

3. Select the Enable PBMF check box to enable the Pattern Filter feature globally.

Each pattern filter can be individually enabled or disabled.

4. Click Add.


5. Select the Enabled check box to enable this pattern filter.

6. Enter a descriptive Name and Comment for the Pattern Filter to be more easily identified in the list of pattern filters and reports.

The name and comment can only consist of letters, numbers, spaces, periods, underscores, and dashes.

7. Select the direction of mail for the Pattern Filter rule in the Apply To field, such as All Mail, Inbound, or Outbound, depending on your requirements.

• All Mail — Mail destined for any domain.

• Inbound mail — Any mail destined for a domain for which the system is configured to accept mail. This is any domain listed in the Mail Routing table in Configuration > Mail > Routing.

• Outbound mail — Mail destined for any domain for which the system is not configured to accept mail (every domain other than those configured in Mail Routing).

8. Select the Message Part for which to filter.

The system allows you to filter on the following envelope parameters. These parameters are not visible to the end user, because they are exchanged during the SMTP handshake; you will need to look for them in the logs or have other knowledge of them.

<<Mail Envelope>>

This parameter allows for a match on any part of the message envelope, which includes the HELO, Client IP, and Client Host.

WatchGuard XCS User Guide

HELO

This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: mail.example.com.

Client IP

This field will be accurately reported and may be reliably used for both blocking and trusting. It is the IP address of the system initiating the SMTP connection. For example: 192.168.1.200.

Client Host

This field will be accurately reported and may be reliably used for both blocking and trusting. For example: mail.example.com.

The following envelope parameters (Envelope Addr, Envelope To, and Envelope From) may be visible if your client supports reading the message source. They can also be found in the transport logs. Other header fields may be visible as supported by the mail client.

Envelope Addr

This finds matches in either the Envelope To or Envelope From field. These fields are easily faked, and are not recommended for use in spam control. They may be useful in trusting a source of mail. For example: [email protected].

Envelope To

This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: [email protected].

Envelope From

This field is easily faked, and is not recommended for use in spam control. It may be useful in trusting a source of mail. For example: [email protected].

Message Header Parameters

Spammers will typically enter false information into these fields, except for the Subject field, so they are usually not useful in controlling spam. These fields may be useful in trusting certain users or legitimate sources of email.

Mail Header parameters will only match on the primary header of a message and not other multipart message headers.

<<Mail Header>>

This parameter allows for a match in any part of the message header.

<<Recipient>>

This parameter finds matches in the To: or CC: fields of the message.

CC:

This parameter finds matches in the CC: (Carbon Copy) field of the message.

From:

This parameter finds matches in the From: field of the message.

Message-ID:

This parameter finds matches in the Message-ID: field of the message.

Received:

This parameter finds matches in the Received: field of the message.

Reply-to:

This parameter finds matches in the Reply-to: field of the message.

Sender:

This parameter finds matches in the Sender: field of the message.


Subject:

This parameter finds matches in the Subject: field of the message.

To:

This parameter finds matches in the To: field of the message.

There are other header fields that are commonly used, such as List-ID, as well as those added by local mail systems and clients. You must use Regular Expressions to specify these parameters.

Message Body Parameters

<<Raw Mail Body>>

This parameter finds matches in any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use <<Mail Content>> for text matching on the decoded content. This parameter will also match in multi-part message parts.

<<Mail Content>>

This parameter finds matches in the visible decoded message body.
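The difference between <<Raw Mail Body>> and <<Mail Content>> is easiest to see on a message whose body is transfer-encoded. The following Python is an added example, not code from the guide or from WatchGuard: it builds a constructed single-part message (the addresses and body text are made up), once as plain 7bit text and once base64-encoded, then runs a substring search over the undecoded body and over the decoded text part. The two helper names and the search semantics are approximations of the two message parts, not the appliance's implementation.

```python
import base64
import email
from email import policy


def build_message(body_text: str, transfer_encoding: str) -> str:
    """Return a constructed single-part RFC 5322 message as a string.

    transfer_encoding is "7bit" (body sent as plain text) or "base64"
    (body sent encoded, as many clients do for HTML or non-ASCII text).
    Sample data only; not a message from the WatchGuard guide.
    """
    if transfer_encoding == "base64":
        body = base64.b64encode(body_text.encode("utf-8")).decode("ascii")
    elif transfer_encoding == "7bit":
        body = body_text
    else:
        raise ValueError("unsupported transfer encoding")
    return (
        "From: sender@example.com\r\n"
        "To: user@example.com\r\n"
        "Subject: Notice\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: text/plain; charset="utf-8"\r\n'
        f"Content-Transfer-Encoding: {transfer_encoding}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def raw_body_contains(raw_message: str, phrase: str) -> bool:
    """Approximates <<Raw Mail Body>>: a case-insensitive substring search over
    the undecoded body, i.e. everything after the blank line ending the headers."""
    _, _, body = raw_message.partition("\r\n\r\n")
    return phrase.lower() in body.lower()


def mail_content_contains(raw_message: str, phrase: str) -> bool:
    """Approximates <<Mail Content>>: decode each text part (undoing base64 or
    quoted-printable transfer encoding) before searching it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if phrase.lower() in part.get_content().lower():
            return True
    return False


def compare(body_text: str, phrase: str) -> dict:
    """Run both searches against plain and base64-encoded copies of body_text."""
    results = {}
    for enc in ("7bit", "base64"):
        raw = build_message(body_text, enc)
        results[enc] = {
            "raw_body": raw_body_contains(raw, phrase),
            "mail_content": mail_content_contains(raw, phrase),
        }
    return results


if __name__ == "__main__":
    # The raw search misses the phrase once the body is base64-encoded;
    # the decoded search finds it in both forms.
    print(compare("Please complete your account verification today.", "account verification"))
```

The raw-body search still has a place: it is the only one of the two that sees encoded attachments and the MIME structure itself, which is why the guide keeps both parts available.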

STA (Token Analysis) Token

Token Analysis tokens can also be selected for pattern based message filters. This allows you to match patterns for common spam words that could be hidden or disguised with fake or invisible HTML text comments, which would not be caught by a normal pattern filter. For example, Token Analysis extracts the token “viagra” from the text “vi<spam>ag<spam>ra” and “v.i.a.g.r.a.”.
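To make the point concrete, here is an added Python example (not the appliance's Token Analysis code, whose real token set and rules the guide does not publish) that normalizes text the way the two examples above require: it strips HTML comments and tags, lowercases, and squashes punctuation inside each word. It also merges runs of single-character words (“v i a g r a”), which goes beyond the guide's two examples. The token list SPAM_TOKENS is a hypothetical stand-in for the dictionary.

```python
import re

# Hypothetical dictionary of tokens to look for; the guide does not
# publish STA's real token set.
SPAM_TOKENS = {"viagra", "lottery"}

_HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
_HTML_TAG = re.compile(r"<[^>]*>")
_NON_ALNUM = re.compile(r"[^a-z0-9]+")


def normalize_words(text: str) -> list:
    """Strip HTML comments and tags, lowercase, squash punctuation inside each
    whitespace-separated word ("v.i.a.g.r.a." -> "viagra"), then join runs of
    single-character words ("v i a g r a" -> "viagra")."""
    text = _HTML_COMMENT.sub("", text)
    text = _HTML_TAG.sub("", text)
    squashed = []
    for word in text.lower().split():
        word = _NON_ALNUM.sub("", word)
        if word:
            squashed.append(word)
    merged, run = [], []
    for word in squashed:
        if len(word) == 1:
            run.append(word)
            continue
        if run:
            merged.append("".join(run))
            run = []
        merged.append(word)
    if run:
        merged.append("".join(run))
    return merged


def extract_tokens(text: str, dictionary=SPAM_TOKENS) -> list:
    """Return the dictionary tokens present in the normalized text, in order of
    first appearance, without duplicates."""
    found = []
    for word in normalize_words(text):
        if word in dictionary and word not in found:
            found.append(word)
    return found


if __name__ == "__main__":
    for sample in ("vi<spam>ag<spam>ra", "v.i.a.g.r.a.", "V I A G R A now"):
        print(sample, "->", extract_tokens(sample))
```

The single-character merge is a trade-off: it also glues legitimate one-letter words to their neighbours, so a production implementation would score such hits rather than treat them as certain.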

Content Scanning

Pattern based message filters can be defined to match the content of an entire mail message, including attachments. This type of Pattern Filter is used with the Content Scanning feature.

9. Select the Match Option.

• Contains — Looks for the text anywhere within a line or field. This allows for spaces or other characters that would make an exact match fail.

• Ends with — Looks for the text at the end of the line or field (no characters, spaces, and so on between the text and the non-printed end-of-line character).

• Matches — The entire line or field must match the text.

• Starts with — Looks for the text at the start of the line or field (no characters between the start of the line and the text).

• Reg Exp — Enter a regular expression to match the text.

10. Enter a text Pattern (case insensitive) to search for in the message.

You may also use Regular Expressions which allow you to specify match rules in a more flexible and granular way. They are based on the standard POSIX specification for Regular Expressions.

For example, to search for a blank message field, use the following regular expression:

^subject:[[:blank:]]*$

Although the Regular Expression feature is supported, WatchGuard cannot help with devising or debugging Regular Expressions because the expressions have an infinite variety and can be very complex. Using Regular Expressions is not recommended unless you have advanced knowledge of their use.
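The following Python is an added example, not code from the guide or from WatchGuard, that evaluates the five match options above against a set of constructed header lines, including the blank-subject expression from step 10. One practical caveat it handles: the guide's expressions use POSIX bracket classes such as [[:blank:]], which Python's re module does not understand, so the example translates a small set of them before compiling. The function names and the sample headers are assumptions for the demonstration.

```python
import re

# Subset of POSIX bracket classes, translated for Python's re module, which
# does not understand [[:blank:]] and friends. Extend as needed.
_POSIX_CLASSES = {
    "[:blank:]": r" \t",
    "[:space:]": r"\s",
    "[:digit:]": r"\d",
    "[:alpha:]": r"a-zA-Z",
    "[:alnum:]": r"a-zA-Z0-9",
}


def posix_to_python(pattern: str) -> str:
    """Rewrite POSIX classes inside brackets: "[[:blank:]]" becomes "[ \\t]"."""
    for posix, py in _POSIX_CLASSES.items():
        pattern = pattern.replace(posix, py)
    return pattern


def field_matches(field: str, option: str, pattern: str) -> bool:
    """Evaluate one pattern against one line or header field, case-insensitively.

    The line terminator is removed first, so "Ends with" means nothing sits
    between the text and the end of the line, as the guide describes.
    """
    line = field.rstrip("\r\n")
    if option == "Contains":
        return pattern.lower() in line.lower()
    if option == "Starts with":
        return line.lower().startswith(pattern.lower())
    if option == "Ends with":
        return line.lower().endswith(pattern.lower())
    if option == "Matches":
        return line.lower() == pattern.lower()
    if option == "Reg Exp":
        return re.search(posix_to_python(pattern), line, re.IGNORECASE) is not None
    raise ValueError(f"unknown match option: {option!r}")


def scan_headers(header_lines, option: str, pattern: str) -> list:
    """Return the header lines that the (option, pattern) pair would hit."""
    return [h for h in header_lines if field_matches(h, option, pattern)]


# Constructed sample headers, not taken from the guide.
SAMPLE_HEADERS = [
    "Subject: ",
    "Subject: Invoice 4471",
    "Subject:",
    "From: billing@example.com",
    "List-ID: <announce.example.com>",
]

if __name__ == "__main__":
    # Blank subject: matches the two subject lines with nothing after the colon.
    print(scan_headers(SAMPLE_HEADERS, "Reg Exp", "^subject:[[:blank:]]*$"))
    # Contains finds the word inside a longer line; Matches requires the whole line.
    print(scan_headers(SAMPLE_HEADERS, "Contains", "invoice"))
    print(scan_headers(SAMPLE_HEADERS, "Matches", "invoice"))
```

Before putting a regular expression into a filter that rejects or discards mail, run it over a sample of real headers in Just Log mode first; the blank-subject expression, for instance, also hits a subject line consisting only of tabs.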


11. Select a Priority for the filter (High, Medium, Low).

The entire message is read before making the decision about which filter to use. If a message matches multiple filters, the filter with the highest priority will be used. If more than one matched filter has the highest priority, the filter with the strongest action will be used, in order from strongest to weakest (Bypass, Reject, Discard, Quarantine, Certainly Spam, PostX Encrypt, Archive, Redirect, Trust, Relay, Accept, Just log).

Discard, Quarantine, and Redirect are actions available when creating a custom Pattern Filter action in the Pattern Filter preferences screen.

If more than one matched rule has the highest priority and highest action, then the filter with the highest rule number will be used.
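The three-stage tie-break described above (priority, then action strength in the listed order, then rule number) is easy to get wrong when reviewing a filter set by hand. The Python below is an added example, not the appliance's code, that implements it over a constructed list of matched filters and reports which stage decided the outcome. The rule numbers, names and the ranking of actions that the guide does not place in its ordered list (BCC, Do Not Train, custom actions are treated as weakest) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

PRIORITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Action strength in the order the guide lists it, strongest first.
ACTION_STRENGTH = [
    "Bypass", "Reject", "Discard", "Quarantine", "Certainly Spam",
    "PostX Encrypt", "Archive", "Redirect", "Trust", "Relay", "Accept",
    "Just log",
]
ACTION_RANK = {a: len(ACTION_STRENGTH) - i for i, a in enumerate(ACTION_STRENGTH)}


@dataclass(frozen=True)
class MatchedFilter:
    rule_number: int   # position in the pattern filter list
    name: str
    priority: str      # "High", "Medium" or "Low"
    action: str


def rank(m: MatchedFilter):
    """Sort key: priority first, then action strength, then rule number.
    Actions absent from the guide's ordered list get rank 0 (assumption)."""
    return (PRIORITY_RANK[m.priority], ACTION_RANK.get(m.action, 0), m.rule_number)


def select_filter(matched) -> Optional[MatchedFilter]:
    """Pick the one filter whose action applies to a message that matched several."""
    if not matched:
        return None
    return max(matched, key=rank)


def decisive_criterion(matched) -> str:
    """Report which stage of the tie-break chose the winner: "priority",
    "action" or "rule number". A single match is reported as "priority"."""
    top = max(PRIORITY_RANK[m.priority] for m in matched)
    at_top = [m for m in matched if PRIORITY_RANK[m.priority] == top]
    if len(at_top) == 1:
        return "priority"
    strongest = max(ACTION_RANK.get(m.action, 0) for m in at_top)
    at_strongest = [m for m in at_top if ACTION_RANK.get(m.action, 0) == strongest]
    if len(at_strongest) == 1:
        return "action"
    return "rule number"


# Constructed sample: four filters that all matched the same message.
SAMPLE_MATCHES = [
    MatchedFilter(1, "log-newsletter", "Low", "Just log"),
    MatchedFilter(2, "accept-partner", "High", "Accept"),
    MatchedFilter(3, "quarantine-card-numbers", "High", "Quarantine"),
    MatchedFilter(4, "quarantine-id-numbers", "High", "Quarantine"),
]

if __name__ == "__main__":
    winner = select_filter(SAMPLE_MATCHES)
    # Rule 4 wins: High beats Low, Quarantine beats Accept, and 4 > 3.
    print(winner.name, "chosen by", decisive_criterion(SAMPLE_MATCHES))
```

Note what this implies operationally: a High-priority Accept filter for a partner domain does not protect that partner's mail from a High-priority Quarantine filter that also matches, because Quarantine is the stronger action. If the exemption is meant to win, it needs Bypass (or a priority the blocking filters do not share).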

12. Select an Action to perform when a rule has been triggered:

• Bypass — Allow this message to bypass all Intercept Anti-Spam and Content Control (Attachment Control, Content Scanning, Malformed Message, and OCF) processing. This action will override other Pattern Filter actions for the same priority. This action does not bypass Anti-Virus scanning.

• Trust — This mail is considered trusted and from a legitimate source. This message will not be processed for spam. Mail will be trained as legitimate mail.

• Reject — Mail is received, then rejected before the close of the SMTP session. The message is trained as spam if Train is also selected.

• Relay — The message can be relayed externally. The message will be trained as legitimate mail or spam, as determined by Intercept Anti-Spam, if Train is also selected.

• Accept — Mail is accepted and will be delivered regardless of whether the message is considered spam. The message is trained as legitimate mail if Train is also selected.

• Certainly Spam — Mail is received, trained as spam, and then the Intercept action for Certainly Spam is applied.

• Just Log — Take no action, but log the occurrence. Just Log can be used to override other lower priority Pattern Filters to test the effect of Pattern Filters without an action taking place.

• PostX Encrypt — The message is encrypted using the Encryption Option if enabled.

• BCC — Send a blind carbon copy of the mail to the mail address specified in Action Data. This option only appears if you have a BCC email address set up in the Preferences section.

• Do Not Train — Do not use the message for Token Analysis training purposes.

• Configurable Actions — There are several configurable actions that can be defined by the administrator by clicking the Preferences button. When defined, these actions will appear in this list.

• Encrypt — Redirects the message to an encryption server.

• Decrypt — Redirects the message to a decryption server.

• Archive (High, Medium, Low) — Redirects the message to an archiving server.

The Relay or Trust action can only be used with an Envelope message part because attempted relays must be rejected immediately after the envelope transaction.
