Filters: Expanded Overview

Situation – You wish to create a custom filter.

Solution – Expanded Detailed Overview of the Filter Creation Process. This Includes all Conditions and Rules.

You can approve or block specific senders and recipients, based on the email address, domain, subdomain, attachment type, email size, words in the email or header, source country or destination country. The Anti-Spam service detects spam by applying hundreds of rules to each message that passes through. It blocks obvious spam outright and diverts what is possibly spam to the Quarantine. If you discover that some quarantined messages are actually good mail that just looks like spam, add the senders of those messages to an appropriate approved-senders list. If a number of quarantined senders are from the same domain, such as the same company, add the domain to an appropriate approved senders list. Messages from those senders are then delivered to users in your organization, regardless of the spam-like content. To avoid the risk of increasing spam traffic, approve only specific senders whose messages might look like spam, rather than approving all of your known senders. Also, avoid approving too many domains, as that can increase the risk of spoofing.

There are 3 steps to creating an email filter:

Step 1: Start Creation

  • Click a New Filter, name it, and choose if it is an inbound or outbound filter.

Step 2: Scope (Applies Only If You Are Not An End-User)

  • The scope is who this rule applies for. There can be various selections
    • Entire organization
    • Single user
    • Groups

Step 3: Select IF Conditions

  • Sender Address – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Recipient Address – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Email Size (KB) – A specified size of an email including the attachment to an exact whole number.
  • Client IP Country – Country list; input a country (? – we need the library file or source here)
  • Email Subject – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Email Headers – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Email Message Content – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Raw Email (Up To 10000 Lines) – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Attachment Type – choose from pre-defined types (see the list of files)
  • Attachment Name – create a rule-based upon a file name/type that is not part of the pre-defined type.
  • Smart Identifier Scan – See linked KB for this DLP product
  • Dictionary Scan – See linked KB for this DLP product

Step 4: Rule Narrative

  • See below for the full list of narratives to choose from.

Step 5: Add Another Condition (For IF)

  • Repeat steps 3 and 4 for adding more than 1 condition

Step 5: Select Do Condition

  • Quarantine – put in the quarantine (see below for exception)
  • Allow – does not scan message
  • Nothing – scan message as normal; and can add additional actions below
    Override the Previous Destination – If selected, this option will ignore the destination that another filter may have applied to this message.

Step 6: Add Another Condition (For DO)

  • Alert Tech Contact – an email alert would be relayed to the Tech contact address
  • Alert Specified Users – Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols
  • Hide log – Will hide the email from logs/digest from ALL users (except for Spambrella Support)
  • Hide log from Non-admin Users – Will hide the email from logs/digest from all end-users
  • Stop processing additional filters – Will stop processing any additional filters
  • Require admin privileges to release – Requires an administrator to release the email
  • Enforce completely secure SMTP delivery – Requires a certificate for TLS delivery (Certificate cannot be self-signed or contain errors, and must match the domain exactly on the certificate, excluding a wild card certificate)
  • Enforce only TLS on SMTP delivery – Does not require a certificate

Override Previous Destination – If selected, this option will ignore the destination that another filter may have applied to this message.This override means we can stop another rule’s DO action from performing.

Rule Narrative

Upon selecting a condition, the rule narrative will populate based upon the condition.

RULE

  • Sender Address – Choose the condition you want to match the sender address to, then enter the string of characters.
    • IS
    • IS NOT
  • Recipient Address – Choose the condition you want to match the recipient address to match against, then enter the string of character.
    • IS
    • IS NOT
  • Email Size (KB) – The size of the message is either greater or less than a specified whole number.
    • IS GREATER THAN
    • IS LESSER THAN
  • Client IP Country – The conditions will compare against the listed country inputted.
    • IS
    • IS NOT
  • Email Subject – Choose the condition you want the subject to match against, then enter the string. (This is an EXACT match only.)
    • IS
    • IS NOT
  • Email Headers – Choose the condition you want the header to compare with, then enter the string.
    • CONTAIN(S) ALL OF
    • CONTAIN(S) ANY OF
    • CONTAIN(S) NONE OF
  • Email Message Content – Choose the condition you want the message body to compare with, then enter the string.
    • CONTAIN(S) ALL OF
    • CONTAIN(S) ANY OF
    • CONTAIN(S) NONE OF
  • Raw Email (Up To 10000 Lines) – Choose the condition you want the message body to compare with, then enter the string.
    • CONTAIN(S) ALL OF
    • CONTAIN(S) ANY OF
    • CONTAIN(S) NONE OF
  • Attachment Type – Choose what attachment condition you want
    • IS
    • IS NOT
    • Manage (Attachment types)
      • Windows executable components, installers and other vulnerabilities
        • MS executable – *.exe
        • MS binary libraries – *.dll
        • MS executable scrpits – *.bat
        • Visual Basic files – *.vb
        • Other vulnerable MS files – *.ms_vul
        • MS/Installshield Cabinet files – *.cab
      • Other executable components and installers
        • Other executables – *.unix_exe
        • UNIX-like libraries – *.unix_dll
        • Java binaries – *.java
        • OS X DMG files – *.dmg
        • OS X install scripts – *.mpkg
        • Debian/RedHat packages – *.debrpm
      • Office documents and archives
        • MS Office, pre-2007 – *.ms_of
        • XML, Zip, and newer Office documents – *.zipxml
        • MS Access – *.ms_ac
        • Other *Office files – *.doc_other
        • Rich Text Format files – *.rtf
        • Tape archives – *.ar_tape
        • Compressed files – *.ar_file
        • Other compressed archives – *.ar_other
        • PDF files – *.pdf
        • PostScript – *.ps
        • TeX DVI files – *.dvi
        • LaTeX documents – *.lat
      • Audio/Visual
        • Macromedia Flash data – *.flash
        • Images – *.images
        • Vector graphics – *.vgfx
        • Windows Metafiles – *.wmf
        • Cursors and icons – *.ani
        • Multimedia/video containers – *.mmedia
        • MPEG audio/video – *.mpeg
        • RealNetworks audio/video – *.real
        • Windows Media audio – *.wma
        • FLAC audio – *.flac
        • AIFF audio – *.aiff
        • WAVE audio – *.wav
        • MIDI audio – *.midi
        • Any ‘audio/’ MIME type – *m_au
        • Any ‘image/’ MIME type – *.m_im
        • Any ‘video/’ MIME type – *.m_vi
      • Other
        • PGP encrypted data – *.pgp
        • Undecipherable attachments – *.undeciph
  • Attachment Name – Choose the condition then enter the string of what you want to proceed with
    • IS
    • IS NOT
  • Smart Identifier Scan – See linked KB for this DLP product
  • Dictionary Scan – See linked KB for this DLP product

Further reading:

About Filters

Creating a Filter

Filter Email from a Specific Country of Origin