Content filtering after quarantine

Hi,
does anyone know if it's possible to reapply the content filtering to a mail that has been quarantined by one content filter?
For example, if I set up 10 content filters and the 2nd one quarantines the message because of particular content, and the administrator checks the mail and then accepts it, the mail needs to pass through the remaining 8 content filters and not be immediately delivered to the recipients.
Is it possible?
Thank you.

A quarantine action on a content filter does not immediately deliver the message to the quarantine, as it is a non-final action (unless you have included a deliver() action on the filter); it only flags it for quarantine. The message will pass through the rest of the email pipeline (including any other content filters) and, assuming that it does not get any other final actions (drop, bounce, deliver), the email will then be quarantined (and it can be quarantined in multiple quarantines depending on results from other filters). When the message is released, it will be rescanned for viruses, if you have antivirus scanning enabled, before it is delivered, but it will not be subject to any other filters.

Similar Messages

  • Message/Content filters & SLBL

    Hi There,
    I couldn't find an answer to this question in the Knowledge base, so hopefully someone here can help me out.
    Is there a way to get a message filter or content filter to know what the recipient user has done to a message in their Safelist/Block list?
    Here is the message filter I have currently:
    QuarantineSuspectSBRSEmails: if (reputation > -3.0) AND (reputation <= -1.0) {
        insert-header("X-IronPort-Quarantine", "Quarantine");
    }
    I'm planning to move this message filter into content filters as I just realized I'm adding unneeded load by processing the message BEFORE checking it for spam, and where I would only need this filter to be checked on the inbound only.
    But still, I cannot seem to find a way to make content filters check the end user's SLBL list to take action on the message. Does anyone have a suggestion on what I can do?

    The safelist/blocklist (SLBL) is applied after message filters and before the anti-spam scanning by a per-recipient policy. If a sender address is part of an end user's safelist, anti-spam scanning is skipped, and if the sender address is listed in the blocklist, the message may be quarantined or dropped depending on administrator settings.
    So, when the message comes in, the recipient has either seen this sender or has never seen this sender before. If they've never seen this sender, then it proceeds like normal.
    If the recipient has seen it before and has decided to mark it a certain way, the recipient either categorizes it in their Safelist (i.e. whitelist) or categorizes it in their Blocklist (i.e. blacklist, by dropping or quarantining).
    Can you give an example of what the content filter would do if it received one of these types of messages? Are you trying to use a combination of the inbound content filter and the user's safelist/blocklist to predict what the end user would do with connections coming in with an SBRS score between -3 and -1?

  • Help with content Filtering

    Hi all,
    I have set up some content filters on our C300 appliance.
    One of the filters checks for attachments of type media and puts the email into a quarantine area.
    Another filter checks for attachments of type image and sends a notification to the recipient that they have a restricted attachment and attaches the original email to the notification.
    The problem I have come across is that if the email has both a media and an image attachment, the email is classed as restricted and sent to the user as an attachment of the notification.
    We do not want our users to be able to receive attachments of type media regardless of what other attachments are in the email.
    Has anyone come across this before and do you know of a way to get this to work correctly?
    Thanks,
    David

    I would assume that the Deliver action on the Media filter would deliver the email to the end user? This is not what I want to happen.
    Would it be better to have it Drop the email after it has quarantined it? It would then go into the quarantine area and drop the message?
    No, you do actually want "deliver".
    When you quarantine something, in effect what happens is that it's marked for delivery to the quarantine rather than the real destination for that message - but not actually sent there at that stage.
    When the message gets to the end of the processing, it's then delivered - and will make its way to the quarantine rather than your mail server.
    So by putting a "deliver" directly after the "quarantine" you'll actually deliver it immediately to the quarantine. If you were to use a "drop" then it would be marked for delivery to the quarantine, and then dropped, so it would never make it there.
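
The behaviour described in the answer at the top of this page and in the reply just above (quarantine only flags the message; deliver, drop and bounce are final) can be shown with a small Python model. This is an added example, not vendor code and not from the original posts; the class names, the `notify-with-original` action name and the sample message are constructed for illustration.

```python
"""Simplified model of the content-filter pipeline described in this thread.
Added illustration only: not vendor code; every name here is hypothetical."""
from dataclasses import dataclass, field
from typing import Callable

FINAL_ACTIONS = {"deliver", "drop", "bounce"}    # these stop filter processing


@dataclass
class Message:
    attachments: set                                   # constructed sample data
    quarantines: list = field(default_factory=list)    # flags set by quarantine
    side_effects: list = field(default_factory=list)   # e.g. notifications sent
    filters_run: list = field(default_factory=list)    # audit trail of filters


@dataclass
class ContentFilter:
    name: str
    condition: Callable      # Message -> bool
    actions: list            # e.g. [("quarantine", "Media"), ("deliver", None)]


def run_pipeline(msg, filters):
    """Evaluate filters top-down and return the final disposition."""
    final = None
    for f in filters:
        msg.filters_run.append(f.name)
        if not f.condition(msg):
            continue                              # IF not met: actions skipped
        for action, arg in f.actions:
            if action == "quarantine":
                msg.quarantines.append(arg)       # only a flag, not a delivery
            elif action in FINAL_ACTIONS:
                final = action
                break
            else:
                msg.side_effects.append((action, arg))
        if final:
            break                                 # later filters never run
    if final in ("drop", "bounce"):
        return final                              # quarantine flags are lost
    if msg.quarantines:                           # end of pipeline or deliver
        return "quarantined:" + ",".join(msg.quarantines)
    return "delivered"


def release(msg, antivirus_enabled=True):
    """Release from quarantine: antivirus rescan only, no content filters."""
    return (["antivirus"] if antivirus_enabled else []) + ["deliver"]


def has(kind):
    return lambda m: kind in m.attachments


def demo(media_actions):
    """Media filter first, image notification filter second, message has both."""
    filters = [
        ContentFilter("media", has("media"), media_actions),
        ContentFilter("image", has("image"),
                      [("notify-with-original", "recipient")]),
    ]
    msg = Message(attachments={"media", "image"})      # constructed sample
    return run_pipeline(msg, filters), msg.filters_run, msg.side_effects


if __name__ == "__main__":
    # quarantine alone: the image filter still runs and the notification,
    # carrying the original mail, still goes to the recipient
    print(demo([("quarantine", "Media")]))
    # quarantine + deliver: straight to the quarantine, image filter skipped
    print(demo([("quarantine", "Media"), ("deliver", None)]))
    # quarantine + drop: dropped before it ever reaches the quarantine
    print(demo([("quarantine", "Media"), ("drop", None)]))
    print(release(Message(attachments=set())))
```
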

  • Content filters based on Group Best Practice

    What is best practice for content filters based on group?
    What we want to accomplish:
    We have a few groups, but I'll give an example with two.
    We have one group that is allowed "Media" and another group that is allowed "Exe".
    What is best practice if one user is in both groups?
    How would you do content filtering?
    I don't see in the content filtering conditions
    if (Envelope Recipient does not match group) then Block.
    Is the best way to first create
    If (attachment.type="Media") then (insert header="sometext");
    and after, in a content filter below,
    if (Envelope Recipient) and (Header does not contain "sometext") then Block?

    Hi,
    I understand that I will have to use BPM. What is the best way?

  • Time pattern to allow user breakthrough URLFilter over IOS content filtering

    Hi,
    I have a client who asked me to create such a thing for them over IOS content filtering + a Trend Micro based subscription (at this point I'm not sure whether it is feasible or not).
    The scenario would be:
    Group 1 of users is the marketing subnet; from 0800 to 1700 hours they are prohibited from accessing any of the blacklisted sites (either from the local and/or Trend Micro reputation/category blacklist URLs).
    Is there any way I can enable the router to recognize the time and then let users gain access after 1700 hours?
    Can TCL do this? Is there any other way to do this?
    thank you
    Noel

    Hi Carlos,
    I am having the same problem.  I have seen a few different configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the IOS documentation for 15.2.  Maybe they forgot it :-)
    I guess I will open a TAC case as I do not want to downgrade...
    I will keep you posted if I find the answer.
    Regards,
    Troy

  • IOS web content filtering cannot get trend micro filter

    Hi, I'm just wondering how I can get my router's content filtering to connect to the trps.trendmicro.com server again. Previously it connected to the server successfully; after I made some changes to my zone-pair firewall, it cannot connect to the Trend Micro server anymore.
    sh ip trm subscription status shows that I am successfully connected and registered.
    I followed the installation guide accordingly, then I turned on debug crypto pki validation and debug ip trm detail; all show a successful connection to the Trend Micro site.
    parameter-map type trend-global <param> is pointing to trps.trendmicro.com; my class-map and policy-map haven't had any changes since the last successful connection.
    The zone-pair setting is also attached to the right policy-map that serves service-policy urlfilter <name>.
    Overall, after my zone-pair firewall is UP again, my web content filtering is gone, while registration is made.
    Does anyone have any idea what really happened?
    thanks
    Noel

    Hi Yongkhang,
    I think in order to figure out what is happening, we need to troubleshoot and see the config, data and other show commands.  I'm not sure if you would feel comfortable posting that here.  Therefore, I think it's best to open up a case with TAC on it so that it can be troubleshot to see why you can't access the Trend Micro server.
    Can you let me know what you mean by when you turn on your ZBF, your web content filtering is gone?  Are you saying, when you turn on ZBF, the web content filtering is no longer blocking or allowing sites?
    Have you run the following debugs?
    debug ip urlfilter detail
    debug ip urlfilter event
    debug ip urlfilter function-trace
    Also, what does this show:
    show policy-map type inspect zone-pair urlfilter
    Are you sure you have the class maps in the proper order, since it's processed sequentially?
    regards,
    scott

  • IOS content filtering on trend micro subscription

    Hi,
    I just finished setting up IOS content filtering on a C1841. Basically it's a combo of local filtering and Trend Micro subscription based filtering. All the parameter-map, class-map, policy-map and zone firewall settings are up and ready to go.
    Some questions to ask:
    1. How do I check whether Trend Micro content filtering on its REPUTATION and CATEGORIES is really working?
    As usual, after setting up these commands:
    parameter-map type trend-global MY-GLOBAL-PARAM
    server trps.trendmicro.com
    parameter-map type urlfpolicy trend MY-PARAM
    allow-mode on
    block-pass message "bla-bla-bla"
    class-map type urlfilter trend match-any trend-block-categories
    match url category Adult-Mature-Content
    class-map type urlfilter trend match-any trend-block-reputation
    match url reputation ADWARE
    policy-map type inspect urlfilter MY-ACTION
      parameter type urlfpolicy trend MY-PARAM
      class type urlfilter trend trend-block-categories
      reset
      class type urlfilter trend trend-block-reputation
      reset
    So for my zone firewall policy:
    policy-map type inspect out->in
    class type inspect trafic
    inspect
    service-policy urlfilter MY-ACTION
    Then I apply the zone-pair to the outside and inside interfaces, and everything is set to go.
    So far, all I can block is by using the URL blacklist to block the whole domain. How can I leave it all to the Trend Micro subscription license?
    noel

    Hmm... no thoughts over the weekend. Anyone?

  • RV220W - Content Filtering and Tivo

    After using an RV220W in the office for some time I decided to upgrade my old WRVS4400N V1 with one - in line with Cisco recommendations. I am using the latest firmware 1.0.4.17.
    One problem I have is that a Tivo device will not connect to its content servers in the outside world when any Content Filtering is active. I have tried setting up a firewall rule to give complete outbound access for the device for all services but that did not help. The only thing that allows the Tivo to connect properly is to either turn off Content Filtering completely - in which case some of the router protection is lost, or to select some other port in the HTTP port selection box (I tried port 79) - in which case content protection functionality on port 80 is also lost. I have also tried turning off (deselecting) all the other content filtering options but the device still cannot connect if Content Filtering is enabled.
    It seems to me that setting a firewall rule to allow ALL outbound from the device should be enough to allow connection. What is Content Filtering doing that prevents this device from connecting? And why can't I override it with the firewall rules? This seems to be the same as an old thread many releases of firmware ago:   RV220W - Connecting to TiVo mothership w/ ProtectLink
    Why is this the only router that seems to have this problem? Will it cause other issues?
    If this is because of some internal behaviour of the ruleset then Content Filtering needs to be able to be excluded for a "trusted" internal IP address.
    thanks,
    David Wyatt

    Hello,
    I've opened case # 621056469. The support engineer told me that he'll try to reproduce the problem on his side, and contact me back for remote testing on my own router. If the issue is already known, does it have some kind of ref number so that I can inform him ? Is a fix already planned for  a future firmware release ?
    Thanks for your help.

  • Is there a list of what 4G devices support content filtering

    Long story short, I am due for a device upgrade in a few months. I have been happy with Verizon's coverage, but have been using a 3G phone for the past few months because I need the content filtering on it.  Such content filtering does not appear to be available on the Razr M that I was using.  From what I've been able to find out, content filtering is only available on 4G on certain phones.  I'm ok with that.  I can't seem to find a list of what models content filtering is available on and what models it isn't. 
    Content filtering is a service I absolutely need.  I've been happy with Verizon's coverage and service, but I can't keep using a 3G phone forever and would like to move to 4G for obvious reasons so I need to find a phone that will work with content filtering on Verizon which is why I'm looking for a list of models that support content filtering.  If I can't find a 4G model that supports content filtering I may have to switch providers.  I really hate to do this for obvious reasons, but this is a service that is vital to me. 

    It would seem this web site will answer your question.
    https://m-support.verizonwireless.com/support/terms/products/content_filtering.html
    It makes note of Blackberry devices not being compatible; see note:
    The service does not work on most Push To Talk devices, any device with a static Internet Protocol address or on search results provided through the Get It Now Search application. The Internet filtering capabilities of the service do not work on phones using WiFi, Mobile Web 1.0, BlackBerry devices or on devices that use Venturi Compression Software, including phones tethered to PCs or PC cards, unless the compression software is turned off. Internet filtering will not work on most advanced devices until you have turned the device off and back on after every Content Filter setting change. The music filtering capabilities of the service do not work on phones with Verizon Music v1.0 software. Call 800-922-0204 or 611 from your handset if you are on a corporate calling plan to determine eligibility to use the service and to activate the service.
    Good Luck

  • ByPass Content Filtering

    We have several content filters set up on an incoming policy: Profanity, Image Scanning and account numbers.
    We get a lot of newsletters that are quarantined by these filters (mainly profanity).
    I am compiling a list of sender addresses in a dictionary. How can I set this list of senders to bypass the content filtering?

    Correct, if the message doesn't meet the IF condition, then the ACTION will not be applied and the message will continue evaluating the other content filters. It's a top-down design, so order of precedence is very important. The deliver() action, like the drop() action, is a final action and allows you to stop processing further content filters.
    Congrats on the new appliance. I'm sure your employees will see a noticeable decrease in the spam they normally get.
    By the way, the online support portal has additional resources that you can benefit from: the Support portal knowledge base and the Email documentation section that goes over the advanced stuff like LDAP. (joy joy)

  • High Amount of Spam on Exchange 2013 - Content Filtering is Enabled but Pfizer Spam Filling Up Everyone's Mailboxes

    Hello
    Previously I used Exchange 2010 with Forefront Threat Protection installed and this used to do a good job of stopping all the spam.
    However since updating to Exchange 2013 earlier this year and enabling the integrated spam filtering everyone noticed a sudden increase in the amount of spam which was getting through which has been bad for a long time.
    We have been living with it but in the last 3 weeks everyone has started getting about 40 emails a day from Pfizer for Viagra. All these seem to defeat the content filtering as Viagra is spelt with an extra I and the email address is always different.
    Also images in emails are blocked by default but somehow all the images on these spam messages appear for everyone.
    I am not sure the spam filtering is working at all and I'm not sure how to tell as ForeFront gives you a nice graphical dashboard but I can find nothing similar to this in Exchange and PowerShell seems the only way to configure the limited functionality of the content filter.
    Is there any way to get rid of these messages as it doesn't look very good when they are constantly popping up for everyone?
    Thanks
    Robin
    Robin Wilson

    Hello ManU
    Thanks for the reply.
    I have checked the logs and see this quite often:
    AcceptMessage,,SCL,not available: policy is disabled
    But other times it says this:
    RejectMessage,550 5.7.1 Message rejected as spam by Content Filtering
    Which seems to indicate it is rejecting some.
    This is what one of the email headers look like:
    Received: from RWS-MAIL.rwsservices.net (192.168.2.151) by
    RWS-MAIL.rwsservices.net (192.168.2.151) with Microsoft SMTP Server (TLS) id
    15.0.775.38 via Mailbox Transport; Sat, 28 Dec 2013 10:59:26 +0000
    Received: from RWS-MAIL.rwsservices.net (192.168.2.151) by
    rws-mail.rwsservices.net (192.168.2.151) with Microsoft SMTP Server (TLS) id
    15.0.775.38; Sat, 28 Dec 2013 10:58:38 +0000
    Received: from [90.169.106.204] (90.169.106.204) by mail.rwsservices.net
    (192.168.2.151) with Microsoft SMTP Server id 15.0.775.38 via Frontend
    Transport; Sat, 28 Dec 2013 10:58:37 +0000
    Date: Sat, 28 Dec 2013 12:05:58 +0200
    From: US.Pfizer eStore <[email protected]>
    To: robin.wilson <[email protected]>
    Message-ID: <[email protected]>
    Subject: Dear robin.wilson up to 65% OFF!
    X-Mailer: Airmail (223)
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="dd2ee3ea_586bb9e4_6f04"
    Return-Path: [email protected]
    X-MS-Exchange-Organization-PRD: 001-taxis.co.uk
    X-MS-Exchange-Organization-SenderIdResult: Neutral
    Received-SPF: Neutral (rws-mail.rwsservices.net: 90.169.106.204 is neither
    permitted nor denied by domain of [email protected])
    X-MS-Exchange-Organization-Network-Message-Id: e8825204-1f32-48be-a331-08d0d1d30209
    X-MS-Exchange-Organization-SCL: 1
    X-MS-Exchange-Organization-PCL: 2
    X-MS-Exchange-Organization-Antispam-Report: DV:3.3.13223.464;SID:SenderIDStatus Neutral;OrigIP:90.169.106.204
    X-EXCLAIMER-MD-CONFIG: 079171ba-394f-46d5-a160-56e416712e8e
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: rws-mail.rwsservices.net
    X-MS-Exchange-Organization-AuthAs: Anonymous
    The emails use a different sender email address every time and there is always a poem in very light grey writing in the body of the email. The drugs are always misspelt as well. Is this why these are getting through?
    Thanks
    Robin
    Robin Wilson

  • Exchange 2013 SP1 EDGE role content filtering ?

    Hello,
    I have Exchange 2013 SP1 with CU5 with antispam enabled on the mailbox role server. I wonder, if I deploy the 2013 Edge role, will I get more granular content filter control, like there is in Office 365? For example: I want to treat empty messages as not spam.
    I have read that control of the Edge server is done ONLY by PowerShell. So if the Edge role is deployed, is there still no content filter control in ECP (like in Office 365)?

    Hi,
    The Content Filter agent assigns a spam confidence level (SCL) rating to each message. The SCL rating is a number between 0 and 9. A higher SCL rating indicates that a message is more likely to be spam.
    Based on my knowledge, I'm afraid we can't filter the empty messages and treat them as not spam.
    Here is an article about content filtering in Exchange 2013 for your reference.
    Content Filtering
    http://technet.microsoft.com/en-us/library/bb124739(v=exchg.150).aspx
    Best regards,
    Belinda Ma
    TechNet Community Support

  • Conditions based on "EnvelopSender" in Content Filters

    When defining Content Filters, I need to define conditions based on the sender of an email. For example, if the sender is Jim or John, and the Subject line contains a tag [CONFIDENTIAL], the action should be to encrypt the message.
    I realize this could easily be done using LDAP groups. But my problem is that for a number of operational reasons I cannot connect our IronPort to our corp LDAP.
    An alternative is to directly code the user names in the condition statement. This is ugly and problematic for admins and possibly causes other problems as the number of users grows. Could anyone suggest an alternative?
    Is there any option of having the Condition statement open a file and read the "sender" names from the file maintained somewhere on the local or a remote disk? Any other option?
    Thanks.

    I would suggest looking at creating a dictionary that would list the addresses of the individuals. You can use that dictionary as the basis for your planned action.  Using LDAP is by far the better option for keeping a list up to date, as the dictionary will need to be updated regularly as addresses change or are added or removed.

  • Using Content filters (HTML Filter)

    Hello.
    I'm having a problem displaying an HTML page in the portal with a URL iView. The problem is that the portal is accessed using HTTPS, and the URL iView links to an HTML page using HTTP.
    This will generate a popup in Internet Explorer about unsecure content.
    I thought that a way to solve this could be to connect KM to the page and then let the URL iView show the HTML page through the KM Repository.
    This works fine, however there is still one problem.
    Inside the HTML page, there are <IMG src> tags that refer to the HTTP site.
    How can I configure HTML filters to rewrite all image and stylesheet references via KM instead of to the HTTP site?
    I've tried to understand the documentation on Content Filters (http://help.sap.com/saphelp_nw04/helpdata/en/55/921d7bb0c611d5993800508b6b8b11/content.htm), but I don't know what to write in the "Base Tag" property, or if this even works.
    Does anyone know if there is an example about this? Or perhaps know how to configure this?
    Regards, Mikael

    This can be done, but it might not be an optimal solution. You would basically parse each HTML file and replace the links before streaming the content. You can create your own version of the com.sap.km.cm.docs component which streams the content of an HTML file by replacing the links. And you would use your own component for creating the KM doc iViews; that way you will have altered HTML links.

  • How can I add the audio content cd after logic finished installing ?

    There was an error installing the Audio Content CD 1 and I did not notice. Everything else installed properly, Audio Content CD 2, Jam Pack, but how can I add the Audio Content CD1 after Logic has finished installing?
    If you can help me please be very specific as to how to do it so that I can follow the directions properly.
    Please help me.
    Thanks

    Hi
    You could re-run the installer, or, once you have updated to Logic 9.1.8 you could use the "Download Additional Content" function in the Logic Pro menu. It will tell you what is installed and what is incomplete.
    CCT
