Help w/ Content Filter

Similar Messages

• Restricting email recipient domain with content filter

  Gents,
  I am looking to restrict email receipient domain to two with the help of content filter instead of using RAT table.
  Please help me out.

  I understand that you want mail to be rejected for all but 2 Recipient users/domains.  You also want to declare the users/domains via a Filter instead of in the RAT.  This is not recommended, here is why:
  - If you set the RAT to  'All Other Recipients' to 'Accept', other hosts may believe the ESA is an 'Open Relay' and may refuse mail from its IP.
  - Bouncing mail after acceptance can cause 'backscatter' emails.  This is where a mail server redistributes spam via bounces and it will cause some hosts to reject your mail.
  - If done incorrectly, can cause valid mail to bounce.
  - If done incorrectly, can make your ESA an Open Relay that can be abused by others.
  If you still wish to proceed knowing that the above risks, here are the high-level steps:
  1) Set 'All Other Recipients' to 'Accept' in RAT
  2) Create a new Incoming Mail Policy
   - Add the valid users and/or domains to this new Policy
  3) Create new Incoming Content Filter:
   - Rule: leave empty
   - Action: Bounce
  4) Disable all scanning on Default Incoming Mail Policy
  5) Apply the new Filter to the Default Incoming Mail Policy
  6) Verify that the new Incoming Mail Policy has appropriate scanning enabled
  This method works by accepting all mail sent to the ESA, even if it is for a domain you do not control or for an invalid recipient for a domain you do control.  When the messages reach the Incoming Mail Policies, valid recipients will match on the new Policy while every other address matches the Default Incoming Mail Policy.  Using the Policies in this way is required so that the message is 'splintered' before processing through most scanning features.  Now only users/domain that do not match your new Policy will be Bounced by the Content Filter.
  Again, I wish to stress that I do _not_ recommend this approach: it is far safer to simply list the valid users or domains directly in the RAT.
  - Jackie

• I need to find a family-friendly content filter for an old imac, please help!

  Hi, I really really need to find some kind of parental controls/adult content filter software that will block adult websites on an iMac 1.3.9. I have tried google but the only results that come up are not compatible with such an old computer. (of course, all of the newer computers have parental controls built into the system so they don't even need the software anyway, very frustrating) If you have any ideas or know of a specific software I can look for, please, please tell me, I would be so grateful. Thank you!

  all of the newer computers have parental controls
  So do the older ones.  Which OS are you using?  Read the Help Menu and/or search Knowledge Base on "how to set up parental controls."

• Can I set up a Content Filter that is Time/Date stamp dependent?

  My company would like to add an additional disclaimer text during Holidays where the company is closed.  It will say something like: "In observance of the 'XYZ' holiday, our offices will be closing at 3:00 PM on Friday, December........ and will reopen at 8:30 AM Monday.......".
  I was wondering if there is a way to set up conditions in an Outgoing content filter to only include that text if the email is sent between certain dates.
  This would allow me to set up the filters prior to the holidays and not have to manage them manually.
  I tried to do it via Exchange Transport rule, but I can't find a time/date dependent condition for the rules in Exchange.
  Thanks,
  Rachel    

  Hi Rachel,
  there is no way to archive this directly in content filters, an indirect way would be to use a message filter that adds an additional header (i.e. X-mas: true) during a specific period. For that, message filters provide the 'date' rule, i.e
  HolidayHeader:
  if ((date > '12/20/2012 13:00:00') and
       (date < '12/28/2012 12:00:00'))
  insert-header('X-mas', 'TRUE');
  You'd then create an outbound content filter matching on this header and inserting the specific footer if the header exists. Or, of course, you could have that action in the message filter already, however in that case you need additional conditions to make sure the rule applies on outbound messages only.
  Hope that helps,
  Andreas

• Content Filter - attachment stripping logic not working like I think it should

  Hello,
  I am working on a content filter for stripping file attachments - my logic is this:
  Condition: If File Type does NOT EQUAL file type Documents: attachment-filetype != "Document"
  Action: Strip File Attachment by File Info: drop-attachments-by-size(0 bytes) 
  My thought is that files that are not word docs, "test.ZIP" for example, would match the condition of not being a document. The match specifies that the action should then be performed on it - strip the attachment if it is over 0 bytes, which would be a match to any file. 
  Right now, it strip anythings, documents included...its like the condition does not exist. I considered using Message Filters at first, but I need to provide a replacement message with each attachment I strip. Thanks in advance for your help! 

  Hey Daniel
  Your understanding is correct to a point.
  The condition you set is correct, it will look for emails where attachments are NOT document files according to their mime structure.
  Once this condition is met (IE: test.zip)
  it will fall to the action
  Your action however is set to drop all attachments greater than 0 bytes.
  So for a setup like this I would suggest.
  First content filter:
  Attachment filetype is equal to "document"
  Action for this content filter :  skip remaining content filters
  Second content filter:
  (Either no condition or Attachment filetype is NOT "document")
  Action -> Strip if size greater than 0
  The reason why all attachment filetypes are being stripped and even document is the condition simply states what needs to be seen to trigger this action
  But this action is not set to exempt document files but to strip them all

• Attachment Content Filter not working

  I am trying to use the Attachement Content Filter to prevent the distribution of a sensitive document outside of our orginization. I have a filter that matches on the filename that works fine. However when I try to filter based on attachment contents it seems to not be working. I have selected a text string somewhat unique to the document that I would like to match on. The attached document is a PDF file. Is the attachment content scanner looking for a regexp match in the MIME encoded attachment maybe?
  Any help would be appreciated!

  Greetings,
  For this issue it would be advisable to open a support ticket. There are a couple of different issues that can cause this.  We would need to review the mail logs for the message in question to understand the issue.
  Christopher C Smith
  CSE
  Cisco IronPort Customer Support 

• Content filter not fixed, still stripping message body

  The content filter that arbitrarily strips out (part of) the body of my
  email messages is not fixed: http://forums.adobe.com/message/1867251#1867251
  Jochem
  Jochem van Dieten
  http://jochem.vandieten.net/

  I think I found out why the message body of my messages is stripped out. It appears Jive is filtering the content of email messages with the following regular expression:
  * Simple bean for storing the contents of an incoming email.
  public class Message {
      // ripped from EmailParserImpl
      private static final Pattern originalMessagePattern = Pattern.compile("(-{5,}|_{5,}|^.*wrote:$)(\\s*.*)*", Pattern.MULTILINE);
  My first impression is that this implementation is somewhet simplistic. For instance, it doesn't take into account whether you just quoted a single line or all of the message. For a great example of that, look at the House of Fusion email archives, where you can see selectiive quotes are allowed, but complete quotes of full messages are filtered out. It also doesn't do pattern matching on the standardized string that starts a signature.
  More insight into the behaviour of the email integration can be obtained from the sourcecode of the Jive advancedemail plugin. Although I am not sure it is the same version as Adobe is running, there are some comments and TODO's in the code about behaviour I am not seeing in the email from these forums, but it still helps to understand what is happening.

• Confusing about Message filter and Content filter

  I have a message filter do quarantine action:
  badbody: if body-dictionary-match("badbody", 1) {
  quarantine ("Policy");
  deliver();
  also I write a content filter 'good' to see what spams are missed by Ironport Antispam:
  Conditions (only if all conditions match):
  header("X-IronPort-Quarantine") != "^Policy$"
  header("X-Spam-flag") != "^(?i)YES$"
  Action:
  duplicate-quarantine ("good")
  deliver()
  I think these two rules could not occur both, because the filter badbody had sent the spam to quarantine 'Policy',
  there's no possible to dumplicate to qurantine 'good'.
  But it happens:
  Tue Jun 17 18:52:55 2008 Info: New SMTP ICID 26146919 interface InNet (10.68.2.161) address 61.135.132.136 reverse dns host websmtp.sohu.com verified no
  Tue Jun 17 18:52:55 2008 Info: ICID 26146919 ACCEPT SG ICP match .sohu.com SBRS 5.5
  Tue Jun 17 18:52:55 2008 Info: Start MID 10698519 ICID 26146919
  Tue Jun 17 18:52:55 2008 Info: MID 10698519 ICID 26146919 From: <mia_kma3998>
  Tue Jun 17 18:52:55 2008 Info: MID 10698519 ICID 26146919 RID 0 To: <swordhuihui>
  Tue Jun 17 18:52:55 2008 Info: MID 10698519 Message-ID '<10849536>'
  Tue Jun 17 18:52:55 2008 Info: MID 10698519 Subject '=?GB2312?B?1Pa807z7zsU=?='
  Tue Jun 17 18:52:55 2008 Info: MID 10698519 ready 1452582 bytes from <mia_kma3998>
  Tue Jun 17 18:52:56 2008 Info: MID 10698519 matched all recipients for per-recipient policy DEFAULT in the inbound table
  Tue Jun 17 18:52:56 2008 Info: MID 10698519 was too big (1452582/102400) for scanning by CASE
  Tue Jun 17 18:52:56 2008 Info: Start MID 10698528 ICID 0
  Tue Jun 17 18:52:56 2008 Info: MID 10698528 was generated based on MID 10698519 by duplicate-quarantine filter 'good'
  Tue Jun 17 18:52:56 2008 Info: MID 10698528 ICID 0 From: <mia_kma3998>
  Tue Jun 17 18:52:56 2008 Info: MID 10698528 ICID 0 RID 0 To: <swordhuihui>
  Tue Jun 17 18:52:56 2008 Info: MID 10698528 ready 1452584 bytes from <mia_kma3998>
  Tue Jun 17 18:52:56 2008 Info: MID 10698528 quarantined to "good" (duplicated by content filter:good)
  Tue Jun 17 18:52:56 2008 Info: MID 10698519 quarantined to "Policy" (message filter:flg1)
  Tue Jun 17 18:52:59 2008 Info: ICID 26146919 close
  The log shows the quarantine action of message filter take effect after the content filter action. I'm quite confused.
  Any suggestion?

  The original message was marked to go to the "Policy" system quarantine via the message filter. However, that message continues through the email pipeline. If no other action affects that message(i.e. dropped by Sophos anti-virus), then the system will move the message to the "Policy" quarantine as originally marked.
  However, in your case, the message was marked to be sent to the "Policy" system quarantine, and then it matched your content filter and did two things:
  1. spawned a copy of the original message and sent this new one to the "good" system quarantine. (see MID 10698528)
  2. the original copy was left alone and this one was sent to the "Policy" quarantine. If you had a drop() action, then it would have gotten dropped and you would have been left with the single copy from #1 (see MID 10698519)
  What was the intended behavior you were trying to achieve?
  Here are some references that may help:
  1. Where can I see a diagram of the IronPort email pipeline?
  You can find a diagram of the queue sequence if you click on the Help
  link in the top right of the web interface - it takes a while for it to
  load. Find the section "Understanding the Email Pipeline" and then
  under that "Overview: Email Pipeline".

• IronPort Attachment Filtering using Content Filter Dictionaries

  Hello,
  one of our customers experiences some Problems with filtering attachments based on their file extensions.
  What we did: We created a dictionary with extension formats like ".exe" or ".cab"
  Based on this dictionary we created a policy, that all Mails are scanned. If an attachment matching this dictionary is in the mail, this attachment will be striped and replaced by a TXT file.
  In my tests this worked fine, only files matching are replaced, the others pass. BUT after activating the rule, we had the Problem, that a lot of attachments not having an extension that should be filtered where striped. So ".xls" or ".pdf" where striped too.
  Can you help me how to configure it correct? Do we have to change something in the Dictionary? Why is this happening, any explanation?
  Thanks a lot for your help in advance and best regards
  Michael

  Hello,
  We are doing something similar, but we are not using a dictionary. We specify the file extension in a content filter action of strip attachment by file info, file name ends with, and we use this regular expression:
  (?i)\.bat
  (?i) makes it case insensitive, the "\" makes the action search for the special character period (which in regex is a wildcard), and then the file extension. 
  When you save it, it will look a little off, the GUI adds some regex characters to it. the entry will look something like this on the content filter page:
  drop-attachments-by-name("(?i)\\.bat$"
  This expression will drop all instances of file extensions that have .bat, which includes all possible combinations. Examples include .BAT, .bat, .bAT, so on and so forth.
  Hope this helps =) 

• My sons Iphone5 is not eligible for content filter according to the website. Can I do something to make it "eligible"?

  My sons Iphone5 is not eligible for content filter according to the website. Can I do something to make it "eligible"?

      We certainly know how important it is to manage content filtering on wireless devices deckhand. I'm happy to advise that the iPhone has built in restriction options. On the device, simply go to Settings > General > Restrictions. Here you can enable restrictions on certain device function. I hope this helps.
  Thank you…
  ArnettH_VZW
  Follow us on Twitter @VZWSupport

• Content Filter block attachment .scr/.cab etc... not working inside archive

  Hi,
  We have trouble that Content Filter for blocking attachments executable, scr, and cab is not working if .exe, .scr, or.cab are inside 7zip, zip or rar archive.
  How deep inside attachment ESA goes, if any?
  Antivirus config is set to 5 and some viruses passed like CryptoWall as .scr and .cab.
  So, we are blocking that extension but this time they were inside archive.  

  Hello Juraj,
  I apologise for the inconvenience.
  Currently if there are viral definitions within the attachment, the AV engine would be the first line of defence, if you for some reason notice some viral attachments bypassing your ESA, please open a TAC case so we can escalate the sample to Sophos for you to capture.
  As per content filtering.
  The scan depth on how deep it will go into a system is defined in 'scanconfig' in the CLI.
  This will show your current recursion depth.
  As per .cab and .7z attachments not being properly captured if .scr or .exe are inside it
  Currently there are some Enh request to allow the unpacking/decompression of these archive files to capture things inside it, at the moment the request is still undergoing review.
  As a temporary measure you can proactively send .7z and .cab files to the quarantine for your administrative review -- 
  The ESA will however be able to seek the executable should it be shrouded inside the .rar/.gzip and .zip archives however.
  I hope this helps.
  Regards,
  Matthew

• Content filter on Cisco Email Security Virtual Appliance

  Dear friend.
  I have problem with Content Filter when configure Cisco Security Virtual Appliance.
  You can see my rule on attachment picture.
  But when I sent an email with subject : "RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint", it's block by Content Filter "DenySubject"
  I'm sure that in my Dictionary doesn't contains any word from this Subject.
  Capture 3 is captured in Policy Quarantine.
  Please help me to solve it asap.
  Thanks so much.
  Vinh Phan

  It is not an issue with the virtual ESA.  Using my vESA, I get the same results, using your "denysubject.txt" for custom dictionary...
  Tue Jun 10 22:53:37 2014 Info: ICID 96 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
  Tue Jun 10 22:53:37 2014 Info: Start MID 58 ICID 96
  Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 From: <[email protected]>
  Tue Jun 10 22:53:37 2014 Info: MID 58 ICID 96 RID 0 To: <[email protected]>
  Tue Jun 10 22:53:37 2014 Info: MID 58 Message-ID '<[email protected]>'
  Tue Jun 10 22:53:37 2014 Info: MID 58 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
  Tue Jun 10 22:53:37 2014 Info: MID 58 ready 7764 bytes from <[email protected]>
  Tue Jun 10 22:53:37 2014 Info: MID 58 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
  Tue Jun 10 22:53:37 2014 Info: MID 58 quarantined to "Policy" (content filter:DenySubject)
  Tue Jun 10 22:54:36 2014 Info: ICID 96 close
  Reviewing the contents --- one line is the culprit:
  [NuocVIET], 1
  Remove that one entry, and the dictionary works.
  Tue Jun 10 23:34:19 2014 Info: New SMTP ICID 117 interface Management (172.16.6.165) address 172.16.6.1 reverse dns host unknown verified no
  Tue Jun 10 23:34:19 2014 Info: ICID 117 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
  Tue Jun 10 23:34:19 2014 Info: Start MID 91 ICID 117
  Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 From: <[email protected]>
  Tue Jun 10 23:34:19 2014 Info: MID 91 ICID 117 RID 0 To: <[email protected]>
  Tue Jun 10 23:34:19 2014 Info: MID 91 Message-ID '<[email protected]>'
  Tue Jun 10 23:34:19 2014 Info: MID 91 Subject 'RE: Nh? m? case l?i k?t n?i t? KH qua firewall Checkpoint'
  Tue Jun 10 23:34:19 2014 Info: MID 91 ready 4505 bytes from <[email protected]>
  Tue Jun 10 23:34:19 2014 Info: MID 91 matched all recipients for per-recipient policy mygmail_inbound in the inbound table
  Tue Jun 10 23:34:19 2014 Info: MID 91 queued for delivery
  Tue Jun 10 23:34:19 2014 Info: New SMTP DCID 39 interface 172.16.6.165 address 173.37.93.161 port 25
  Tue Jun 10 23:34:19 2014 Info: DCID 39 TLS success protocol TLSv1 cipher RC4-SHA 
  Tue Jun 10 23:34:20 2014 Info: Delivery start DCID 39 MID 91 to RID [0]
  Tue Jun 10 23:34:20 2014 Info: Message done DCID 39 MID 91 to RID [0] 
  Tue Jun 10 23:34:20 2014 Info: MID 91 RID [0] Response '2.0.0 s5B3YLna030140 Message accepted for delivery'
  Tue Jun 10 23:34:20 2014 Info: Message finished MID 91 done
  Tue Jun 10 23:34:25 2014 Info: DCID 39 close
  I hope this helps!
  -Robert
  (*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

• App store icon gone missing/Web Content Filter - Apple Configurator

  I am using Apple Configurator to manage the iPads at my school. I changed the settings on my school's profile, within Apple Configurator, so that the App store was not available. The App store icon disappeared and all was good. I decided to change the settings back, to allow the App store, saved the settings and refreshed a group of iPads. The App store icon is still missing and it doesn't appear that my new settings have been applied. I quit Configurator and tried again, but no success. I am running Configurator 1.5 and the ipads are running iOS 7.1.
  Also, I have unchecked the "Allow use of You Tube" button because I want You Tube disabled, but Configurator still allows the use of You Tube through Safari. Is there any way to disable the use of You Tube without using the ridiculous "Web Content Filter", that when activated, limits adult content (good), which seems to include a lot of valuable educational sites (bad)? To me the only other option available seems to be to tick "Specific Websites Only" and spend the next year typing in all the possible sites that might have educational merit, ergo, my use of the word 'ridiculous'. Is there something I am missing?

  Locate it in the Apps folder and drag it to the dock.

• Need help on content server conversioning formats

  Hi,
  I need a help on content server. My requirement is to convert PDF to HTML how can i achieve that wether by using IBR or by Dynamic converter and explain how to do this ?
  Srinath am fallowing you in the forum hope you can help in this...
  Thanks,
  DSV

  Hi
  Dynamic converter is the component that will be used to do the conversion from any format to HTML . So you will have to install the following to get this working :
  1. UCM Core Update patchset 6907073 which is build 74 (latest to be released)
  2. Dynamic Converter version 8.2.0.862 - This will be available in the above patchset .
  3. ContentAccess specific to your OS . This is from patchset 6899823 .
  After installing the above 3 component , restarting UCM should get the DC up and working . Then you would need to set pdf as a format to be converted to HTML (from configuration for DC admin) and it should start working fine .
  Hope it helps .
  Thanks
  Srinath

• Exchange server 2013 content filter rejecting all incoming messages as spam.

  Hello All,
  Today out of the blue our Exchange server 2013 install started rejecting any inbound message as spam. It first started with only one user not being able to receive any mail because of this anomaly and
  then after 12 or so hours all users were getting their mail rejected.
  I currently had the threshold set to 5 on external messages only. Internal is disabled.
  I have tried setting the threshold to 8 and 9, and rebooted the server after restarting
  all services just to make sure everything reset. Even dished out a IISRESET just in case. Whatever I tried still does not work.
  The install is a stand alone server facing the outside world (no edge server) living
  in a 2 domain controller environment with a share point farm thrown in (ESXI5.5 environment)
  Everything works just fine and dandy if I disable the content filter all together. Not seeing anything in the application logs out of the ordinary. Everything was working great and the same settings I used on this server worked well for a totally different
  server that runs just fine.
  Any ideas?
  fr0stsp1re

  RunspaceId                            : 87157b62-a061-436b-8fb9-dab446be3473
  Name                                  : ContentFilterConfig
  RejectionResponse                     : Message rejected as spam by Content Filtering.
  OutlookEmailPostmarkValidationEnabled : True
  BypassedRecipients                    : {}
  QuarantineMailbox                     :
  SCLRejectThreshold                    : 6
  SCLRejectEnabled                      : False
  SCLDeleteThreshold                    : 9
  SCLDeleteEnabled                      : False
  SCLQuarantineThreshold                : 9
  SCLQuarantineEnabled                  : False
  BypassedSenders                       : {}
  BypassedSenderDomains                 : {}
  Enabled                               : False
  ExternalMailEnabled                   : True
  InternalMailEnabled                   : False
  AdminDisplayName                      :
  ExchangeVersion                       : 0.1 (8.0.535.0)
  DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport Settings,CN=Smith And
                                          Smith,CN=Microsoft
                                          Exchange,CN=Services,CN=Configuration,DC=XXXXXXXXXXX,DC=com
  Identity                              : ContentFilterConfig
  Guid                                  : 8f86e0b6-da37-42d3-b7cd-b9635b7db271
  ObjectCategory                        : XXXXXXXXXXXXXXXXXXX/Configuration/Schema/ms-Exch-Message-Hygiene-Conten
                                          t-Filter-Config
  ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
  WhenChanged                           : 5/28/2014 12:15:21 PM
  WhenCreated                           : 5/1/2014 4:17:55 PM
  WhenChangedUTC                        : 5/28/2014 7:15:21 PM
  WhenCreatedUTC                        : 5/1/2014 11:17:55 PM
  OrganizationId                        :
  OriginatingServer                     : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  IsValid                               : True
  ObjectState                           : Unchanged
   This is what it is set at now. Completely disabled. It worked fine for quite some time filtering out spam pretty nicely then one day everyone's mail was being rejected as spam by the content filtering agent. I know of someone else who also had this
  issue except their box was running 2008R2 with EX2007. They too disabled the content filter as it was giving them too many problems with mail being rejected.
  fr0stsp1re