
5.10 Compound Filter Rules

5.10.2 Creating a Compound Filter Rule

To create a new compound filter rule, click Add a New Rule. The Compound Filter Rule editor appears. Figure 5.10 shows a rule partway through the editing process:

Figure 5.10: Compound Filter Rule Editor

A compound rule consists of one or more groups. Each group is joined to the following group with a logical operator. The possible logical operators are:

• AND - the rule fires only if both groups are true.

• OR - the rule fires if either group is true.

• AND NOT - the rule fires if the first group is true and the second is false.

• OR NOT - the rule fires if the first group is true or the second is false.

A group consists of one or more conditions. Each condition is joined to the following condition with a logical operator, just as groups are joined together.

Normally, the AND and AND NOT operators take precedence over OR and OR NOT. However, groups act as parentheses: all conditions in one group are evaluated as a unit with respect to other groups.

Example 1

• (Subject Contains test) OR (Subject Contains foo) AND

• (Header Sender is not [email protected]) AND (Header sender is not [email protected])

is interpreted as:

((Subject contains test) OR (Subject contains foo)) AND ((Header Sender is not [email protected]) AND (Header sender is not [email protected]))

50 CHAPTER 5. BLACKLISTS, WHITELISTS AND RULES

Example 2

• (Subject Contains test) OR (Subject Contains foo) AND (Size = 1024)

is interpreted as:

(Subject Contains test) OR ( (Subject Contains foo) AND (Size = 1024) ) because AND takes precedence over OR.

Conditions

Within a compound rule, a condition consists of a field, a relation and data. (Note that some relations such as “Contains Credit Card Number”, “Contains Canadian Social Insurance Number” and “Contains US Social Security Number” do not require a data field; selecting such a relation clears and disables the data box.)

These are similar to the corresponding items in Custom Rules; see Section 5.8 for details.

Within the Compound Filter Rule editor, you can take the following actions:

• If the rule already contains a condition, select a logical operator to combine a new condition with the previous one.

• Select a field (Subject, Sender, etc.) to begin creating a new condition.

• Select a relation (Contains, Matches, etc.) to continue creating a new condition.

• Enter data in the text box to finish creating a new condition.

• Click Add to add the new condition to the current group.

• Click Add as New Group to add the new condition as the start of a new group as opposed to joining the new condition to the conditions in the current group.

For example, if the current rule looks like this:

– (Subject Contains test) OR (Subject contains foo)

and you are adding the condition (Subject contains quux) with an AND operator, then clicking Add results in:

– (Subject Contains test) OR (Subject contains foo) AND (Subject contains quux) which is interpreted as:

– (Subject Contains test) OR ((Subject contains foo) AND (Subject contains quux))

whereas clicking Add as New Group results in:

– (Subject Contains test) OR (Subject contains foo) AND (Subject contains quux) which is interpreted as:

– ((Subject Contains test) OR (Subject contains foo)) AND (Subject contains quux)

• Click Delete to delete the most recently-added condition.

• Set the score, expiry or comment by entering data in the corresponding field.

Note: Compound rules with a zero score are not evaluated by CanIt-Domain-PRO during mail scanning. They are completely ignored. If you wish to make a test compound rule that does not alter the final score much, give it a score of 0.01 to ensure that CanIt-Domain-PRO actually evaluates the rule.

• Click Save to save the compound rule.

Compound Rules offer the following fields:

• Attachment Filename — matches against any attachment filenames.

• Country Code — matches against the two-letter ISO 3166 country-code of the sending SMTP relay.

• Envelope Recipient — matches against any envelope recipient (the email addresses in SMTP “RCPT To:” commands.)

• Envelope Sender — matches against the envelope sender (the email address in the SMTP “MAIL From:” command.)

• Header From — matches against the email address in the “From:” header.

• Header Sender — matches against the email address in the “Sender:” header. Since most email messages lack a Sender: header, this field is not usually useful.

• Domain of Envelope Sender — matches against the domain part of the envelope sender (the email address in the SMTP “MAIL From:” command.) The domain part is everything after the @ sign in an email address.

• Domain of Header From — matches against the domain part of the email address in the “From:” header.

• Domain of Header Sender — matches against the domain part of the email address in the “Sender:” header. Since most email messages lack a Sender: header, this field is not usually useful.

• Subject — matches against the message subject.

• To or From — matches against both Envelope Sender and Envelope Recipient.


• Sending Relay Address — matches against the IP address of the sending relay. This may be the machine that actually connected via SMTP to the CanIt-Domain-PRO scanner, or it may be a machine parsed out of the Received: headers of the email.

• Sending Relay Hostname — matches against the host name of the sending relay. This may be the machine that actually connected via SMTP to the CanIt-Domain-PRO scanner, or it may be a machine parsed out of the Received: headers of the email.

• Body — matches the body of the message (line-by-line) after MIME decoding.

• Client HELO — matches the argument of the sending relay’s SMTP “HELO” or “EHLO” command.

• DKIM Result — matches against the DKIM result.

• Header — matches headers, line-by-line.

• Link Type of SMTP Client — matches the link type of the connecting server as determined by the Passive OS Fingerprinting system.

• Message-ID — matches the Message-ID: header contents.

• OS Name and Version of SMTP Client — allows you to match based on the operating system name and version determined by the Passive OS Fingerprinting system.

• OS Name of SMTP Client — allows you to match based on the operating system name deter-mined by the Passive OS Fingerprinting system.

• Connecting Relay Address — matches against the IP address of the relay that initiated the SMTP connection to the CanIt-Domain-PRO scanner.

• Connecting Relay Hostname — matches against the host name of the relay that initiated the SMTP connection to the CanIt-Domain-PRO scanner.

• Raw Body — matches the raw body of the message (line-by-line) without any MIME decoding.

• SPF Result — matches the SPF result.

• Size — matches the size of the raw message, in bytes.

• List of Rules Hit — matches against the list of built-in rules that have already hit. This list is internally matched as a comma-separated string. Here are some examples of how you would match rules that have hit:

– To match a SpamAssassin rule like RP D 00001, use “contains RP D 00001”.

– To match a plugin rule like OfficeMacroAuto Open, use “contains OfficeMacroAuto Open”.


– To match a DKIM hit, use “contains DKIM(pass:”. You can substitute whatever DKIM result you are looking for in place of “pass”. Note the parenthesis and trailing colon; they are required.

– To match an RBL hit, use “contains RBL(tagname:” where tagname is the tag name associated with the RBL in the master list of RBLs.

– To match a custom rule with ID 12345, use “contains ,12345:”. Note the leading comma and trailing colon; both are required.

– You cannot match against another compound rule. That is, no compound rules will appear yet in the list of rules that were hit.

For fields that can match multiple items (such as Header, Envelope Recipient, Attachment Filename, etc.), CanIt-Domain-PRO uses the following rules:

• If the relation is a positive relation such as “Contains”, “Is”, “Ends with”, etc, then the condition matches if any of the items matches.

• If the relation is a negative relation such as “Is not”, “Does not match RegExp” or “Does not contain”, then the condition does not match if any of the items violates the relation.
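The precedence and grouping rules described in this section, together with the any/all rule for multi-valued fields, as an added example that is not CanIt-Domain-PRO's own code: a small Python model that evaluates a rule given as groups of conditions and then builds the “quux” rule above both ways, with Add and with Add as New Group. The relation names and the message dictionary layout are assumptions made for the illustration.

```python
# Added example, not CanIt-Domain-PRO code: a model of how a compound rule is
# evaluated. A condition is a (field, relation, data) tuple; the relation names
# and the message dict layout are assumptions made for this illustration.

def cond_matches(msg, field, relation, data):
    """One condition. Multi-valued fields follow the page's rule: a positive
    relation matches if any item matches; a negative one fails if any item
    violates it (so every item must satisfy it)."""
    items = msg.get(field, [])
    items = items if isinstance(items, list) else [items]
    tests = {"contains": lambda v: data in v, "does not contain": lambda v: data not in v,
             "is": lambda v: v == data, "is not": lambda v: v != data,
             "=": lambda v: v == data}
    negative = relation in ("is not", "does not contain")
    test = tests[relation]
    return all(map(test, items)) if negative else any(map(test, items))

def combine(values, ops):
    """Fold booleans left to right with AND / AND NOT binding tighter than
    OR / OR NOT, as the manual describes. NOT negates the term that follows it
    (for OR NOT that term is a whole AND-chain: an assumption for mixed chains)."""
    chains = [[(None, values[0])]]            # AND-chains separated by OR-type ops
    for op, v in zip(ops, values[1:]):
        if op in ("AND", "AND NOT"):
            chains[-1].append((op, v))
        else:                                 # "OR" / "OR NOT" starts a new chain
            chains.append([(op, v)])
    result = False
    for chain in chains:
        acc = chain[0][1]
        for op, v in chain[1:]:
            acc = acc and (not v if op == "AND NOT" else v)
        joiner = chain[0][0]
        result = acc if joiner is None else result or (not acc if joiner == "OR NOT" else acc)
    return result

def eval_rule(msg, groups, group_ops):
    """groups: list of (conditions, condition_ops). Each group is evaluated as a
    parenthesised unit, then the group results are combined with group_ops."""
    group_values = [combine([cond_matches(msg, *c) for c in conds], cops)
                    for conds, cops in groups]
    return combine(group_values, group_ops)

# Constructed sample message and the manual's "quux" rule built both ways.
MSG = {"Subject": "test message", "Size": 2048,
       "Envelope Recipient": ["alice@example.com", "bob@example.com"]}
TEST, FOO, QUUX = [("Subject", "contains", w) for w in ("test", "foo", "quux")]
ADD = [([TEST, FOO, QUUX], ["OR", "AND"])]          # Add: test OR (foo AND quux)
NEW_GROUP = [([TEST, FOO], ["OR"]), ([QUUX], [])]  # Add as New Group: (test OR foo) AND quux
```

With the sample message, `eval_rule(MSG, ADD, [])` fires while `eval_rule(MSG, NEW_GROUP, ["AND"])` does not, which is exactly the difference between the two buttons.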
