• No results found

Pattern Based Message Filtering

In document M1000, M2000, M3000. eprism User Guide (Page 109-117)

Pattern Based Message Filtering

Pattern Based Message Filtering is the primary tool for whitelisting and blacklisting messages.

An administrator can specify that mail is rejected or whitelisted according to the contents of the message header, including the sender, recipient, subject, and body text.

Pattern Based Message Filtering has the following main characteristics:

Filters can be specified using simple English terms such as "contains" and "matches" or using POSIX regular expressions

Filters are processed in the order of their priority

The actions can be used to modify the behavior of the STA spam filter

For example, you can create a simple text filter that specifies to check messages for the word

"FREE" in the subject. These types of filters can be helpful in correcting obvious disadvantages in the other spam filters, but they can create problems of long term maintenance.

St. Bernard recommends that you use Pattern Based Message Filtering sparingly for anti-spam purposes because it has three main disadvantages:

Time required to specify and then maintain the rules

Ease with which spammers can circumvent simple word matches

Spammers fake the contents of the message headers

Email Message Structure

The following is an example of a typical mail message:

Message Envelope

The information in the message envelope, such as HELO, MAIL FROM, and RCPT TO, are parameters not visible to the user. They are the "handshake" part of the SMTP protocol. You will need to look for these in the transport logs or have other knowledge of them.

Pattern Based Message Filtering

Received from — This marks the origin of the message. Note that it is not necessarily the same as the actual system that originated the message.

Subject — This is a free form field and displayed by a typical mail client.

To — This is a free form field and displayed by a typical mail client. It does not need to be accurate and may be different from the destination address in the Received headers or from the actual recipient.

From — This is a free form field and is displayed by a typical mail client. It does not need to be accurate and may be different from the From address in the Received headers. It is typically faked by spammers.

Message-ID — This is added by the mail server and is often faked by spammers.

Other header fields include Reply-to, Sender and so on. These fields can be forged by spammers because they do not affect how the mail is delivered.

Message Body

Following the header is the text or content of the message. This content can be formatted or encoded in many different ways, but in this example, it is displayed as plain text.

Configuring Pattern Based Message Filtering

Select Mail Delivery -> Anti-Spam, and select Pattern Based Message Filtering on the menu.

Click the Add button to add a new pattern to the filter list.

Select the Message Part you want to filter on. ePrism allows you to filter on the following parameters:

Message Envelope Parameters

These parameters will not be visible to the user. They are the "handshake" part of the SMTP protocol. You will need to look for these in the transport logs or have other knowledge of them.

<<Mail Envelope>> — This parameter allows for a match on any part of the message envelope which includes the HELO, Client IP and Client Host.

HELO — This field is easily faked, and is not recommended for use in spam control. It may be useful in whitelisting a source of mail. Example: mail.example.com.

Client IP — This field will be accurately reported and may be reliably used for both blacklisting and whitelisting. It is the IP address of the system initiating the SMTP connection. Example:

192.168.1.200.

Client Host — This field will be accurately reported and may be reliably used for both blacklisting and whitelisting. Example: mail.example.com.

The following envelope parameters (Envelope Addr, Envelope To and Envelope From) may be visible if your client supports reading the message source, such as with ePrism Mail Client. They can also be found in the transport logs. Other header fields may be visible as supported by the mail client.

Envelope Addr — This matches on either the Envelope To or Envelope From. These fields are easily faked, and are not recommended for use in spam control. They may be useful in

whitelisting a source of mail. Example: [email protected].

Envelope To — This field is easily faked, and is not recommended for use in spam control. It may be useful in whitelisting a source of mail. Example: [email protected].

Envelope From — This field is easily faked, and is not recommended for use in spam control.

It may be useful in whitelisting a source of mail. Example: [email protected]. Message Header Parameters

Spammers will typically enter false information into these fields and, except for the Subject field, they are usually not useful in controlling spam. These fields may be useful in whitelisting certain users or legitimate source of email.

Pattern Based Message Filtering

To:

There are other header fields that are commonly used, such as List-ID, as well as those added by local mail systems and clients. You must use Regular Expressions (described below) to specify these.

Message Body Parameters

<<Raw Mail Body>> — This parameter allows for a match on any part of the encoded message body. This encoded content includes Base64, MIME, and HTML. Since messages are not decoded, a simple text match may not work. Use <<Mail Content>> for text matching on the decoded content.

<<Mail Content>> — This parameter allows for a match on the visible decoded message body.

STA Token

STA tokens can also be selected for pattern based message filters. This allows you to match patterns for common spam words that could be hidden or disguised with fake or invisible HTML text comments, which would not be caught by a normal pattern filter. For example, STA extracts the token "viagra" from the text "vi<spam>ag<spam>ra" and "v.i.a.g.r.a.".

Match Option

Matching looks for the specified text in each line. You can specify one of the following:

Contains — Looks for the text to be contained in a line or field. This allows for spaces or other characters that may make an exact match fail.

Ends with — Looks for the text at the end of the line or field (no characters, spaces and so on, between the text and the non-printed end-of-line character.)

Matches — The entire line or field must match the text.

Starts with — Looks for the text at the start of the line or field (no characters between the text and the start of line.)

Pattern

Enter the pattern you wish to search for. You may also use Regular Expressions which allow you to specify match rules in a more flexible and granular way. They are based on the standard POSIX specification for Regular Expressions.

For example, to search for a "blank" message field, use the following:

^subject:[[:blank:]]*$

Note: Although the Regular Expression feature is supported, St. Bernard cannot help with devising or debugging Regular Expressions because they have an infinite variety and can be very complex. Using Regular Expressions is not recommended unless you have advanced knowledge of their use.

Priority

Select a priority for the filter (High, Medium, Low). The entire message is read before making the decision. If a message matches multiple filters, the filter with the highest priority will be used.

If more than one matched filter has the highest priority, the filter with the strongest action will be used, in order, from highest priority to lowest (Spam, Reject, Trust, Relay, Valid, Accept). If more than one matched rule has the highest priority and highest action, then the filter with the highest rule number will be used.

Action

When a rule has been triggered, the specified action is carried out:

Reject — Mail is received, then rejected before the close of an SMTP session.

Spam — Mail is received, then trained as spam for STA, and then rejected.

Accept — Mail is delivered normally and not trained by STA, or marked as spam or bulk.

Attempted relays are rejected.

Valid — Mail is delivered normally and trained as valid by STA. Attempted relays are rejected.

Relay — Relay is enabled for this mail. Mail is not trained by STA.

Trust — Relay is enabled for this mail. Mail is trained as valid by STA.

Do Not Train — Do not use the message for STA training purposes.

BCC — Send a blind carbon copy mail to the mail address specified in Action Data. This option only appears if you have a BCC Email Address set up in the Preferences section.

Just Log — Take no action, but log the occurrence. Just Log can be used to override other lower priority PBMFs to test the effect of PBMFs without an action taking place.

Note: The "Relay" or "Trust" action can only be used with an Envelope message part because attempted relays must be rejected immediately after the envelope transaction.

Pattern Based Message Filtering

The file (pbmf.csv) should be created in csv file format using Excel, Notepad or other Windows text editor. It is recommended that you download the PBMF file first by clicking Download File, edit it as required, and upload it using the Upload File button.

PBMF Preferences

Select the Preferences button to configure actions for spam pattern based message filters. These actions allow you to process the spam message with an additional action such as Redirect To or Modify Subject Header. You can also train the PBMF spam mail for STA purposes.

Train as STA Spam — Select this option to allow any mail that triggers an action to be trained as spam for STA purposes.

Action — Specify one of the following actions:

Just log: An entry is made in the log, and no other action is taken.

Modify Subject Header: The text specified in Action Data will be inserted into the message subject line.

Add header: An "X-" mail header will be added as specified in the Action Data.

Redirect to: The message will be delivered to the mail address specified in Action Data.

Reject mail: The mail will not be accepted, and the connecting mail server is forced to return it.

BCC: Send a blind carbon copy mail to the mail address specified in Action Data.

Action data — Depending on the specified action:

Modify Subject Header: The specified text will be inserted into the subject line, such as [PBMF_SPAM].

Add header: A message header will be added with the specified text, such as [PBMF_SPAM].

Redirect to: Send the message to a mailbox such as [email protected]. You can also specify a domain such as spam.example.com.

PBMF BCC Action — Send a blind carbon copy of the message to the address specified. This is a separate action from the PBMF spam actions.

In document M1000, M2000, M3000. eprism User Guide (Page 109-117)
Download now "M1000, M2000, M3000. e..."

Outline

Related documents