Dr.Web allows you to use a filtering system to reduce the server load during spam attacks by removing unnecessary messages from the server transport system before they are checked for viruses and spam. For effective filtering, it is essential to create an optimal set of filtering rules without contradictory or redundant rules.
Before filtering, the group to which the message sender belongs is identified. If the sender belongs to one of the created groups, the filtering rules specified in the profile corresponding to this group are applied to the message. If the sender does not belong to any group, the settings of the Default profile are applied to the message. Therefore, if a filtering rule must apply to all messages whose senders are not included in any group, create this rule in the Default profile settings.
If the sender profile does not contain any limits, the message is filtered by the rules created for the recipients' addresses. Every address in the recipients list relates to its own group (an AD group or a list of email addresses), and every group has its own profile assigned to it. The profile with the highest priority is applied. Therefore, if you want to set limitations on a created group of recipients, do not create filtering rules in the Default profile, but create a separate profile and assign it to this group.

If it is necessary to create specific groups of recipients without any limits imposed by filtering, do not configure filtering rules in the Default profile: if a message is filtered by the filters set for senders, it is excluded from further processing by the recipient filters.
First, every message is processed by the anti-spam transport agent. At this stage the filtering rules are applied to the message as a whole. Messages are filtered by the number of senders and recipients, by subject, number of attachments, etc. After the filtering, unfiltered messages are checked for spam (see Figure 8).
After checking for spam, the message is processed by the anti-virus agent. At this stage the filtering rules are applied to the message as a set of files; the message body is also treated as a file. Messages are filtered by file size, name, extension, etc. After the filtering, unfiltered messages are checked for viruses (see Figure 8).
 Figure 8. Filtering messages in the transport system
The traffic filtering is configured in the Filtering pane (see Figure 9). Filters are applied according to certain rules which can be added by the administrator. These rules determine the conditions for the filtering by the properties of messages and their attachments.
 Figure 9. Filtering pane
If you are working with the Filtering component for the first time, the list of rules will be empty. You can create and configure filtering rules.
To configure message filtering
1. Select Enable filtering at the top of the Filtering pane. This makes the parameters in the section available for editing.
You can apply filtering rules to the source, to the recipient, or to both.
For example, you can create a rule for message subjects that include the word “Attention”. If you set this rule for the source only, you will not be able to send messages with the word “Attention” in the subject. If you set this rule for the recipient, you will not be able to receive messages with the word “Attention” in the subject. If you set this rule for both source and recipient, you will be able neither to receive nor to send messages with the word “Attention” in the subject.
2. Enable one or more filters from the list by selecting the corresponding check boxes. If the list of filters is empty, you can create them.
3. Select the actions for the email messages with attachments in the Attachment settings section.
For the messages, you can select one of the following actions:
•Delete—to delete the message.
•Add prefix to subject—to let the message through and add to its subject a prefix specified in the Subject prefix.
For attachments, the following actions are available:
•Move to quarantine—to isolate the attachment in quarantine.
•Delete—to delete the attachment.
In the Subject prefix field, specify the prefix added to the subject of the filtered message. The default prefix is ***FILTERED***.
In the File name suffix field, specify the suffix added to the name of the text file attached to the filtered message. The default suffix is _filtered.txt.
In the File contents field, enter the text of the file added to the filtered message. While editing the text, you can add macros from the Macros drop-down list.
To create a filtering rule
1. Click Add under the filters list. The Filter rule window opens (see Figure 10). In this window, you can enter the name of the rule and specify its conditions.
 Figure 10. Configure filtering rule

When specifying a rule name, you are allowed to use only letters of the Latin alphabet, spaces, and the following special characters: @ _ <> & ! : . [] () - ' ".
2. To add a condition, click Add. In the new window, select the condition type, specify the value and the type of compliance with the specified value. The types of conditions, compliance and possible values are listed in the table below:

| Condition type | Compliance type | Value |
|---|---|---|
| Data type | Equal to, Not equal to | File, Message |
| Data source | Equal to, Not equal to, Contains, Does not contain, Matches, Does not match | Specified manually |
| Data recipient | Equal to, Not equal to, Contains, Does not contain, Matches, Does not match | Specified manually |
| Protocol | Equal to, Not equal to | SMTP, MAPI |
| Number of recipients | Equal to, Not equal to, Greater than, Less than or equal to, Less than, Greater than or equal to | Specified manually |
| File name | Equal to, Not equal to, Contains, Does not contain, Matches, Does not match | Specified manually |
| File size | Equal to, Not equal to, Greater than, Less than or equal to, Less than, Greater than or equal to | Specified manually (in bytes) |
| Message subject | Equal to, Not equal to, Contains, Does not contain, Matches, Does not match | Specified manually |
| Has attachment | Equal to, Not equal to | True, False |

If one of the Contains, Does not contain, Matches or Does not match compliance types is selected for any of the Data source, Data recipient, File name or Message subject conditions, you can use the asterisk (*) and question mark (?) wildcard characters in the entered text value to substitute a sequence of characters or a single character respectively.
You can also use the File name condition to filter the attached files by extension. For example, exe, bat, pif, com, vbs, scr, lnk, ps1, PSD1, PSM1, DOTM, PPSM, POTM, XLTM, XLAM, etc.
The filter is case insensitive. When specifying a value, you can use uppercase and lowercase characters.
Once a condition is added to a filtering rule, it is converted into a string with certain operators. Their descriptions are listed in the table below:

| Operator | Description | Example | Effect of the example |
|---|---|---|---|
| EQ | Equal to | (EQ %MessageSubject% "News") | Filtering of messages with the “News” subject. The value (News) is case sensitive. |
| NE | Not equal to | (NE %MessageSubject% "News") | Filtering of all messages except those with the “News” subject. |
| GT | Greater than | (GT %NumberOfRecipients% 5u32) | Filtering of messages with 6 or more recipients. |
| LE | Less than or equal to | (LE %NumberOfRecipients% 5u32) | Filtering of messages with 1–5 recipients. |
| LT | Less than | (LT %NumberOfRecipients% 5u32) | Filtering of messages with 1–4 recipients. |
| GE | Greater than or equal to | (GE %NumberOfRecipients% 5u32) | Filtering of messages with 5 or more recipients. |
| CONTAIN | Contains | (CONTAIN "News" %MessageSubject%) | Filtering of messages with the word “News” in the subject. |
| MATCH | Matches | (MATCH "News" %MessageSubject%) | Filtering of messages with the “News” subject. The value (News) is case insensitive. |
| NOT | Opposite condition | (NOT (CONTAIN "News" %MessageSubject%)) or (NOT (MATCH "News" %MessageSubject%)) | Filtering of all messages except those with the word “News” in the subject or those with the “News” subject. |
| OR | Any condition | (OR (CONTAIN "News" %MessageSubject%) (CONTAIN "History" %MessageSubject%)) | Filtering of messages with the words “News” or “History” in the subject. |
| AND | All conditions | (AND (CONTAIN "News" %MessageSubject%) (CONTAIN "History" %MessageSubject%)) | Filtering only those messages with the words “News” and “History” in the subject. |
3. To delete or edit any of the specified conditions, select it in the list and click Delete or Edit respectively.
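To check a rule string against representative messages before enabling it, the operator syntax described above can be evaluated offline. The following Python sketch is an added example, not Dr.Web code. It assumes that the u32 suffix marks an unsigned integer, that CONTAIN and MATCH take the pattern first as the operator examples show, that EQ compares exactly while CONTAIN and MATCH ignore case, and it uses only the two variables that appear on this page.

```python
import operator, re

TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')
COMPARE = {"EQ": operator.eq, "NE": operator.ne, "GT": operator.gt,
           "GE": operator.ge, "LT": operator.lt, "LE": operator.le}

def parse(rule):
    stack = [[]]  # innermost open list is stack[-1]
    for tok in TOKEN.findall(rule):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced parentheses")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1 or len(stack[0]) != 1 or not isinstance(stack[0][0], list):
        raise ValueError("expected exactly one parenthesised rule")
    return stack[0][0]

def operand(tok, msg):
    if tok.startswith("%"):  # %MessageSubject% -> msg["MessageSubject"]
        return msg[tok.strip("%")]
    if tok.startswith('"'):  # quoted literal
        return tok[1:-1]
    return int(re.sub(r"u\d+$", "", tok))  # assumption: 5u32 means unsigned integer 5

def wildcard(pattern):  # * = any sequence, ? = one character; case-insensitive
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def evaluate(tree, msg):
    op, *args = tree
    if op == "NOT":
        return not evaluate(args[0], msg)
    if op in ("AND", "OR"):
        return (all if op == "AND" else any)(evaluate(a, msg) for a in args)
    left, right = (operand(t, msg) for t in args)
    if op in ("CONTAIN", "MATCH"):  # pattern first, field second, as in the table
        rx = wildcard(left)
        return bool(rx.search(right) if op == "CONTAIN" else rx.fullmatch(right))
    return COMPARE[op](left, right)

SAMPLE = {"MessageSubject": "Daily news digest", "NumberOfRecipients": 6}  # constructed

def fires(rule, msg=SAMPLE):
    return evaluate(parse(rule), msg)
```

Running each candidate rule over a handful of representative messages this way shows which rules overlap or never fire before they are enabled on the server.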
Example of the file size filtering rule
To filter files by size, use the rule (see Figure 11) containing the following condition:
| Condition type | Compliance type | Value (in bytes) |
|---|---|---|
| File size | Greater than | 20000 |
 Figure 11. Example of the file size filtering rule
Example of the file name filtering rule
To filter incoming messages by the file name, use the rule (see Figure 12) containing any of the following conditions:
| Condition type | Compliance type | Value |
|---|---|---|
| File name | Contains | *.exe |
| File name | Contains | *.pdf |
| File name | Contains | *.doc |
 Figure 12. Example of the file name filtering rule
Example of the subject filtering rule
To filter incoming messages by subject, use the rule (see Figure 13) containing the following condition:
| Condition type | Compliance type | Value |
|---|---|---|
| Message subject | Contains | News |
 Figure 13. Example of the subject filtering rule
To edit or delete an existing filtering rule
1. Select the rule in the list of filters and click Edit or Delete under the list.
2. Click Save when you are done configuring the filtering rules.

In some cases, filtering may affect the mail system performance, so the following actions are recommended:
•Add exclusions to the TrustedEmails parameter. The system mailbox accounts are stored in Active Directory and their names begin with "HealthMailbox".
•Do not create filters that delete small files (less than 1000 bytes) to prevent filtering of the notifications. Otherwise, you may encounter "looping", when the notification is refiltered over and over.