This functionality enables you to specify conditions and assign filtered email actions. You can define your custom sender verification and anti-spoofing rules with conditions containing authentication methods (DKIM, DMARC and SPF). While making a policy > Rules > click Edit next to Email rules to create a new rule or modify an existing one.
1.To create a new rule, click Create to open a wizard.
2.Type a Name for the rule (something you will recognize), and the name will be shown on the list of rules. If you want to prepare the rule and plan to use them later, you can click the toggle next to Active to inactive the rule.
3.Follow the wizard to specify Conditions and Actions. Click Add new condition, select the condition Source from the drop-down menu and configure appropriate values.
4.Define your conditions first and then specify the corresponding actions. You can add multiple conditions and actions to a single rule. If you do so, all conditions must be met to apply the rule. All conditions are connected using the logical operator AND. Even if most conditions are met and one is not, the condition evaluation result is not met, and the rule's action cannot be taken.
Select the condition Source from the drop-down menu. Parameter fields will change depending on selected source. Alternatively, you can specify Regular expression by selecting Match type: RegEx match.
Condition Source
|
Description
|
Sender
|
Applies to messages sent by a specific sender.
|
Sender's IP address
|
Applies to messages sent from a specific IP address. When adding a new address as a condition, both IPv4 and IPv6 are accepted.
|
Sender domain
|
Applies to messages from a sender with a specific domain in their email addresses.
|
From / From Name
|
"From:" value contained in message headers. This display name is visible to the recipient, but no checks are done to ensure that the sending system is authorized to send on behalf of that address. It is commonly used by attackers when spoofing the sender. This condition is used to compare the domain(s) contained in the "From:" email header field and Envelope sender against the domain lists.
|
Envelope sender (SMTP sender)
|
MAIL FROM envelope attribute used during SMTP connection, also used for SPF verification.
|
Subject
|
Applies to messages that contain or do not contain a specific string (or a regular expression) in the subject.
|
Body
|
Message body is searched for a specified phrase. You can use the Strip HTML tags feature to remove HTML tags, attributes and values, and preserve text only. The body text will then be searched.
|
Attachment name
|
Applies to messages containing attachments with a specific name. This includes files contained within an archive.
Evaluate for top-level attachment only - When enabled, files inside an archive will not be evaluated.
Use full path for objects inside attachment - When enabled, the object's full path will be evaluated, not just the filename.
|
Attachment extension
|
Applies to messages with an attachment that does not meet a specified size, is within a specified size range, or exceeds a specified size.
|
Attachment type
|
Applies to messages with a specific file type attached. File types are categorized into groups for easy selection. You can select multiple file types or whole categories. ESET Cloud Office Security detects the actual file type regardless of the file extension. The same applies to an archive's content.
Evaluate for top-level attachment only - When enabled, files inside an archive will not be evaluated.
|
|
The Attachment type rule condition has a known limitation where ESET Cloud Office Security detection engine cannot detect extra small text files under 10 bytes in length in ASCII/ANSI encoding.
|
|
Received time
|
Applies to messages received before or after a specific date or during a specific date range.
|
SPF result
SPF result - From header
SPF result HELO
|
Applies to messages with the SPF (Sender Policy Framework) evaluation result:
Pass - the IP address is authorized to send from the domain (SPF qualifier "+").
Fail - SPF record does not contain the sending server or IP address (SPF qualifier "-").
Soft fail - the IP address may or may not be authorized to send from the domain (SPF qualifier "~").
Neutral - means the domain owner stated in the SPF record that they do not want to assert that the IP address is authorized to send from the domain (SPF qualifier "?").
Not available - SPF result of None means that the domain published no records or that no checkable sender domain could be determined from the given identity.
You can read RFC 4408 for more details about SPF.
|
DMARC result
|
Applies to messages that Passed or Failed verification by SPF, DKIM or both, alternatively if Unknown.
|
DKIM
|
Applies to messages that Passed or Failed DKIM verification, alternatively if Unknown.
|
Headers
|
Email message header field names and values are used as condition.
Comparison type:
Header names—matching header names, the condition is met when the specified header name exists.
Header values—matching header names and header values, the match type is used only for the header values according to the selected Match type. To meet the condition, specified header names must be an exact match (the Match type does not affect header name values).
|
Malware scan result
|
Choose from the drop-down menu what messages the rule will apply to. Option: Not scanned, Clean, Infected, Disabled.
|
Phishing scan result
|
Choose from the drop-down menu what messages the rule will apply to. Option: Not scanned, Clean, Phishing, Disabled.
|
Spam scan result
|
Choose from the drop-down menu what messages the rule will apply to. Option: Not scanned, Clean, Spam, Disabled.
|
Scan result
|
Choose from the drop-down menu what messages the rule will apply to. Option: Disabled, Malware, Phishing, Spam, Analyzing, Error, Clean, Not scanned.
|
Add body banner
|
A banner will be added to an email message and displayed to the recipient. You can customize the appearance of the banner when it is included in the message.
|
|
You can add actions for messages and/or attachments that match rule conditions.
Action name
|
Description
|
Quarantine message
|
The message will not be delivered to the recipient and will be moved to the mail quarantine. Enable Can be released by users if you want to allow non-administrator users to release emails quarantined by this rule (using the web interface or quarantine reports).
|
Delete message
|
Deletes an infected message.
|
Delete attachments
|
Deletes a message attachment. The message will be delivered to the recipient without the attachment.
|
Skip scan
|
Message will not be scanned by the Malware, Phishing and Spam protection.
|
Notify owner
|
Define Subject and Message text that will be sent to the email recipient/owner to get them notified.
|
Notify admins
|
Enter Admin emails, define Subject and Message text that will be sent to administrators as a notification.
|
Add subject prefix
|
Adds a prefix to a subject.
|
Evaluate next rules
|
Allows the evaluation of next rules, enabling the user to define multiple sets of conditions and multiple actions to take given the conditions.
|
Move to Junk
|
Message will be put into the Junk/Spam folder of the user's mailbox.
|
Add body banner
|
A banner will be added to an email message and displayed to the recipient. You can customize the appearance of the banner when it is included in the message.
|
|
