ESET Cloud Office Security
 

Email rules

This functionality enables you to specify conditions and assign actions to the filtered email. You can define your custom sender verification and anti-spoofing rules with conditions containing authentication methods (DKIM, DMARC and SPF). When creating a policy, go to Rules and click Edit next to Email rules to create a new rule or modify an existing one.

1. To create a new rule, click Create to open a wizard.

2. Type a Name for the rule (something you will recognize); the name will be shown in the list of rules. If you want to prepare the rule now and use it later, click the toggle next to Active to deactivate the rule.

3. Follow the wizard to specify Conditions and Actions. Click Add new condition, select the condition Source from the drop-down menu and configure appropriate values. Define your conditions first and then specify the corresponding actions. You can add multiple conditions and actions to a single rule.

Conditions

Select the condition Source from the drop-down menu. Parameter fields will change depending on the selected source. Alternatively, you can specify a regular expression by selecting Match type: RegEx match.

Condition Source

Description

Sender

Applies to messages sent by a specific sender.

Sender's IP address

Applies to messages sent from a specific IP address. When adding a new address as a condition, both IPv4 and IPv6 are accepted.

Sender domain

Applies to messages from a sender with a specific domain in their email addresses.

From / From Name

"From:" value contained in message headers. This display name is visible to the recipient, but no checks are done to ensure that the sending system is authorized to send on behalf of that address. It is commonly used by attackers when spoofing the sender. This condition is used to compare the domain(s) contained in the "From:" email header field and Envelope sender against the domain lists.

Envelope sender (SMTP sender)

MAIL FROM envelope attribute used during SMTP connection, also used for SPF verification.

Subject

Applies to messages that contain or do not contain a specific string (or a regular expression) in the subject.

Body

Message body is searched for a specified phrase. You can use the Strip HTML tags feature to remove HTML tags, attributes and values, and preserve text only. The body text will then be searched.

Attachment name

Applies to messages containing attachments with a specific name. This includes files contained within an archive.

Evaluate for top-level attachment only - When enabled, files inside an archive will not be evaluated.

Use full path for objects inside attachment - When enabled, the object's full path will be evaluated, not just the filename.

Attachment extension

Applies to messages with an attachment that does not meet a specified size, is within a specified size range, or exceeds a specified size.

Attachment type

Applies to messages with a specific file type attached. File types are categorized into groups for easy selection. You can select multiple file types or whole categories. ESET Cloud Office Security detects the actual file type regardless of the file extension. The same applies to an archive's content.

Evaluate for top-level attachment only - When enabled, files inside an archive will not be evaluated.

 

Note

The Attachment type rule condition has a known limitation: the ESET Cloud Office Security detection engine cannot detect extra small text files under 10 bytes in length in ASCII/ANSI encoding.

Received time

Applies to messages received before or after a specific date or during a specific date range.

SPF result
SPF result - From header
SPF result HELO

Applies to messages with the SPF (Sender Policy Framework) evaluation result:

Pass - the IP address is authorized to send from the domain (SPF qualifier "+").

Fail - SPF record does not contain the sending server or IP address (SPF qualifier "-").

Soft fail - the IP address may or may not be authorized to send from the domain (SPF qualifier "~").

Neutral - the domain owner stated in the SPF record that they do not want to assert that the IP address is authorized to send from the domain (SPF qualifier "?").

Not available - SPF result of None means that the domain published no records or that no checkable sender domain could be determined from the given identity.

You can read RFC 4408 for more details about SPF.

DMARC result

Applies to messages that Passed or Failed verification by SPF, DKIM or both, or for which the result is Unknown.

DKIM

Applies to messages that Passed or Failed DKIM verification, or for which the result is Unknown.

Headers

Email message header field names and values are used as the condition.

Comparison type:

Header names - matches header names; the condition is met when the specified header name exists.

Header values - matches header names and header values; the selected Match type is applied only to the header values. To meet the condition, the specified header names must be an exact match (the Match type does not affect header names).

Malware scan result

Applies to messages flagged as malicious or not malicious.

Phishing scan result

Applies to messages that were evaluated as phishing.

Spam scan result

Applies to messages flagged or not flagged as ham or spam.

Scan result

Applies to messages that were evaluated by the scan type selected as an option.
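
The SPF result values listed above come from the qualifier on the first matching mechanism in the SPF record of the Envelope sender's domain, not from the "From:" header the recipient sees. The Python code below is an added example, not ESET code: it evaluates only the ip4, ip6 and all mechanisms against constructed records, and also reports whether the "From:" domain matches the envelope domain. `SPF_RECORDS`, the sample domains and the function names are assumptions made for the illustration.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF records standing in for DNS TXT lookups (assumption: offline demo).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
    "example.org": "v=spf1 ?all",
}

# SPF qualifier -> result name as listed in the SPF result condition.
QUALIFIER_RESULT = {"+": "Pass", "-": "Fail", "~": "Soft fail", "?": "Neutral"}


def domain_of(address):
    """Return the lower-cased domain of an address or "From:" header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def spf_result(envelope_sender, sender_ip):
    """Evaluate ip4/ip6/all mechanisms only; a/mx/include need DNS and are skipped."""
    record = SPF_RECORDS.get(domain_of(envelope_sender))
    if not record or not record.startswith("v=spf1"):
        return "Not available"  # no record published, or no checkable domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        # A mechanism without an explicit qualifier defaults to "+".
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "Neutral"  # no mechanism matched: SPF default result


def evaluate(from_header, envelope_sender, sender_ip):
    """Return the values a rule would test: SPF result and From/envelope domain match."""
    return {
        "spf": spf_result(envelope_sender, sender_ip),
        "from_matches_envelope": domain_of(from_header) == domain_of(envelope_sender),
    }
```

Calling `evaluate('"Example Billing" <billing@example.com>', "bounce@example.net", "198.51.100.7")` returns an SPF Pass together with a domain mismatch, which is the case where a rule on SPF result alone would not flag a spoofed "From:" value.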

Actions

You can add actions for messages and/or attachments that match rule conditions.

Action name

Description

Add subject prefix

Adds a prefix to a subject.

Delete attachments

Deletes a message attachment. The message will be delivered to the recipient without the attachment.

Delete message

Deletes an infected message.

Evaluate next rules

Allows the evaluation of next rules, enabling the user to define multiple sets of conditions and multiple actions to take given the conditions.

Quarantine message

The message will not be delivered to the recipient and will be moved to the mail quarantine. Enable Can be released by users if you want to allow non-administrator users to release emails quarantined by this rule (using the web interface or quarantine reports).

Skip scan

Message will not be scanned by the Malware, Phishing and Spam protection.

Move to Junk

Message will be put into the Junk/Spam folder of the user's mailbox.

Notify owner

Define the Subject and Message text of the notification that will be sent to the email recipient/owner.

Notify admins

Enter Admin emails, define Subject and Message text that will be sent to administrators as a notification.

Add body banner

A banner will be added to an email message and displayed to the recipient. You can customize the appearance of the banner when it is included in the message.