Rule condition
This wizard lets you add conditions for a rule. Select condition Type and an Operation from the drop-down list. The list of operations changes depending on what rule type you've chosen. Then select a Parameter. Parameter fields will change depending on rule type and operation. For example, choose File size > is greater than and under Parameter specify 10 MB. Using these settings, any file that is larger than 10 MB will be processed using rule actions you have specified. For this reason you should specify the action that is taken when a given rule is triggered if you have not done so when setting parameters for that rule.
Condition type has associated the following Operations:
•String: is, is not, contains, doesn't contain, matches, doesn't match, is in, is not in, matches regular expression, does not match regular expression
•Number: is less than, is greater than, is between
•Text: contains, doesn't contain, matches, doesn't match
•Date-time: is less than, is greater than, is between
•Enum: is, is not, is in, is not in
If you want to import your custom list from a file instead of adding every single entry manually, right-click in the middle of the window and select Import from the context menu, then browse for your file (.xml or .txt) that contains entries (delimited by new lines) you want to add to the list. Likewise, if you need to export your existing list to a file, select Export from the context menu.
Alternatively, you can specify Regular expression, select Operation: matches regular expression or does not match regular expression.
NOTE ESET Mail Security uses std::regex. Refer to ECMAScript syntax |
for constructing regular expressions. Regular expression syntax is not case sensitive.IMPORTANT You can define multiple conditions. If you do so, all of the conditions must be met for the rule to be applied. All conditions are connected using the logical operator AND. Even if most of the conditions are met and only a single one isn't, the condition evaluation result is considered not met and the rule's action cannot be taken. |
The following conditions are available for Mail transport protection, Database protection and On-demand database scan (some of the options might not display depending on your previously selected conditions):
Condition name |
Description |
|||
|---|---|---|---|---|
Subject |
✓ |
✓ |
✓ |
Applies to messages which contain or do not contain a specific string (or a regular expression) in the subject. |
Sender |
✗ |
✓ |
✓ |
Applies to messages sent by a specific sender. |
SMTP sender |
✓ |
✗ |
✗ |
MAIL FROM envelope attribute used during SMTP connection. Also used for SPF verification. |
Sender's IP address |
✓ |
✗ |
✗ |
Applies to messages sent from a specific IP address. |
Sender's domain |
✓ |
✓ |
✓ |
Applies to messages from a sender with a specific domain in their email addresses. |
SMTP sender's domain |
✓ |
✗ |
✗ |
Applies to messages from a sender with a specific domain in their email addresses. |
From header - address |
✓ |
✗ |
✗ |
"From:" value contained in message headers. This is the address that is visible to the recipient, but no checks are done that the sending system is authorized to send on behalf of that address. It is often used for spoofing the sender. |
From header - display name |
✓ |
✗ |
✗ |
"From:" value contained in message headers. This is the display name that is visible to the recipient, but no checks are done that the sending system is authorized to send on behalf of that address. It is often used for spoofing the sender. |
Recipient |
✓ |
✓ |
✓ |
Applies to messages sent to a specific recipient. |
Database name |
✗ |
✓ |
✗ |
Applies to database with specified name, regardless of it location. Every database with that name will be considered. |
Database path |
✗ |
✓ |
✗ |
Applies to database in specified location. Database path consists of a path and a database name (for example mail\user1.nsf). This gives you more options when creating a condition based on a particular database in specific location, or multiple databases in the same location. •Enter path including database name, if you want the rule to apply to a specific database. •Enter path only, and the rule will apply to all databases located in specified folder and all its subfolders. You must use operation contains / contains one of, otherwise the rule will not work. If you use operation contains / contains one of, you can specify a string that is part of the path or database name and the rule will apply to such path or database. The path is relative to the Domino data directory. It also supports database link relative to the Domino data directory. |
Attachment name |
✓ |
✓ |
✓ |
Applies to messages containing attachments with a specific name. |
Attachment size |
✓ |
✓ |
✓ |
Applies to messages with an attachment that does not meet a specified size, is within a specified size range, or exceeds a specified size. |
Attachment type |
✓ |
✓ |
✓ |
Applies to messages with a specific file type attached. File types are categorized in groups for easy selection, you can select multiple file types or whole categories. |
Message body |
✓ |
✓ |
✓ |
Message body is searched for specified phrase. You can use Strip HTML tags feature to get rid off HTML tags, attributes and values, and preserve text only. The body text will then be searched. |
Message size |
✓ |
✗ |
✗ |
Applies to messages with attachments that do not meet a specified size, are within a specified size range or exceed a specified size. |
Message headers |
✓ |
✗ |
✗ |
Applies to messages with specific data present in the message header. |
Signed message |
✓ |
✗ |
✗ |
Applies to signed messages. |
Encrypted message |
✓ |
✗ |
✗ |
Applies to encrypted messages. |
Antispam scan result |
✓ |
✗ |
✗ |
Applies to messages flagged or not flagged as Ham or Spam. |
Antivirus scan result |
✓ |
✓ |
✓ |
Applies to messages flagged as malicious or not malicious. |
Anti-Phishing scan result |
✓ |
✓ |
✓ |
Applies to messages which were evaluated as phishing. |
Received time |
✗ |
✓ |
✓ |
Applies to messages received before or after a specific date, or during a specific date range. |
Contains password protected archive |
✓ |
✗ |
✗ |
Applies to messages with archive attachments that are protected by a password. |
Contains damaged archive |
✓ |
✗ |
✗ |
Applies to messages with archive attachments that are damaged (most likely impossible to open). |
Attachment is password protected archive |
✗ |
✓ |
✓ |
Applies to messages with archive attachments that are protected by a password. |
Attachment is damaged archive |
✗ |
✓ |
✓ |
Applies to messages with archive attachments that are damaged (most likely impossible to open). |
DKIM result |
✓ |
✗ |
✗ |
Applies to messages that passed or failed verification by DKIM, alternatively if not available. |
SPF result |
✓ |
✗ |
✗ |
Applies to messages for which SPF evaluation result is: Pass - the IP address is authorized to send from the domain (SPF qualifier "+") Fail - SPF record does not contain the sending server or IP address (SPF qualifier "-") Soft fail - the IP address may or may not be authorized to send from the domain (SPF qualifier "~") Neutral - means the domain owner stated in the SPF record that they do not want to assert that the IP address is authorized to send from the domain (SPF qualifier "?") Not available - SPF result of None means that no records were published by the domain or that no checkable sender domain could be determined from the given identity You can read RFC 4408 If you use SPF result, whitelists within Filtering and verification are not taken into account for rules. |
DMARC result |
✓ |
✗ |
✗ |
Applies to messages that passed or failed verification by SPF, DKIM or both, alternatively if not available. |
Has reverse DNS record |
✓ |
✗ |
✗ |
Applies to messages with sender's domain that has reverse DNS record. |