Rule condition
The Rules condition wizard allows you to add conditions for a rule. Select the condition Type and an Operation from the drop-down menu. The operations list changes depending on the rule type you chose. Then select a Parameter. Parameter fields will change depending on the rule type and operation.
For example, choose File size > is greater than, and under Parameter, specify 10 MB. Using these settings, any file larger than 10 MB will be processed using the rule actions you specified. For this reason, you should specify the action taken when a given rule is triggered if you have not already done so when setting that rule's parameters.
If you want to import your custom list from a file instead of adding entries manually, right-click in the middle of the window and select Import from the context menu. Then, you can browse for the file (.xml or .txt, and containing entries delimited by new lines) you want to add to the list. Likewise, select Export from the context menu if you need to export your existing list to a file.
Alternatively, you can specify Regular expression by selecting Operation: matches regular expression or does not match regular expression.
|
ESET Mail Security uses std::regex. Refer to ECMAScript syntax for constructing regular expressions. Regular expression syntax is not case-sensitive, including search results. |
|
You can define multiple conditions. If you do so, all conditions must be met for the rule to apply. All conditions are connected using the logical operator AND. Even if most conditions are met, and only one is not, the condition evaluation result is considered not met, and the rule's action cannot be executed. |
The following condition types are available for Mail transport protection, Mailbox database protection and On-demand mailbox database scan (some of the options might not display depending on your previously selected conditions):
Condition name |
Description |
|||
|---|---|---|---|---|
Subject |
Applies to messages that contain or do not contain a specific string (or a regular expression) in the subject. |
|||
Sender |
Applies to messages sent by a specific sender. |
|||
Envelope sender (SMTP sender) |
MAIL FROM envelope attribute used during SMTP connection, also used for SPF verification. |
|||
Sender's IP address |
Applies to messages sent from a specific IP address. |
|||
Envelop sender's domain / Sender's domain |
Applies to messages from a sender with a specific domain in their email addresses. |
|||
SMTP sender's domain |
Applies to messages from a sender with a specific domain in their email addresses. |
|||
From header - address |
"From:" value contained in message headers. This is the address visible to the recipient, but no checks are done to ensure that the sending system is authorized to send on behalf of that address. It is often used for spoofing the sender. |
|||
From header - display name |
"From:" value contained in message headers. This display name is visible to the recipient, but no checks are done to ensure that the sending system is authorized to send on behalf of that address. It is often used for spoofing the sender. |
|||
Recipient |
Applies to messages sent to a specific recipient. |
|||
Recipient's organizational units |
Applies to messages sent to a recipient of a specific organizational unit. |
|||
Recipient validation result |
Applies to messages sent to a recipient validated in Active Directory. |
|||
Attachment name |
Applies to messages containing attachments with a specific name. This includes files contained within an archive. Evaluate for top-level attachment only - When enabled, files inside an archive will not be evaluated. Use full path for objects inside attachment - When enabled, the object's full path will be evaluated, not just the filename. |
|||
Attachment size |
Applies to messages with an attachment that does not meet a specified size, is within a specified size range, or exceeds a specified size. |
|||
Attachment type
|
Applies to messages with a specific file type attached. File types are categorized into groups for easy selection. You can select multiple file types or whole categories. ESET Mail Security detects the actual file type regardless of the file extension. The same applies to an archive's content. Evaluate for top-level attachment only - When enabled, files inside an archive will not be evaluated.
|
|||
Message size |
Applies to messages with attachments that do not meet a specified size, are within a specified size range or exceed a specified size. |
|||
Mailbox |
Applies to messages located in a specific mailbox. |
|||
Message headers |
Applies to messages with specific data present in the message header. |
|||
Message body |
Message body is searched for a specified phrase. You can use the Strip HTML tags feature to remove HTML tags, attributes and values, and preserve text only. The body text will then be searched. |
|||
Internal message |
Applies depending on whether a message is internal or not internal. |
|||
Outgoing message |
Applies to outgoing messages. |
|||
Signed message |
Applies to signed messages. |
|||
Encrypted message |
Applies to encrypted messages. |
|||
Antispam scan result |
Applies to messages flagged or not flagged as ham or spam. |
|||
Antivirus scan result |
Applies to messages flagged as malicious or not malicious. |
|||
Anti-Phishing scan result |
Applies to messages that were evaluated as phishing. |
|||
Received time |
Applies to messages received before or after a specific date or during a specific date range. |
|||
Contains password protected archive |
Applies to messages with archive attachments that are protected by a password. |
|||
Contains damaged archive |
Applies to messages with damaged archive attachments (most likely unable to open). |
|||
Attachment is password protected archive |
Applies to attachments that are password-protected. |
|||
Attachment is damaged archive |
Applies to attachments that are damaged (most likely unable to open). |
|||
Folder Name |
Applies to messages located in a specific folder. If the folder does not exist, it will be created. This does not apply to Public folders. |
|||
DKIM result |
Applies to messages that passed or failed DKIM verification, alternatively if unavailable. |
|||
SPF result |
Applies to messages with the SPF (Sender Policy Framework) evaluation result: Pass - the IP address is authorized to send from the domain (SPF qualifier "+"). Fail - SPF record does not contain the sending server or IP address (SPF qualifier "-"). Soft fail - the IP address may or may not be authorized to send from the domain (SPF qualifier "~"). Neutral - means the domain owner stated in the SPF record that they do not want to assert that the IP address is authorized to send from the domain (SPF qualifier "?"). Not available - SPF result of None means that the domain published no records or that no checkable sender domain could be determined from the given identity. You can read RFC 4408 for more details about SPF. If you use the SPF result, whitelists within Filtering and verification are not considered for rules. |
|||
DMARC result |
Applies to messages that passed or failed verification by SPF, DKIM or both, alternatively if unavailable. |
|||
Has reverse DNS record |
Applies to messages with the sender's domain that have reverse DNS record. |
|||
NDR result |
Applies to messages that failed verification by NDR. |
|||
Envelope sender and From header comparison result |
Compares the domain(s) contained in the "From:" email header field and Envelope sender against the domain lists. |
Condition type has the following Operations:
•String: is, is not, contains, does not contain, matches, does not match, is in, is not in, in on the list, is not on the list, matches regular expression, does not match regular expression
•Number: is less than, is greater than, is between
•Text: contains, does not contain, matches, does not match
•Date-time: is less than, is greater than, is between
•Enum: is, is not, is in, is not in
|
If Attachment name or Attachment type is Microsoft Office file it is treated by ESET Mail Security as an archive. This means that its content is extracted and each file contained in the Office file archive (for example .docx, .xlsx, .xltx, .pptx, .ppsx, .potx) is scanned separately. |
If you disable Antivirus protection in the Setup menu or Advanced setting (F5) > Server > Antivirus and Antispyware for Mail transport and Mailbox database protection layer, it will affect these rule conditions:
•Attachment name
•Attachment size
•Attachment type
•Antivirus scan result
•Attachment is password-protected
•Attachment is damaged archive
•Contains damaged archive
•Contains password-protected archive