Quarantine messages that contain malware or an attachment that is password protected, encrypted or damaged
 
Objective: Quarantine messages that contain malware or an attachment that is password protected, encrypted or damaged
Create the following rule for Mail transport protection: 
Condition 
•Type: Antivirus scan result 
•Operation: is not 
•Parameter: Clean 
Action 
•Type: Quarantine message
 
Move messages that failed an SPF check to a Junk folder
 
Objective: Move messages that failed an SPF check to a Junk folder 
Create the following rule for Mail transport protection: 
Condition 
•Type: SPF result 
•Operation: is 
•Parameter: Fail 
Action 
•Type: Set SCL value 
•Value: 5 
Set the value according to the SCLJunkThreshold parameter returned by the Get-OrganizationConfig cmdlet on your Exchange server. For more details, see the SCL threshold actions article.
 
Verify email messages suspected of sender spoofing
 
Objective: Verify email messages suspected of sender spoofing. If the message contains your own domain in the "From:" email header or Envelope sender, verify it using the SPF result. If the SPF result is neutral, quarantine the message, log to events, and notify the administrator.
Condition 
•Type: Envelope sender and From header comparison result 
•Operation: is 
•Parameter: Match 
•Type: SPF result - From header 
•Operation: is 
•Parameter: Neutral 
Action 
•Type: Quarantine message, Log to events and Send event notification to administrator
 
Drop messages from specific senders
 
Objective: Drop messages from specific senders 
Create the following rule for Mail transport protection: 
Condition 
•Type: Sender 
•Operation: is / is one of 
•Parameter: spammer1@domain.com, spammer2@domain.com 
Action 
•Type: Drop message silently
 
Blocked IP list
 
Objective: Quarantine messages from an IP address on the Blocked IP list, notify the administrator and log the event.
Details: If an email message arrives from an IP address on the Blocked IP list, the product will quarantine the message and notify you via email. You can then release the message from quarantine or delete it permanently. Otherwise, the product would drop the message without an option for action.
Open Mail transport protection 
Condition 
•Type: Sender's IP address 
•Operation: is on the list 
•List: Blocked IP list 
Action 
•Type: Quarantine message, Log to events and Send event notification to an administrator
 
Customize pre-defined rule
 
Objective: Customize pre-defined rule 
Details: Allow archive attachments in messages from specified IP addresses (internal systems, for example) while using the Forbidden archive file attachments rule 
Open the Mail transport protection rule set, select Forbidden archive file attachments and click Edit. 
Condition 
•Type: Sender's IP address 
•Operation: is not / is not any 
•Parameter: 1.1.1.2, 1.1.1.50-1.1.1.99
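Added example (not part of the original help page or the product's code): a Python check of which sender addresses the exception parameter above actually covers, useful for reviewing how wide the exemption is before saving the rule. It assumes the parameter is a comma-separated list of single IPv4 addresses and inclusive start-end ranges, as the sample value suggests; all function names are hypothetical.

```python
import ipaddress

# Parameter value as shown in the rule above (documentation sample addresses).
RULE_PARAMETER = "1.1.1.2, 1.1.1.50-1.1.1.99"


def parse_ip_list(parameter):
    """Parse 'a.b.c.d, a.b.c.d-a.b.c.d' into inclusive (first, last) pairs."""
    ranges = []
    for item in parameter.split(","):
        item = item.strip()
        if not item:
            continue
        first, sep, last = item.partition("-")
        start = ipaddress.IPv4Address(first.strip())
        end = ipaddress.IPv4Address(last.strip()) if sep else start
        if end < start:
            raise ValueError(f"reversed range: {item}")
        ranges.append((start, end))
    return ranges


def is_exempt(sender_ip, ranges):
    """True if sender_ip is listed, so the 'is not any' condition is false
    and the archive-attachment rule does not apply to this sender."""
    ip = ipaddress.IPv4Address(sender_ip)
    return any(start <= ip <= end for start, end in ranges)


def exempt_address_count(ranges):
    """Number of distinct addresses exempted; overlapping entries count once."""
    total, covered_to = 0, -1
    for start, end in sorted((int(s), int(e)) for s, e in ranges):
        start = max(start, covered_to + 1)
        if end >= start:
            total += end - start + 1
            covered_to = end
    return total


if __name__ == "__main__":
    ranges = parse_ip_list(RULE_PARAMETER)
    print("exempt addresses:", exempt_address_count(ranges))
    # Constructed sender addresses to test against the exception list.
    for ip in ("1.1.1.2", "1.1.1.49", "1.1.1.75", "1.1.1.100"):
        verdict = "exempt (archives allowed)" if is_exempt(ip, ranges) else "rule applies"
        print(f"{ip:>10}  {verdict}")
```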
 
Message body
 
Objective: Quarantine messages that contain certain strings in the Message body 
Create the following rule for Mail transport protection: 
Condition 
•Type: Message body 
•Operation: contains / contains one of; click Add and type a website URL or part of a URL
Action 
•Type: Quarantine message
 
Store messages for non-existent recipients
 
Objective: Store messages for non-existent recipients 
Details: Use this rule if you want all messages to non-existent recipients quarantined, regardless of whether they were marked by Antivirus or Antispam protection.
Condition 
•Type: Recipient validation result 
•Operation: is 
•Parameter: Contains invalid recipient 
Action 
•Type: Quarantine message