Rules

Rules allow you to manually define email filtering conditions and the actions to take with filtered emails. There are three separate sets of rules, one for each of the following:

Mail transport protection

Mailbox database protection

On-demand mailbox database scan

IMPORTANT

Incorrectly defined rules for On-demand mailbox database scan can cause irreversible changes to Mailbox databases. Always make sure you have the most recent backup of your Mailbox databases before running On-demand mailbox database scan with rules in place for the first time. We also highly recommend that you verify the rules are running according to expectations. For verification, define rules with the Log to events action only, because any other action can make changes to your Mailbox databases. Once verified, you can add destructive rule actions such as Delete attachment.

Click Edit to open the Rules list, where you can add new rules or modify existing ones. You can also define conditions and actions that differ for rules specific to Mail transport protection, Mailbox database protection and On-demand mailbox database scan. This is because each of these protection types uses a slightly different approach when processing messages, especially Mail transport protection.

Rules are classified into three levels and are evaluated in this order:

Filtering rules (1) - rules evaluated before the antispam and antivirus scan

Attachment processing rules (2) - rules evaluated during the antivirus scan

Result processing rules (3) - rules evaluated after the antivirus scan

EXAMPLE

Objective: Quarantine messages that contain malware or a password-protected, damaged or encrypted attachment

Create the following rule for Mail transport protection:

Condition

Type: Antivirus scan result
Operation: is not
Parameter: Clean

Action

Type: Quarantine message

EXAMPLE

Objective: Move messages that failed the SPF check to a Junk folder

Create the following rule for Mail transport protection:

Condition

Type: SPF result
Operation: is
Parameter: Failed

Action

Type: Set SCL value
Value: 5 (Set the value according to the SCLJunkThreshold parameter of the Get-OrganizationConfig cmdlet on your Exchange server. For more details, see the SCL threshold actions article.)

EXAMPLE

Objective: Drop messages from specific senders

Create the following rule for Mail transport protection:

Condition

Type: Sender
Operation: is / is one of
Parameter: spammer1@domain.com, spammer2@domain.com

Action

Type: Drop message silently

EXAMPLE

Objective: Customize a predefined rule
Details: Allow archive attachments in messages from specified IP addresses (in the case of internal systems, for example) while using the Forbidden archive file attachments rule

Open the Mail transport protection rule set, select Forbidden archive file attachments and click Edit.

Add a new Condition:

Type: Sender's IP address
Operation: is not / is not any
Parameter: 1.1.1.2, 1.1.1.50-1.1.1.99
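
An offline check of which senders the condition above exempts from the Forbidden archive file attachments rule, added here as an example; it is not part of the ESET documentation or product. It assumes the parameter holds only comma-separated single addresses and first-last ranges, as in the value shown above, and all function names are hypothetical.

```python
import ipaddress

def parse_ip_parameter(parameter):
    """Parse a list such as '1.1.1.2, 1.1.1.50-1.1.1.99' into (first, last) pairs.

    Assumed format: comma-separated single addresses or first-last ranges.
    """
    ranges = []
    for entry in parameter.split(","):
        entry = entry.strip()
        if not entry:
            continue
        first, sep, last = entry.partition("-")
        lo = ipaddress.ip_address(first.strip())
        hi = ipaddress.ip_address(last.strip()) if sep else lo
        # Reject mixed IPv4/IPv6 ranges and ranges typed backwards.
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry!r}")
        ranges.append((lo, hi))
    return ranges

def is_listed(sender_ip, ranges):
    """True when sender_ip equals a single entry or lies inside a range (inclusive)."""
    ip = ipaddress.ip_address(sender_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

def rule_still_applies(sender_ip, parameter):
    """Condition 'is not / is not any': met only when the sender is outside every entry."""
    return not is_listed(sender_ip, parse_ip_parameter(parameter))

def exempt_address_count(parameter):
    """Number of addresses exempted; assumes the entries do not overlap."""
    return sum(int(hi) - int(lo) + 1 for lo, hi in parse_ip_parameter(parameter))

PARAMETER = "1.1.1.2, 1.1.1.50-1.1.1.99"  # value from the example above
# Constructed sender addresses around the range boundaries.
SAMPLES = ["1.1.1.2", "1.1.1.3", "1.1.1.49", "1.1.1.50", "1.1.1.99", "1.1.1.100"]

if __name__ == "__main__":
    print(f"{exempt_address_count(PARAMETER)} addresses bypass the archive rule")
    for ip in SAMPLES:
        state = "rule applies" if rule_still_applies(ip, PARAMETER) else "exempt"
        print(f"{ip:<12} {state}")
```

Reviewing the exempt count before saving the rule helps keep the exception limited to the internal systems it was meant for.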

NOTE

If a new rule is added or an existing rule is modified, a message rescan will start automatically using the new or modified rules.

If you disable Antivirus protection in the Setup menu or in Advanced setting (F5) > Server > Antivirus and Antispyware for the Mail transport and Mailbox database protection layers, it will affect these rule conditions:

Attachment name

Attachment size

Attachment type

Antivirus scan result

Attachment is password protected

Attachment is damaged archive

Contains damaged archive

Contains password protected archive

Also, if you disable Antivirus protection in the Setup menu or in Advanced setting (F5) > Server > Antivirus and Antispyware for the Mail transport layer, it will affect these rule actions:

Quarantine attachment

Delete attachment