Allows you to manually define email filtering conditions and actions to take with filtered emails. There are three separate sets of rules, one for each:
•Mail transport protection
•Mailbox database protection
•On-demand mailbox database scan
IMPORTANT
Incorrectly defined rules for On-demand mailbox database scan can cause irreversible changes to Mailbox databases. Always make sure you have the most recent backup of your Mailbox databases before running On-demand mailbox database scan with rules in place for the first time. We also highly recommend that you verify the rules are running as expected. For verification, define rules with the Log to events action only, because any other action can make changes to your Mailbox databases. Once verified, you can add destructive rule actions such as Delete attachment.
Click Edit to open the Rules list, where you can Add new rules or modify existing ones. You can also define conditions and actions that differ for rules specific to Mail transport protection, Mailbox database protection and On-demand mailbox database scan. This is because each of these protection types uses a slightly different approach when processing messages, especially Mail transport protection.
Rules are classified into three levels and are evaluated in this order:
•Filtering rules (1) - rule evaluated before antispam and antivirus scan
•Attachment processing rules (2) - rule evaluated during antivirus scan
•Result processing rules (3) - rule evaluated after antivirus scan
EXAMPLE
Objective: Quarantine messages that contain malware or a password-protected, damaged or encrypted attachment
Create the following rule for Mail transport protection:
Condition
Type: Antivirus scan result
Operation: is not
Parameter: Clean
Action
Type: Quarantine message
EXAMPLE
Objective: Move messages that failed SPF check to a Junk folder
Create the following rule for Mail transport protection:
Condition
Type: SPF result
Operation: is
Parameter: Failed
Action
Type: Set SCL value
Value: 5 (Set the value according to the SCLJunkThreshold parameter of the Get-OrganizationConfig cmdlet on your Exchange server. For more details, see the SCL threshold actions article.)
EXAMPLE
Objective: Drop messages from specific senders
Create the following rule for Mail transport protection:
Condition
Type: Sender
Operation: is / is one of
Parameter: spammer1@domain.com, spammer2@domain.com
Action
Type: Drop message silently
EXAMPLE
Objective: Customize predefined rule
Details: Allow archive attachments in messages from specified IP addresses (in case of internal systems, for example) while using Forbidden archive file attachments rule
Open Mail transport protection rule set, select Forbidden archive file attachments and click Edit.
Add new Condition:
Type: Sender's IP address
Operation: is not / is not any
Parameter: 1.1.1.2, 1.1.1.50-1.1.1.99
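
To confirm that an exemption list like the one above covers only the intended hosts before saving the rule, this added example (not ESET code and not part of the original documentation) parses the parameter syntax shown above and reports which senders would still hit the rule. It assumes IPv4 only and inclusive ranges; the function names and the sample senders are constructed for illustration.

```python
import ipaddress

def parse_ip_parameter(param):
    """Parse '1.1.1.2, 1.1.1.50-1.1.1.99' into inclusive (first, last) pairs."""
    ranges = []
    for item in param.split(","):
        item = item.strip()
        if not item:
            continue
        first, dash, last = item.partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip()) if dash else lo
        if hi < lo:
            raise ValueError(f"range end precedes start: {item!r}")
        ranges.append((lo, hi))
    return ranges

def rule_applies(sender_ip, ranges):
    """Model of 'is not any': the rule fires unless the sender IP is listed."""
    ip = ipaddress.IPv4Address(sender_ip)
    return not any(lo <= ip <= hi for lo, hi in ranges)

def exempt_count(ranges):
    """Count distinct exempted addresses, merging overlapping entries."""
    total, covered_to = 0, -1
    for lo, hi in sorted((int(a), int(b)) for a, b in ranges):
        lo = max(lo, covered_to + 1)
        if hi >= lo:
            total += hi - lo + 1
            covered_to = hi
    return total

# Parameter value from the example above.
PARAM = "1.1.1.2, 1.1.1.50-1.1.1.99"
# Constructed sample senders: list members, range edges, and outsiders.
SAMPLE_SENDERS = ["1.1.1.2", "1.1.1.49", "1.1.1.50", "1.1.1.99",
                  "1.1.1.100", "203.0.113.7"]

def dry_run(param=PARAM, senders=SAMPLE_SENDERS):
    """Map each sender IP to True if the archive rule would still apply."""
    ranges = parse_ip_parameter(param)
    return {ip: rule_applies(ip, ranges) for ip in senders}

if __name__ == "__main__":
    print("exempted addresses:", exempt_count(parse_ip_parameter(PARAM)))
    for ip, applies in dry_run().items():
        print(f"{ip:15} archive rule {'applies' if applies else 'skipped (exempt)'}")
```

A larger exempted-address count than expected is a sign that a range was typed too broadly and that more senders bypass the archive rule than intended.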
NOTE
If a new rule is added or an existing rule has been modified, a message rescan will automatically start using the new/modified rules.
If you disable Antivirus protection in Setup menu or Advanced setting (F5) > Server > Antivirus and Antispyware for Mail transport and Mailbox database protection layer, it will affect these rule conditions:
•Attachment name
•Attachment size
•Attachment type
•Antivirus scan result
•Attachment is password protected
•Attachment is damaged archive
•Contains damaged archive
•Contains password protected archive
Also, if you disable Antivirus protection in Setup menu or Advanced setting (F5) > Server > Antivirus and Antispyware for Mail transport layer, it will affect these rule actions:
•Quarantine attachment
•Delete attachment