Chapter 9 - Using content filtering

Applies to: Microsoft Antigen

Content filtering provides another tool to help manage the flow of messages entering and exiting your enterprise mail stream. Content filtering enables you to filter messages using a variety of filtering tools. These include:

  • Sender-domains filtering.
  • Subject line filtering.
  • Filter set templates, which simplify the creation and management of file and content filters on all scan jobs.

You can control whether inbound or outbound content filtering runs on the Internet Scan Job using these registry keys:

  • DisableOutboundContentFiltering
  • DisableInboundContentFiltering

Both keys are 0 (the key is off) by default, so neither direction of content filtering is disabled by them. Setting a key to 1 turns it on, which disables content filtering for that direction, as the key name indicates. After changing these settings, the SMTP and Antigen services must be recycled for the changes to take effect. (For more information about Antigen registry settings, see Appendix B - Setting registry keys.)

Configuring sender-domains filtering

Sender-domains filtering lets you filter messages from particular senders or domains. Wildcard characters can be used to enable filters such as *@domain.com to filter all mail from a certain domain.

Note

Sender-domains filtering applies only to the From field in a message. It cannot be used for the To field.

To configure sender-domains filtering

  1. Click FILTERING in the Shuttle Navigator.

  2. Select the Content icon. The Content Filtering work pane appears to the right.

  3. In the upper work pane, select the scan job for which you would like to create a content filter.

  4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane.

  5. A text box appears. Type the sender or domain that you would like to filter. If you want to use a generic domain name filter, you must use an * (wildcard character) before the domain name. For example:

    • Generic domain: *@domain.com
    • Specific sender: someone@domain.com
  6. Press ENTER after you have typed the sender or domain. You can add as many entries as you want, but each must be entered separately.

  7. Enable the filter with the Filter field.

  8. Indicate the Action to take if there is a filter match.

  9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (located under REPORT in the Shuttle Navigator) are sent a notification that a message was filtered. You must also configure the notifications themselves. (For details, see Chapter 14 - Using e-mail notifications.)

  10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, allowing you to recover them. However, worm-purged messages are not recoverable.

  11. Click Save.

Note

The SMTP Scan Job uses the display name of the sender to match against sender-domains filters. If there is no display name in the header, the SMTP Scan Job falls back to matching the e-mail address against the filter. Because the display name is supplied by the sender, a sender-domains match identifies what the message claims about its sender; it does not verify who sent it.
You can also create a filter list that contains multiple sender-domains. For more information, see Creating content filter lists.
You can create a sender-domains filter that filters mail from all users in a domain except for specific users in that domain. For more information, see Filtering mail from all users in a domain except for specific users.

Configuring subject line filtering

Subject line filtering lets you filter messages based on the content of the subject line of the message. Wildcard characters can be used.

To configure subject line filtering

  1. Click FILTERING in the Shuttle Navigator.

  2. Select the Content icon. The Content Filtering work pane appears to the right.

  3. In the upper work pane, select the scan job for which you would like to create a content filter.

  4. Select Subject Lines in the Content Fields pane in the lower-left corner, and then click the Add button in the Content Filters pane.

  5. A text box appears so that you can type the content you would like to filter.

  6. Press ENTER after you have typed the content. You can add as many entries as you want, but each must be entered separately.

  7. Enable the filter with the Filter field.

  8. Indicate the Action to take if there is a filter match.

  9. Indicate whether to Send Notifications if there is a filter match. If Send Notifications is selected, the Content Administrators set in the Notification Setup work pane (located under REPORT in the Shuttle Navigator) are sent a notification that a message was filtered. You must also configure the notifications themselves. (For details, see Chapter 14 - Using e-mail notifications.)

  10. Indicate whether to Quarantine the item if there is a filter match. Enabling quarantine causes deleted attachments and purged messages to be stored, allowing you to recover them. However, worm-purged messages are not recoverable.

  11. Click Save.

Note

You can also create a filter list that contains multiple subject lines. For more information, see Creating content filter lists.

If you are entering a partial subject line as a filter, it is recommended that you use asterisk wildcard characters (*) at the beginning and the end of the phrase to ensure proper detection. A filter must match the whole subject line, so:

  • The filter "get rich quick" filters only messages whose subject line is exactly the target phrase.
  • The filter "* get rich quick" filters messages whose subject line is the target phrase or ends with the target phrase.
  • The filter "* get rich quick *" filters messages that contain the target phrase anywhere in the subject line.

You can use the following syntax to refine your filters.

Syntax: Description

*

Matches any number of characters (including none) in the subject line, sender string, or file name being filtered. You can use multiple asterisks. The following are some examples of its usage:

  • Single—Any of these single wildcard character patterns detects veryevil: veryevil*, very*, *il
  • Multiple—Any of these multiple wildcard character patterns detects veryevil: V*r*v*l, *very*, *evil*

?

Matches exactly one character. This is useful because many malicious senders insert extra characters between letters to evade filters.

For example, you can filter C-O-N-T-E-S-T with the filter: C?O?N?T?E?S?T

[set]

A list of characters and ranges enclosed in square brackets, such as [abcdef]. Any single character in the specified set is matched.

For example, the set is useful for creating a single rule that matches when the number zero (0) is used instead of the letter o. Ozone and oz0ne can both be filtered using oz[o0]ne

[^set]

Matches any single character that is not in the set. Use it to exclude characters that you know are not used in the text you want to match.

range

Indicates several possible values in a set. It is specified by a starting character, a hyphen (-), and an ending character.

For example, klez[ad-gp] matches kleza, klezd, kleze, klezf, klezg, and klezp, but not klezb or klezr.

\char

Indicates that a special character is used literally (the special characters are: * ? [ ] - ^ < >). The backslash is called an escape character, and indicates that the reserved control character following it should be taken literally, as a text character.

For example, if you enter *hello*, you normally expect to match hello anywhere in the subject line. If you enter *\*hello\**, you match *hello*. If you enter *\*hello\?\**, you match *hello?*.

Note

You must use a backslash before each special character that you want taken literally.
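The following is an added example, not code from the Antigen documentation or product: a small Python translation of the wildcard syntax above into a regular expression, exercised on the page's own sample patterns. Antigen's matcher is not published, so this models the behaviour the table describes. Two assumptions are drawn from the table's examples rather than stated on the page: matching is case-insensitive (V*r*v*l and oz[o0]ne are said to detect veryevil and Ozone), and the pattern must cover the entire subject line (which is why a partial phrase needs a leading and trailing *).

```python
import re

# Added example: translate an Antigen-style filter pattern (the syntax table
# above) into a regular expression and match it against a whole subject line.
# Assumptions, not stated on the page: matching is case-insensitive and the
# pattern must cover the entire string (both are implied by the page's examples).

def antigen_to_regex(pattern):
    """Return an unanchored regex source equivalent to the Antigen pattern."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:            # \char: the next character is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":                         # any run of characters, even empty
            out.append(".*")
            i += 1
        elif c == "?":                         # exactly one character
            out.append(".")
            i += 1
        elif c == "[":                         # [set] or [^set], a-z ranges allowed
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j] if j != -1 else ""
            negate = body.startswith("^")
            body = body[1:] if negate else body
            if not body:
                raise ValueError("empty or unterminated [set] in filter %r" % pattern)
            # ranges such as d-g pass straight through; neutralise backslashes so
            # the regex engine does not read them as escapes inside the class
            body = body.replace("\\", "\\\\")
            out.append("[" + ("^" if negate else "") + body + "]")
            i = j + 1
        else:                                  # ordinary character, taken literally
            out.append(re.escape(c))
            i += 1
    return "".join(out)

def matches(pattern, text):
    """True when the whole subject line (or sender string) matches the filter."""
    return re.fullmatch(antigen_to_regex(pattern), text, re.IGNORECASE) is not None

if __name__ == "__main__":
    # Sample patterns and subjects taken from the syntax table above
    for pat, subj in [("C?O?N?T?E?S?T", "C-O-N-T-E-S-T"),
                      ("oz[o0]ne", "Ozone"),
                      ("klez[ad-gp]", "klezr"),
                      ("*\\*hello\\**", "*hello*"),
                      ("* get rich quick *", "Learn to get rich quick today")]:
        print("%-22s %-32s %s" % (pat, subj, matches(pat, subj)))
```

Run it and the klez[ad-gp] line prints False for klezr while the others print True, which is the behaviour the table specifies. If you use this to pre-check a filter list before typing it into the Antigen Administrator, remember that [^set] and the backslash escapes are the two places where a pattern copied from another tool's glob syntax is most likely to mean something different.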

Action

You also need to select the action that Antigen for SMTP Gateways should take upon detecting a match to your filter criteria.

Note

You must set the action for each filter you configure. The action setting is not global.

Action Description

Skip: Detect Only

Records the number of messages that meet the filter criteria, but allows the messages to route normally. If, however, Delete Corrupted Compressed, Delete Corrupted Uuencode Files, or Delete Encrypted Compressed Files was selected in General Options, a match to any of those conditions causes the item to be deleted.

Purge: Eliminate Message

Deletes the message from your mail system. When you select this option, a warning appears informing you that if there is a filter match, the message will be purged and unrecoverable. Click Yes to continue.

Identify: Tag message

The subject line or message header of the detected message can be tagged with a customizable word or phrase. This tag can be modified for each scan job by clicking Tag Text on the Scan Job Settings work pane and modifying the text. The same tag, however, will be used for all filters associated with the particular scan job.

Creating content filter lists

You can create a content list that contains multiple content filters (sender-domains or subject lines). After you have created the list, the steps for configuring the filter list are the same as in the preceding procedures, except that you must select the filter list rather than a filter name.

To create a content filter list

  1. Click the Filter Lists icon in the FILTERING section of the Shuttle Navigator.

  2. In the List Types section, select Subject Lines or Sender-Domains.

  3. In the List Names section, click Add.

  4. Type a name for the new list, and then press ENTER. The empty list appears in the List Names section.

  5. With the new list name selected, click Edit. The Edit Filter List dialog box appears. Use it to add items to the list.

  6. In the Include In Filter section, click Add.

  7. Type the data to be included in the filter list. The type of data that you add depends on the type of filter list that you selected. For Subject Lines, add text that might appear in the subject line of a message. For Sender-Domains, add specific senders or generalized domains. Press ENTER when you have finished typing. You can have as many words or phrases as you want, but each must be entered separately.

    The Exclude from Filter field is used to enter data that should never be included on the relevant list. This prevents these entries from being accidentally added when importing a list from a text file. For more information on importing files, see Importing new items into a filter list.

  8. When you are finished adding items, click OK. The information that you just entered appears, alphabetically, in the pane next to List Names.

  9. Click Save.

Note

You can change the name of a list by selecting the list in the List Names box and then pressing F2.

Importing new items into a filter list

Filter lists can be created offline in Notepad or in a similar text editor, and then imported into the appropriate filter list by using the Antigen Administrator.

To create and import entries into a filter list

  1. Create a list and then save it as a text file. Place each filter on its own line in the file.

  2. Open the Antigen Administrator and click Filter Lists on the FILTERING area of the Shuttle Navigator.

  3. Select the filter list into which you will be importing data.

  4. Click the Edit button. The Edit Filter List dialog box appears.

  5. Click the Import button. A File Explorer window will open so that you can navigate to the text file that you created in step 1.

  6. Select the file and click Open.

  7. The file will be imported into the middle pane of the Import List editor so that you can select the entries that you would like to include in your filter list. Use the <=== button to move all the items into the Include In Filter section, or use the <--- button to move single items. You can use the right-pointing arrows to move items into the Exclude From Import section.

  8. When you have moved all of the desired items, click OK.

  9. Click Save.

Exporting sender-domains filters, file filters, and subject line filters

The command line utility ExportLists facilitates the export of sender-domains filters, file filters, and subject line filters. Exported files are saved as text files that can then be imported into Antigen using the import function.

To export files from Antigen

  1. From a command prompt, change to the Antigen installation folder.

  2. Enter: ExportLists [-s ServerName][-o OutputDirectory] and then press ENTER.

    ServerName is the name of the server from which you are exporting the files, and OutputDirectory is the directory where you would like the exported files saved.

    If no ServerName is entered, the utility defaults to the current server. Note that the system that this is executed on must have the same username and password as the system from which the lists are retrieved.

    If no OutputDirectory is entered, that field defaults to the current directory.

    A file will be created for each scan job and template that contains any file, sender, or subject line entries. The format of the files is as follows:

    scanjobname-FILES.txt

    templatename Template-FILES.txt

    Where scanjobname is the actual scan job name and templatename is the actual template name.

  3. Import the text files into Antigen by using the Import function described in Importing new items into a filter list.

Filtering mail from all users in a domain except for specific users

This section describes how to configure Antigen to filter mail from all users in a domain except for specific users in that domain.

To filter mail from all users in a domain except for specific users

  1. Click FILTERING in the Shuttle Navigator.

  2. Select the Content icon. The Content Filtering work pane appears to the right.

  3. In the upper work pane, select the scan job for which you would like to create a content filter.

  4. Select Sender-Domains in the Content Fields pane in the lower-left corner, and then click Add in the Content Filters pane.

  5. Type the e-mail address of a specific user whose mail you do not want filtered, and then press ENTER. For example, type user_name@domain_name.com, where user_name and domain_name stand for the real user name and domain.

  6. Set the Action to Skip: Detect Only.

    Note

    You can add multiple e-mail addresses, but each one must be entered separately. Repeat steps 5 and 6 if you want to add more e-mail addresses whose mail you do not want filtered.

  7. Under Content Filters, click Add.

  8. Type the name of the domain that you want filtered. When you type the domain name, include the asterisk (*) wildcard character. For example, type *@domain_name.com, where domain_name stands for the real domain.

    Note

    Make sure that you add the filter for the domain name directly underneath the filter for the specific users whose mail you do not want filtered. Antigen works from the top of the list down, and the first filter that matches a message determines the action taken; if the domain filter came first, it would match the excepted users too.

  9. Set the Action to Purge: Eliminate Message.

  10. Click Save.

Using directional content filters

When using the content filter in conjunction with the SMTP Scan Job, it is possible to configure a filter so that it checks only inbound or outbound messages. This is accomplished by adding a prefix to the filter entry (the file name for a file filter, or the sender-domains or subject line text for a content filter) when you type it in the Filter Name pane. The options are:

  • Inbound Filtering—Prefixing the entry with the <in> directive instructs Antigen for SMTP Gateways to apply the filter only to inbound messages. For example: <in>filename
  • Outbound Filtering—Prefixing the entry with the <out> directive instructs Antigen for SMTP Gateways to apply the filter only to outbound messages. For example: <out>filename
  • Inbound, Outbound, and Internal Filtering—If no prefix is added, the filter is applied to all messages, regardless of direction. For example: filename

Note

There are no spaces between the prefix and the file name.
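The rules from the preceding sections, modelled in Python as an added example that is not Antigen's own code: an ordered sender-domains list evaluated from the top down, so that a Skip entry for an excepted user shields that user from the Purge entry for the whole domain (see Filtering mail from all users in a domain except for specific users); <in> and <out> prefixes that restrict an entry to one direction; and the SMTP Scan Job's rule of matching the display name before the address (see the note under Configuring sender-domains filtering). Python's fnmatchcase stands in for Antigen's matcher, since its * and ? agree with the syntax on the page. The addresses are constructed, the lowercasing used for case-insensitive comparison is an assumption, and first-match-wins is inferred from the procedure rather than stated on the page.

```python
from fnmatch import fnmatchcase

# Direction prefixes described in "Using directional content filters".
DIRECTION_PREFIXES = (("<in>", "inbound"), ("<out>", "outbound"))

def parse_entry(entry):
    """Split an entry into (direction or None, pattern). No prefix means the
    filter applies to every message regardless of direction."""
    for prefix, direction in DIRECTION_PREFIXES:
        if entry.startswith(prefix):
            return direction, entry[len(prefix):]
    return None, entry

def sender_match_value(display_name, address):
    """What the SMTP Scan Job compares against sender-domains filters, per the
    page's note: the display name when there is one, otherwise the address."""
    return display_name if display_name else address

def evaluate(filters, value, direction):
    """filters is an ordered list of (entry, action). Antigen works from the top
    of the list down, so the first entry whose pattern matches decides the action
    (assumption drawn from the except-specific-users procedure). fnmatchcase
    stands in for Antigen's matcher; lowercasing makes the comparison
    case-insensitive, which is also an assumption."""
    for entry, action in filters:
        scope, pattern = parse_entry(entry)
        if scope is not None and scope != direction:
            continue                      # entry is not applied to this direction
        if fnmatchcase(value.lower(), pattern.lower()):
            return action
    return None                           # nothing matched: the message routes normally

# Constructed sample list (example.com and example.net are reserved documentation
# domains): except one user, purge the rest of the domain, plus an inbound-only purge.
SENDER_FILTERS = [
    ("alice@example.com",      "Skip: Detect Only"),         # exception comes first
    ("*@example.com",          "Purge: Eliminate Message"),  # rest of the domain
    ("<in>*@bulk.example.net", "Purge: Eliminate Message"),  # inbound messages only
]

# The same two domain entries in the wrong order: the exception is never reached.
WRONG_ORDER = [SENDER_FILTERS[1], SENDER_FILTERS[0]]

if __name__ == "__main__":
    for sender in ("alice@example.com", "bob@example.com"):
        print(sender, "inbound ->", evaluate(SENDER_FILTERS, sender, "inbound"))
    print("wrong order, alice ->", evaluate(WRONG_ORDER, "alice@example.com", "inbound"))
    print("bulk sender, outbound ->", evaluate(SENDER_FILTERS, "x@bulk.example.net", "outbound"))
    # The display name is chosen by whoever sends the message, so it can be made
    # to look like the excepted address and take the Skip entry instead of Purge.
    spoofed = sender_match_value("alice@example.com", "mallory@example.com")
    print("spoofed display name ->", evaluate(SENDER_FILTERS, spoofed, "inbound"))
```

The last line of output is the practical caveat: with the SMTP Scan Job matching on the display name, a message from mallory@example.com whose display name reads alice@example.com matches the Skip entry rather than the Purge entry. A Skip exception placed above a Purge rule is therefore an allow-list keyed on sender-supplied text, and should be kept short and reviewed.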

About international character sets

Support for content filtering within Antigen for SMTP Gateways extends beyond the English character set. For example, messages with attachments or subject lines that include Japanese characters, words, or phrases are handled in the same manner as messages with attachments or subject lines that use only English character sets.

About reporting

Messages that are filtered because of sender-domains filtering or subject line filtering are reported in the Virus Incidents log under the Virus or Filter header. Messages filtered because of sender-domains matches are noted as SENDER=<filter>, and subject line matches are reported as SUBJECT=<filter>. In the activity and Virus Incidents logs, no file name is indicated. In the quarantine area, the body and each attachment are quarantined with the sender-domains or subject line filter indicated.

Using filter set templates

Filter set templates can be created for use with any Antigen for SMTP Gateways scan job. A single filter set template can be associated with any or all of the scan jobs, and you can also create multiple filter set templates for use on different servers or different scan jobs.

Creating a filter set template

Start by creating a filter set template.

To create a filter set template

  1. If the templates are not visible, display them by clicking File, selecting Templates, and then clicking View Templates.

  2. Click File, select Templates, and then click New. The New Template dialog box appears.

  3. Select Filter Set, enter a name for it, and then click OK. Your new filter set template now appears in the list in the top pane, ready to be configured.

Configuring a filter set template

After you create a filter set template, you must configure it.

To configure a filter set template

  1. Click File or Content in the FILTERING shuttle. The File Filtering or Content Filtering work pane appears.

  2. Select the name of the filter set template to be configured in the upper pane.

  3. Using the Add button, add a file filter or a content filter, and then specify the criteria for that filter. You can create multiple filters within a filter set template. A filter set template can contain a combination of file filters and content filters.

  4. Click Save.

Associating a filter set template with a scan job

After you create and configure a filter set template, associate it with a scan job. During scanning, Antigen for SMTP Gateways uses the filter set template configuration first, and then uses any other filter setting that you have specified when setting up the scan job.

To associate a filter set template with a scan job

  1. Select Templates in the SETTINGS shuttle.

  2. Select a scan job in the Job List.

  3. Select the filter set template that you want to associate with the job from the Filter Set list in the lower pane. You can associate a single filter set template with a scan job. If you are not sure about the contents of the filter set template, click View Filter Set. Click the left arrow button at the bottom of the pane when you are finished viewing the contents.

  4. Click Save. The filter set template is now associated with that scan job. During scanning, Antigen for SMTP Gateways uses the filter set template configuration first, and then any other filter settings that you specified when setting up the scan job.

Note

To cancel the association, repeat the preceding steps and select None from the Filter Set list (or select a different filter set template).

Editing a filter set template

You can modify the settings in a filter set template.

To edit a filter set template

  1. Click File or Content in the FILTERING shuttle. The File Filtering or Content Filtering work pane appears.

  2. Select the filter set template in the upper pane.

  3. Select the filter whose configuration you want to modify in the lower pane.

  4. Click Edit and then make your changes.

  5. Click Save.

Note

File filters that you created are displayed in the File Names section and can be modified. Filter set templates are also displayed; however they cannot be selected for modification in the File Names section. To modify a filter set template, you must select its template in the upper pane. When a filter set template is assigned to a scan job, the contents of the filter set template will not be visible unless View Templates is selected in the File option of the menu bar.

Deleting a filter set template

You can delete a filter set template.

To delete a filter set template

  1. If the filter set template has been associated with a scan job, you have to remove the association. Follow the directions in Associating a filter set template with a scan job, and either reset the association to None or select a different filter set template for the association.

  2. Select the filter set template in the Job List of the Template Settings work pane.

  3. Click File, click Templates, and then click Delete.

  4. Confirm the deletion request.

Renaming a filter set template

You can rename a filter set template.

To rename a filter set template

  1. Select the filter set template in the Job List of the Template Settings work pane.

  2. Click File, click Templates, and then click Rename. The Rename Template dialog box appears.

  3. Type the template's new name.

  4. Click OK.

Distributing filter set templates to remote servers

Filter set templates can be distributed to remote servers by using the deploy template feature of the Antigen Enterprise Manager. For more information about using the Antigen Enterprise Manager, see the Microsoft Antigen Enterprise Manager User Guide at the Microsoft Antigen TechNet Library.

You can also use AntigenStarter from the command prompt to manually install filter set templates on remote servers.

The syntax of AntigenStarter is:

AntigenStarter t[options] [\servername]

The t parameter instructs AntigenStarter to read the settings in the Template.adb file and apply them to the named server.

For complete instructions about AntigenStarter, see "Deploying named templates" in Chapter 7 - Using templates.

For example, to update the content filter settings on server1, you would enter:

AntigenStarter tc \server1
