fabio75 2 Posted June 10, 2013 (edited)

Hello! Is there a tech guide where I can find some more help? I want to understand how to use antispam rules. I cannot find any help about how to build my own custom rules files. ...is there a more verbose manual than this???

Is it possible to give a negative offset to those emails containing some words or phrases? Ex: I want all emails containing "this phrase is good" to be more easily considered as HAM. Is it possible?

Thank you, Fabio

Edited June 10, 2013 by fabio75

drewd 6 Posted June 13, 2013

I see that you are asking about using text strings to identify non-legitimate email as SPAM. EMSX allows you to set up User-defined rules from within the EMSX GUI that can filter SPAM and malware based on many different variables: you can specify conditions, such as text strings, that when detected will result in certain actions being performed, such as the email being placed into the system quarantine, or certain types of attachments being deleted.

Here is some additional information regarding creating and using User-defined rules to filter SPAM and malware, from the documentation that you referenced previously: hxxp://download.eset.com/manuals/eset_emsx_45_userguide_enu.pdf

1.4.3 Application of user-defined rules

Protection based on user-defined rules is available for scanning with both the VSAPI and the transport agent. You can use the ESET Mail Security user interface to create individual rules that may also be combined. If one rule uses multiple conditions, the conditions will be linked using the logical operator AND. Consequently, the rule will be executed only if all its conditions are fulfilled. If multiple rules are created, the logical operator OR will be applied, meaning the program will run the first rule for which the conditions are met.

In the scanning sequence, the first technique used is greylisting - if it is enabled. Consequent procedures will always execute the following techniques: protection based on user-defined rules, followed by an antivirus scan and, lastly, an antispam scan.

3.1.2 Rules

The Rules menu item allows administrators to manually define email filtering conditions and actions to take with filtered emails. The rules are applied according to a set of combined conditions. Multiple conditions are combined with the logical operator AND, applying the rule only if all the conditions are met.
The Number column (next to each rule name) displays the number of times the rule was successfully applied.

Add... - adds a new rule
Edit... - modifies an existing rule
Remove - removes selected rule
Clear - clears the rule counter (the Hits column)
Move up - moves selected rule up in the list
Move down - moves selected rule down in the list

Unchecking a check box (to the left of each rule name) deactivates current rule. This allows for the rule to be reactivated again if needed.

NOTE: You can also use system variables (e.g., %PATHEXT%) when configuring Rules.

NOTE: If a new rule has been added or an existing rule has been modified, a message rescan will automatically start using the new/modified rules.

3.1.2.1 Adding new rules

This wizard guides you through adding user-specified rules with combined conditions.

NOTE: Not all of the conditions are applicable when the message is scanned by the transport agent.

By target mailbox applies to the name of a mailbox (VSAPI)
By message recipient applies to a message sent to a specified recipient (VSAPI + TA)
By message sender applies to a message sent by a specified sender (VSAPI + TA)
By message subject applies to a message with a specified subject line (VSAPI + TA)
By message body applies to a message with specific text in the message body (VSAPI)
By attachment name applies to a message with a specific attachment name (VSAPI + TA)
By attachment size applies to a message with an attachment exceeding a defined size (VSAPI in Exchange 2000 and 2003, VSAPI + TA in Exchange 2007 and 2010)
By frequency of occurrence applies to objects (email body or attachment) where the number of occurrences within the specified time interval exceeds the specified number (TA with VSAPI disabled).
This is particularly useful if you are constantly spammed with emails with the same email body or the same attachment
By attachment type applies to a message with an attachment of specified file type (actual file type is detected by its contents, regardless of file extension) (VSAPI)

When specifying the conditions above (except the By attachment size condition), it is sufficient to fill in only part of a phrase as long as the Match whole words option is not selected. Values are not case-sensitive, unless the Match case option is selected. If you are using values other than alphanumerical characters, use parentheses and quotes. You can also create conditions using the logical operators AND, OR and NOT.

NOTE: The list of available rules depends on installed version of Microsoft Exchange Server.

NOTE: Microsoft Exchange Server 2000 (VSAPI 2.0) only evaluates displayed sender/recipient name and not the email address. Email addresses are evaluated starting with Microsoft Exchange Server 2003 (VSAPI 2.5) and higher.

Examples of entering conditions:

By target mailbox: smith
By email sender: smith@mail.com
By email recipient: “J.Smith” or “smith@mail.com”
By email subject: “ ”
By attachment name: “.com” OR “.exe”
By email body: (“free” OR “lottery”) AND (“win” OR “buy”)

3.1.2.2 Actions taken when applying rules

This section allows you to select actions to take with messages and/or attachments matching conditions defined in rules.
You can take no action, mark the message as if it contained a threat/spam or delete the whole message. When a message or its attachment matches the rule conditions, it is not scanned by the antivirus or antispam modules by default, unless scanning is enabled explicitly by selecting the respective check boxes at the bottom (the action taken then depends on the antivirus/antispam settings).

No action - no action will be taken with the message
Take action for uncleaned threat - the message will be marked as if it contained an uncleaned threat (regardless of whether it contained the threat or not)
Take action for unsolicited email - the message will be marked as if it were spam (regardless of whether it is spam or not). This option will only work if antispam protection is enabled and the action is being performed on transport agent level. Otherwise this action will not be performed
Delete message - removes the entire message with content that meets the conditions, however this action only works on VSAPI 2.5 and newer (VSAPI 2.0 and older cannot perform this action)
Quarantine file - attached file(s) that meet the rules criteria will be put into file quarantine of ESET Mail Security, do not confuse this with the mail quarantine (for more information about mail quarantine see Message quarantine)
Submit file for analysis - sends suspicious attachments to the ESET lab for analysis
Send event notification - sends a notification to the administrator (based on settings in Tools > Alerts and notifications)
Log - writes information about the applied rule to the program log
Evaluate other rules - allows the evaluation of other rules, enabling the user to define multiple sets of conditions and multiple actions to take, given the conditions
Scan by antivirus and antispyware protection - scans the message and its attachments for threats
Scan by antispam protection - scans the message for spam

NOTE: This option is available only in Microsoft Exchange Server 2000 and later with the transport agent turned

The last step in the new rule creation wizard is to name each created rule. You can also add a Rule comment. This information will be stored in the Microsoft Exchange Server log.

kmauldin 0 Posted March 6, 2015

Do you realize you just copied and pasted from the exact manual he said DIDN'T have enough information? You didn't even answer his question.

I, too, was needing more information on rules than what the manual provided. Particularly how to use the "Evaluate other rules" action. I'm never given the option to link it to another rule when I check that box. What gives? All the manual says about it is "allows the evaluation of other rules, enabling the user to define multiple sets of conditions and multiple actions to take, given the conditions"........ Okay cool. How the heck do I link the rules? Frustrating.
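
The rule semantics quoted from the manual in this thread (AND/OR/NOT conditions, case-insensitive partial matching, rules tried in list order), modelled as an added Python example; it is not part of any post and not ESET's code. The operator precedence, the reading of "Evaluate other rules" as "keep going down the list after this rule fires", and all names below are assumptions.

```python
import re

TOKEN = re.compile(r'\(|\)|"[^"]*"|\bAND\b|\bOR\b|\bNOT\b|[^\s()"]+')

def matches(expr, text, whole_words=False, match_case=False):
    """Evaluate one condition, e.g. ("free" OR "lottery") AND ("win" OR "buy")."""
    tokens = TOKEN.findall(expr.replace("\u201c", '"').replace("\u201d", '"'))
    pos = 0
    def found(term):  # substring match unless "Match whole words" is on
        pat = rf"(?<!\w){re.escape(term)}(?!\w)" if whole_words else re.escape(term)
        return re.search(pat, text, 0 if match_case else re.I) is not None
    def chain(op, sub):  # left-associative run of one binary operator
        nonlocal pos
        val = sub()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = sub()  # always parse the right side, then combine
            val = (val or rhs) if op == "OR" else (val and rhs)
        return val
    def parse_not():  # NOT, a parenthesised group, or a single term
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "NOT":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            pos += 1  # skip the closing ")"
            return val
        return found(tok.strip('"'))
    parse_and = lambda: chain("AND", parse_not)
    parse_or = lambda: chain("OR", parse_and)  # assumed precedence: NOT > AND > OR
    return parse_or()

def apply_rules(rules, message):
    """Names of the rules that fire, in list order; one rule's conditions are ANDed."""
    fired = []
    for name, conditions, evaluate_others in rules:
        if all(matches(e, message.get(f, "")) for f, e in conditions):
            fired.append(name)
            if not evaluate_others:  # assumed meaning of "Evaluate other rules"
                break
    return fired

# Constructed sample: (name, [(field, condition)], evaluate_other_rules)
RULES = [
    ("log-lottery", [("body", '("free" OR "lottery") AND ("win" OR "buy")')], True),
    ("block-exe", [("attachment", '".com" OR ".exe"')], False),
    ("never-reached", [("subject", '"invoice"')], False),
]
```
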