EMSX - Antispam Engine - custom rules

[fabio75 2]

Hello!

 

Is there a tech guide where I can find some more help? I want to understand how to use antispam rules.

 

I cannot find any help about to build my own custom rules files.

 

...is there a more verbose manual than this??? 

 

Is it possible to give a negative offset to those emails containing some words o phrases?

 

Ex: I want that all emails containing "this phrase is good" to be more easily considered as HAM. Is it possible?

 

Thank you,

 

Fabio

Edited June 10, 2013 by fabio75

[drewd 6]

I see that you are asking about using text strings to identify non legitimate email as SPAM.

 

EMSX allows you to setup User-defined rules from within the EMSX GUI, that can filter SPAM and malware based on many different variables:

 

You can specify conditions, such as text strings, that when detected will result in certain actions being performed, such as the email being placed into the system quarantine, or certain types of attachments being deleted.

 

Here is some additional information regarding creating, and using User-defined rules to filter SPAM and malware, from the documentation that you referenced previously:

 

hxxp://download.eset.com/manuals/eset_emsx_45_userguide_enu.pdf

 

1.4.3     Application of user-defined rules

Protection based on user-defined rules is available for scanning with both the VSAPI and the transport agent. You
can use the ESET Mail Security user interface to create individual rules that may also be combined. If one rule uses
multiple conditions, the conditions will be linked using the logical operator AND. Consequently, the rule will be
executed only if all its conditions are fullfilled. If multiple rules are created, the logical operator OR will be applied,
meaning the program will run the first rule for which the conditions are met.
In the scanning sequence, the first technique used is greylisting - if it is enabled. Consequent procedures will always
execute the following techniques: protection based on user-defined rules, followed by an antivirus scan and, lastly,
an antispam scan

 

3.1.2     Rules

The Rules menu item allows administrators to manually define email filtering conditions and actions to take with
filtered emails. The rules are applied according to a set of combined conditions. Multiple conditions are combined
with the logical operator AND, applying the rule only if all the conditions are met. The Number column (next to
each rule name) displays the number of times the rule was successfully applied.

Add... - adds a new rule
Edit... - modifies an existing rule
Remove - removes selected rule
Clear - clears the rule counter (the Hits column)
Move up - moves selected rule up in the list
Move down - moves selected rule down in the list
Unchecking a check box (to the left of each rule name) deactivates current rule. This allows for the rule to be
reactivated again if needed.
 

NOTE: You can also use system variables (e.g., %PATHEXT%) when configuring Rules.
 

NOTE: If a new rule has been added or an existing rule has been modified, a message rescan will automatically start
using the new/modified rules.
 

3.1.2.1     Adding new rules
 

This wizard guides you through adding user-specified rules with combined conditions.
NOTE: Not all of the conditions are applicable when the message is scanned by the transport agent.
By target mailbox applies to the name of a mailbox (VSAPI)
By message recipient applies to a message sent to a specified recipient (VSAPI + TA)
By message sender applies to a message sent by a specified sender (VSAPI + TA)
By message subject applies to a message with a specified subject line (VSAPI + TA)
By message body applies to a message with specific text in the message body (VSAPI)
By attachment name applies to a message with a specific attachment name (VSAPI + TA)
By attachment size applies to a message with an attachment exceeding a defined size (VSAPI in Exchange 2000
and 2003, VSAPI + TA in Exchange 2007 and 2010)
By frequency of occurrence applies to objects (email body or attachment) where the number of occurrences
within the specified time interval exceeds the specified number (TA with VSAPI disabled). This is particularly
useful if you are constantly spammed with emails with the same email body or the same attachment
By attachment type applies to a message with an attachment of specified file type (actual file type is detected
by its contents, regardless of file extension) (VSAPI)
When specifying the conditions above (except the By attachment size condition), it is sufficient to fill in only part
of a phrase as long as the Match whole words option is not selected. Values are not case-sensitive, unless the
Match case option is selected. If you are using values other than alphanumerical characters, use parentheses and
quotes. You can also create conditions using the logical operators AND, OR and NOT.
 

NOTE: The list of available rules depends on installed version of Microsoft Exchange Server.
 

NOTE: Microsoft Exchange Server 2000 (VSAPI 2.0) only evaluates displayed sender/recipient name and not the
email address. Email addresses are evaluated starting with Microsoft Exchange Server 2003 (VSAPI 2.5) and higher.
 

Examples of entering conditions:
By target mailbox: smith
By email sender:  smith@mail.com
By email recipient: “J.Smith” or “smith@mail.com”
By email subject: “ ”
By attachment name: “.com” OR “.exe”
By email body: (“free” OR “lottery”) AND (“win” OR “buy”)
3.1.2.2     Actions taken when applying rules
This section allows you to select actions to take with messages and/or attachments matching conditions defined in
rules. You can take no action, mark the message as if it contained a threat/spam or delete the whole message.
When a message or its attachment matches the rule conditions, it is not scanned by the antivirus or antispam
modules by default, unless scanning is enabled explicitly by selecting the respective check boxes at the bottom (the
action taken then depends on the antivirus/antispam settings).
No action – no action will be taken with the message
Take action for uncleaned threat - the message will be marked as if it contained an uncleaned threat
(regardless of whether it contained the threat or not)
Take action for unsolicited email - the message will be marked as if it were spam (regardless of whether it is
spam or not). This option will only work if antispam protection  is enabled and the action is being performed
on transport agent level. Otherwise this action will not be performed
Delete message – removes the entire message with content that meets the conditions, however this action only
works on VSAPI 2.5 and newer (VSAPI 2.0 and older cannot perform this action)
Quarantine file - attached file(s) that meet the rules criteria will be put into file quarantine of ESET Mail Security,
do not confuse this with the mail quarantine (for more information about mail quarantine see  Message
quarantine )
Submit file for analysis - sends suspicious attachments to the ESET lab for analysis
Send event notification - sends a notification to the administrator (based on settings in Tools > Alerts and
notifications)
Log - writes information about the applied rule to the program log
Evaluate other rules - allows the evaluation of other rules, enabling the user to define multiple sets of conditions
and multiple actions to take, given the conditions
Scan by antivirus and antispyware protection - scans the message and its attachments for threats
Scan by antispam protection - scans the message for spam
 

NOTE: This option is available only in Microsoft Exchange Server 2000 and later with the transport agent turned
 

The last step in the new rule creation wizard is to name each created rule. You can also add a Rule comment. This
information will be stored in the Microsoft Exchange Server log.

 

 

 

 

[kmauldin 0]

Do you realize you just copied and pasted from the exact manual he said DIDN'T have enough information? You didn't even answer his question. I, too, was needing more information on rules than what the manual provided. Particularly how to use the "Evaluate other rules" action. I'm never given the option to link it to another rule when I check that box. What gives? All the manual says about it is "allows the evaluation of other rules, enabling the user to define multiple sets of conditions and multiple actions to take, given the conditions"........ Okay cool. How the heck to I link the rules? Frustrating.