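Introduction
You may find that some spammers send very large messages with no attachments in order to get past anti-spam scanning. If they can send a message that is larger than the maximum scan size of the ESA anti-spam engine, anti-spam scanning is skipped for that message. At the time of writing, unless otherwise advised, we do not recommend increasing the anti-spam maximum scan size above 2MB. As a result, messages larger than 2MB can easily bypass anti-spam in most cases.
This article explains a concept for taking action on these types of messages by using a message filter.
Requirements
- Command-line access to the Email Security Appliance (ESA).
- Basic knowledge of how to write message filters.
- Basic knowledge of regular expressions (RegEx).
Create the Message Filter
In this section we create the message filter. This message filter matches all messages that are larger than 2MB and contain no attachments:
- Open a text editor and copy/paste the following message filter: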
large_spam_no_attachment:
if ((body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
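Note: For the message filter to work, you need to create a Policy, Virus and Outbreak (PVO) quarantine whose name matches the quarantine name used in the quarantine action of the message filter. Otherwise, you must use a different action type. After you create this PVO quarantine and apply the message filter to the ESA, it is strongly recommended that you monitor the PVO quarantine and release or delete the quarantined messages as needed.
- From here, you may want to modify this message filter to fit your specific requirements. For example, if the anti-spam maximum scan size is set to 1MB, you can reduce the body size to 1MB.
- You may also want this message filter to apply only to messages from a specific sender group or listener. The following two additional examples can be used for that purpose: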
large_spam_no_attachment:
if ((recv-listener == "IncomingMail") AND (body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
large_spam_no_attachment:
if ((sendergroup != "RELAYLIST") AND (body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
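- If you want to make any other changes, I recommend reviewing the message filters section of the ESA end user guide. The guide has sections that list the conditions and actions available for use.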
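Before applying the filter, its condition can be dry-run offline against saved messages to see what it would quarantine. The following Python code is an added example, not Cisco code and not part of the original article. It assumes body-size can be approximated by the raw message length and attachment-size by the decoded size of MIME parts that carry a filename or an attachment disposition; the function names and sample messages are constructed for illustration.

```python
# Added example: offline dry run of the filter's condition on saved messages.
from email import message_from_bytes, policy
from email.message import EmailMessage

SCAN_LIMIT = 2097152  # bytes; same threshold as body-size in the filter


def attachment_bytes(msg):
    """Decoded size of MIME parts that carry a filename or attachment disposition."""
    total = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            total += len(part.get_payload(decode=True) or b"")
    return total


def would_quarantine(raw, limit=SCAN_LIMIT):
    """Approximate (body-size > limit) AND NOT (attachment-size > 0)."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Assumption: body-size is taken as the length of the whole raw message.
    return len(raw) > limit and not attachment_bytes(msg) > 0


def build_sample(body_len, attach_len=0):
    """Constructed test message; addresses and content are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content(("x" * 76 + "\n") * (body_len // 77 + 1))
    if attach_len:
        m.add_attachment(b"\0" * attach_len, maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "padded, no attachment": build_sample(2_300_000),
        "padded, with attachment": build_sample(2_300_000, 1024),
        "small, no attachment": build_sample(2_000),
    }
    for name, raw in samples.items():
        print(f"{name}: {len(raw)} bytes, quarantine={would_quarantine(raw)}")
```

If the anti-spam maximum scan size on the appliance is set to 1MB, pass `limit=1048576` to match the adjusted filter.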
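Apply the Message Filter to the ESA
In this section we apply the message filter created in the previous section to the ESA. Message filters can only be applied to the ESA through the command line, so you need command-line access to the ESA.
- Log in to the ESA through the command line.
- Run the following commands to apply the message filter to the ESA: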
ironport.example.com> filters
Choose the operation you want to perform:
- NEW - Create a new filter.
- IMPORT - Import a filter script from a file.
[]> NEW
Enter filter script. Enter '.' on its own line to end.
large_spam_no_attachment:
if ((body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
.
1 filters added.
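- At this point, you may want to review the message filter and make sure that it is active and valid. You can do so by running the following commands: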
ironport.example.com> filters
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> LIST
Num Active Valid Name
1 Y Y large_spam_no_attachment
Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.
[]> DETAIL
Enter the filter name, number, or range:
[]> 1
Num Active Valid Name
1 Y Y large_spam_no_attachment
large_spam_no_attachment: if ((body-size > 2097152) AND NOT (attachment-size > 0)) {
quarantine("large_spam");
log-entry("*****This is a large message with no attachments*****");
}
- Run the commit command and add any relevant commit comments:
ironport.example.com> commit
Please enter some comments describing your changes:
[]> Applied large_spam_no_attachment message filter
Additional Resources
ESA User Guide