Filtering

Dr.Web provides a filtering system that reduces the server load during spam attacks by removing unnecessary messages from the server transport system before they are checked for viruses and spam. Effective filtering requires an optimal set of filtering rules with no contradictory or redundant rules.

Before filtering, the group to which the sender of the message belongs is identified. If the sender belongs to one of the created groups, the filtering rules specified in the profile corresponding to this group are applied to the message. If the sender does not belong to any group, the settings of the Default profile are applied to the message. Therefore, to apply a filtering rule to all messages from senders not included in any group, create this rule in the Default profile settings.

If the sender profile does not contain any limits, the message is filtered by the rules created for the recipients' addresses. Every address in the recipients list belongs to its own group (an AD group or a list of email addresses), and every group has its own profile assigned to it. The profile with the highest priority is applied. Therefore, if you want to set limitations on a created group of recipients, do not create filtering rules in the Default profile, but create a separate profile and assign it to this group.

Attention!

If it is necessary to create specific groups of recipients without any limits imposed by filtering, do not configure filtering rules in the Default profile: if a message is filtered by the filters set for senders, it is excluded from further processing by the recipient filters.

First, every message is processed by the anti-spam transport agent. At this stage the filtering rules are applied to the message as a whole. Messages are filtered by the number of senders and recipients, by subject, number of attachments, etc. After the filtering, unfiltered messages are checked for spam (see Scheme 1).

After checking for spam, the message is processed by the anti-virus agent. At this stage the filtering rules are applied to the message as a set of files; the message body is also treated as a file. Messages are filtered by file size, name, extension, etc. After the filtering, unfiltered messages are checked for viruses (see Scheme 1).

Scheme 1. Filtering messages in the transport system

The traffic filtering is configured in the Filtering pane (see Figure 5). Filters are applied according to certain rules which can be added by the administrator. These rules determine the conditions for the filtering by the properties of messages and their attachments.

Figure 5. Filtering pane

If you are working with the Filtering component for the first time, the list of rules will be empty. You can create and configure filtering rules.

To configure message filtering

1. Select Enable filtering at the top of the Filtering pane. This makes the parameters in the section available for editing.

You can apply filtering rules to the source, to the recipient, or to both.
For example, you can create a rule for message subjects that include the word “Attention”. If you set this rule for the source only, you will not be able to send messages with the word “Attention” in the subject. If you set this rule for the recipient, you will not be able to receive messages with the word “Attention” in the subject. If you set this rule for both source and recipient, you will not be able to receive or send messages with the word “Attention” in the subject.

2. Enable one or more filters from the list by selecting the corresponding check boxes. If the list of filters is empty, you can create them.

3. Select the actions for email messages with attachments in the Attachment settings section.

For the messages, you can select one of the following actions:

Delete—to delete the message.

Add prefix to subject—to let the message through and add to its subject the prefix specified in the Subject prefix field.

For attachments, the following actions are available:

Move to quarantine—to isolate the attachment in quarantine.

Delete—to delete the attachment.

In the Subject prefix field, specify the prefix added to the subject of the filtered message. The default prefix is ***FILTERED***.

In the File name suffix field, specify the suffix added to the name of the text file attached to the filtered message. The default suffix is _filtered.txt.

In the File contents field, enter the text of the file added to the filtered message. While editing the text, you can add macros from the Macros drop-down list.

To create a filtering rule

1. Click Add under the filters list. A Filter rule window will open (see Figure 6). You can enter the name of the rule and specify its conditions in this window.

Figure 6. Configure filtering rule

2. You can add one or more filtering conditions and specify whether messages must comply with all of them or with any of them. To add a condition, click Add. In the new window, select the condition type, specify the value and the type of compliance with the specified value. The types of conditions, compliance and possible values are listed in the table below:

| Condition type | Compliance type | Value |
|---|---|---|
| Data type | Equals; Does not equal | File; Message |
| Data source | Equals; Does not equal; Contains; Does not contain; Matches; Does not match | Specified manually |
| Data recipient | Equals; Does not equal; Contains; Does not contain; Matches; Does not match | Specified manually |
| Protocol | Equals; Does not equal | SMTP; MAPI |
| Number of recipients | Equals; Does not equal; Greater than; Less than or equal to; Less than; Greater than or equal to | Specified manually |
| File name | Equals; Does not equal; Contains; Does not contain; Matches; Does not match | Specified manually |
| File size | Equals; Does not equal; Greater than; Less than or equal to; Less than; Greater than or equal to | Specified manually (in bytes) |
| Message subject | Equals; Does not equal; Contains; Does not contain; Matches; Does not match | Specified manually |
| Has attachment | Equals; Does not equal | True; False |

If one of the Contains, Does not contain, Matches or Does not match compliance types is selected for any of the Data source, Data recipient, File name or Message subject conditions, you can use the wildcard characters "*" and "?" in the entered text value to substitute a sequence of characters or a single character, respectively.

You can also use the File name condition to filter attached files by extension. For example, exe, bat, pif, com, vbs, scr, lnk, ps1, PSD1, PSM1, DOTM, PPSM, POTM, XLTM, XLAM, etc.

The filter is case insensitive. When specifying a value, you can use uppercase and lowercase characters.

3. To delete or edit any of the specified conditions, select it in the list and click Delete or Edit respectively.

Figure 7. Example of the file size filtering rule

Figure 8. Example of the file name filtering rule

Figure 9. Example of the subject filtering rule

To edit or delete an existing filtering rule

Select the rule in the list of filters and click Edit or Delete under the list.

Click Save when you are done configuring the filtering rules.

Attention!

In some cases, filtering may affect the mail system performance, so the following actions are recommended:

Add service mailboxes to the exclusions list set by the TrustedEmails parameter. The system mailbox accounts are stored in Active Directory and their names begin with "HealthMailbox".

Do not create filters that delete small files (less than 1000 bytes), so that notifications are not filtered. Otherwise, you may encounter "looping", when a notification is refiltered over and over.
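
The condition logic from the rule-creation procedure (compliance types, "*" and "?" wildcards, case insensitivity, all/any combination) and the looping caveat above can be checked offline before a rule is saved. The following Python model is an added example, not Dr.Web code. Assumptions: "Matches" compares the whole value while "Contains" searches inside it, extensions are expressed as "*.ext" patterns, and the rule dictionaries, the probe file name and the `hits_notification` helper are hypothetical.

```python
import re

def wildcard_regex(pattern):
    """'*' stands for any run of characters, '?' for exactly one."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)

# Assumption: "Matches" compares the whole value, "Contains" searches inside it.
TEXT_OPS = {
    "Equals": lambda v, p: v.lower() == p.lower(),
    "Contains": lambda v, p: bool(re.search(wildcard_regex(p), v, re.I | re.S)),
    "Matches": lambda v, p: bool(re.fullmatch(wildcard_regex(p), v, re.I | re.S)),
}
NUM_OPS = {
    "Equals": lambda v, n: v == n,
    "Greater than": lambda v, n: v > n,
    "Less than": lambda v, n: v < n,
    "Greater than or equal to": lambda v, n: v >= n,
    "Less than or equal to": lambda v, n: v <= n,
}
NEGATED = {"Does not equal": "Equals", "Does not contain": "Contains",
           "Does not match": "Matches"}

def condition_holds(cond, item):
    """cond is (condition type, compliance type, value) as in the table."""
    ctype, op, value = cond
    ops = NUM_OPS if isinstance(value, int) else TEXT_OPS
    return ops[NEGATED.get(op, op)](item[ctype], value) != (op in NEGATED)

def rule_matches(rule, item):
    """mode 'all': every condition must hold; mode 'any': one is enough."""
    combine = all if rule["mode"] == "all" else any
    return combine(condition_holds(c, item) for c in rule["conditions"])

def hits_notification(rule, suffix="_filtered.txt"):
    """Looping check: would the rule also catch a small notification file?"""
    probe = {"File name": "report.docx" + suffix, "File size": 400}  # constructed
    return rule_matches(rule, probe)

# Constructed rules for illustration.
block_scripts = {"mode": "any", "conditions": [
    ("File name", "Matches", "*.exe"), ("File name", "Matches", "*.ps1")]}
large_macros = {"mode": "all", "conditions": [
    ("File name", "Matches", "*.xl?m"), ("File size", "Greater than", 1000000)]}
small_files = {"mode": "all", "conditions": [("File size", "Less than", 1000)]}

if __name__ == "__main__":
    for name, rule in [("block_scripts", block_scripts), ("small_files", small_files)]:
        print(name, "would refilter notifications:", hits_notification(rule))
```

A rule for which `hits_notification` returns True is the kind the recommendation above warns about: it would match the small text file attached to an already filtered message.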