This discussion has been locked.

Does anyone know if there is a way to block emails that contain certain words or phrases in the subject in Email Gateway?

Here is a small example of what was delivered to my inbox in 1 day.   All clearly Spam, but not quarantined.   



  • Hi Julia,

    I'm assuming you're referring to the SEA appliance.. 

    first thing, please have a look at my kb for spam settings.. can be found here: https://community.sophos.com/kb/en-us/120802

    in particular ensure your medium and high spam rules don't have any inclusions/exceptions and delay queue.

    if all of your settings are correct I would ensure that the appliance has proper dns configured and that it is free to get out to the internet as well as has access to do dns queries (port 53 access out)

     

    if all of this is addressed I would say, go to the recipients terminal, create a new email addressed to is-spam@labs.sophos.com drag / drop all of the spam as .eml attachments and send it off  (ensure you bypass outbound spam checking if enabled)

     

    then open a support case so the engineer can review / escalate the samples as necessary. 

     

    as for your original question, there are several ways to scan subjects.. (however I do not recommend it) as if you get into this way of thinking in regards to spam, you will spend your entire life trying to chase down spam.. and or creating rules that may trigger on legitimate email.

     

    I would use a data control rule..

    rule type: messages matching specific words or phrases

    check off enable advanced

    next

    rule config:

    click regular expression

    add:  .*

    next

    message attributes

    header

    name: Subject

    (with a capital S)

    check off matches regular expression

    value: \b text to match \b

    (you could also use sub-string match if you're not up on regex however be very very very careful with it.. the format is via email globs .. so a * means any number of words)

    apply

    yes and next to everything, name it save it.. 

    I do not recommend using "delete" as an action, there is NO recycle bin.. once it's deleted it's gone forever. 

     

    again this is not recommended..  the best solution is to ensure that the appliance is updated, spam rules are correct and the appliance is not being web/ips filtered as it often does dns look ups on mail and needs the freedom to get out.

     

    If you're using another product such as an xg/utm or similar.. scanning is more limited in this respect.

  • Thank you for your reply.   Not long after I had posted the question, I saw that Sophos had just released the Keywords section in the policy settings in Email Gateway, which should do exactly what I was asking about.   Add a word or phrase to be blocked and apply it.   However, it does not work!    I added words and phrases to be blocked, and a couple of hours later I received an email in my inbox (not even the junk box) containing the exact words in the subject.  

    Maybe it takes longer than a few hours to become active?

  • Hi Julia,

    Policy changes are applied when the milter process restarts.. this process can take up to 7-10 mins but is usually completed within a couple of mins.  there are essentially two areas you can do keyword rules.. in data control.. and additional policy .. if you're doing a simple rule, perhaps try an additional policy rule instead.

     

    just note that wild cards are based on "glob" matches not regular expressions.. so if you use * for example.. it will match anything.. IE *house  would match anything that contains house.. ie: lighthouse, bighouse, houseboat .. the other option is to match as much of the sentence as possible .. the big house by the sea  .. or something would reduce false positives.

     

    again though, if you are trying to make keyword rules to match against spam.. chances are there is something wrong with policy, dns or the appliance is being web filtered..  In general I would only ever use a keyword to search for a header.. ie company-confidential for encryption .. or other x-headers. 

     

    If you need help I would open a support case as it will be easier to help you out.  if needed pm your support case, appliance serial number and the exact rule you're trying to make.
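
The difference between a glob substring rule and a `\b ... \b` regular-expression rule on the Subject header, as discussed in the replies above, shown as an added example that is not part of the thread and not Sophos code. Python's `fnmatch` and `re` stand in for the appliance's matchers (an assumption about their semantics), and the sample messages are constructed; running a candidate rule over known-good subjects like this shows its false positives before it is applied with a quarantine action.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from fnmatch import fnmatchcase

# Constructed sample messages (headers only); none come from the thread.
SAMPLES = [
    "Subject: Visit the lighthouse this weekend\n\nbody",
    "Subject: Your houseboat rental is confirmed\n\nbody",
    "Subject: Open house on Friday\n\nbody",
    # Same subject as above, sent as an RFC 2047 base64 encoded-word.
    "Subject: =?utf-8?B?T3BlbiBob3VzZSBvbiBGcmlkYXk=?=\n\nbody",
    "Subject: Quarterly report attached\n\nbody",
]

GLOB_RULE = "*house*"                                  # sub-string style glob
REGEX_RULE = re.compile(r"\bhouse\b", re.IGNORECASE)   # whole-word regex


def subject_of(raw):
    """Return the Subject header with RFC 2047 encoded-words decoded."""
    msg = message_from_string(raw)
    return str(make_header(decode_header(msg.get("Subject", ""))))


def evaluate(raw_messages):
    """Return (decoded subject, glob hit, regex hit) for each message."""
    rows = []
    for raw in raw_messages:
        subject = subject_of(raw)
        glob_hit = fnmatchcase(subject.lower(), GLOB_RULE)
        regex_hit = bool(REGEX_RULE.search(subject))
        rows.append((subject, glob_hit, regex_hit))
    return rows


def glob_only_hits(rows):
    """Subjects the glob catches but the word-boundary regex does not."""
    return [s for s, glob_hit, regex_hit in rows if glob_hit and not regex_hit]


if __name__ == "__main__":
    results = evaluate(SAMPLES)
    for subject, glob_hit, regex_hit in results:
        print(f"glob={glob_hit!s:5} regex={regex_hit!s:5} {subject}")
    print("glob-only (likely false positives):", glob_only_hits(results))
```

The example decodes encoded-word subjects before matching; whether the appliance does the same is not stated in the thread.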