Message Characteristics

'To' Address

Analyze the To headers in the message. To analyze all message recipients, including Cc and Bcc recipients, use the Recipient's address test.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Always Match

Do not analyze the message. This test is always true. The action is performed regardless of the message characteristics.

Attachment name

Analyze the Content-Type and Content-Disposition headers and, when using true file type identification, the contents of the files themselves. This test determines the filename of each message attachment. Expands the %%ATTACHMENT_NAMES%% template variable.

The Arguments button exposes the following options:

  • Use true file type identification for filename extensions: Modifies the test to use true file type detection for filename extensions. The files themselves are examined, as well as the filenames shown in the Content-Type and Content-Disposition headers. Archives are automatically expanded, so that files within other files can be tested. PureMessage will search as many levels as necessary (up to a configured maximum) to find specified file types. The maximum recursion depth is set in /opt/pmx6/etc/tft.conf.

    Tests for document types should use the application-specific file extension (such as .doc or .xls). To view a list of extensions that PureMessage supports, run:

    pmx-list-true-filetypes --verbose
  • Match-type: The match operator. For a description of the options in the drop-down list, see the "Operators" section.
  • Match values: The file type(s) to match.
Note
Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "Message failed to scan" test within the "Attachment name" test to specify how unscannable messages are handled.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Attachment size

Analyze the size of each message attachment. This test applies to any MIME attachment, including text/plain and text/html message body parts. Expands the %%ATTACHMENT_NAMES%% template variable.

Attachment true filetype

Scan the content of message attachments, including archived attachments such as .zip and .tgz files. Archives are automatically expanded so that files within other files can be tested. PureMessage searches as many levels as necessary (up to a configured maximum) to find specified file types. The maximum recursion depth is set in /opt/pmx6/etc/tft.conf. Expands the %%ATTACHMENT_NAMES%% template variable.

The advantage of using this test instead of the similar Attachment type and Attachment name tests is that the action is performed only when the actual content of a file is a true match for a type specified in this test. The Attachment type test, by contrast, performs the action when the message's Content-Type header matches, even if that header does not describe the real contents of the file. A message could therefore appear to contain a Microsoft Word attachment because the declared type and file extension say so, while the attachment is actually a JPEG image.

This test can be used to detect specific file types or groups of file types. To view a list of supported file groupings, run:

pmx-list-true-filetypes

To view the specific file extensions within those groupings, run:

pmx-list-true-filetypes --verbose
Important
When using this test, you should specify the appropriate true filetype definition (as displayed in the list of groupings) for the match-type. For example, if you wanted to perform an action on all variations of Microsoft Word files ranging from Word 95 to the most recent Word document extensions, you could specify Contains as the match-type and Document/Microsoft Word as the match value. Or, to create a rule that applies the same actions to any message with an attached image, you could specify Contains as the match-type and Image/ as the match value.
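The difference between a declared type and a true type, and the archive recursion with its depth limit, as an added Python example. This is not PureMessage code: the magic-byte table, the group labels (modelled on the Group/Type form shown above but not taken from pmx-list-true-filetypes), the "Unscannable/" markers and the sample message are this example's own assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

# Magic-byte table and group labels are this example's own; the groupings
# PureMessage actually ships are listed by pmx-list-true-filetypes.
MAGIC = [
    (b"\xff\xd8\xff", "Image/JPEG"),
    (b"\x89PNG\r\n\x1a\n", "Image/PNG"),
    (b"%PDF-", "Document/PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Document/Microsoft Office (OLE)"),
    (b"PK\x03\x04", "Archive/Zip"),
    (b"MZ", "Executable/Windows"),
]

# What a filename extension claims the file is (example labels again).
EXT_GROUP = {
    ".jpg": "Image/JPEG", ".jpeg": "Image/JPEG", ".png": "Image/PNG",
    ".pdf": "Document/PDF", ".doc": "Document/Microsoft Office (OLE)",
    ".xls": "Document/Microsoft Office (OLE)", ".zip": "Archive/Zip",
    ".exe": "Executable/Windows",
}


def true_filetype(data: bytes) -> str:
    """Classify by leading bytes only, ignoring name and declared MIME type."""
    for magic, group in MAGIC:
        if data.startswith(magic):
            return group
    return "Unknown/"


def walk_files(name, data, max_depth, depth=0):
    """Yield (path, group) for a file and, if it is a zip, for every member,
    recursing until max_depth (the role of the tft.conf recursion limit).
    Anything that cannot be inspected is reported as Unscannable/..., not skipped."""
    group = true_filetype(data)
    yield name, group
    if group != "Archive/Zip":
        return
    if depth >= max_depth:
        yield name + "!", "Unscannable/depth-limit"
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # encrypted member: cannot look inside
                    yield path, "Unscannable/encrypted"
                    continue
                yield from walk_files(path, zf.read(info), max_depth, depth + 1)
    except zipfile.BadZipFile:
        yield name + "!", "Unscannable/corrupt-archive"


def analyze_attachments(msg, max_depth=2):
    """(path, declared Content-Type, true group) for every attachment and
    for every file found inside attached archives."""
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        for path, group in walk_files(name, data, max_depth):
            results.append((path, part.get_content_type(), group))
    return results


def mismatched_attachments(msg):
    """Attachments whose extension claims one group while the bytes are
    another: the falsified-extension case described above."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        claimed = EXT_GROUP.get(ext)
        actual = true_filetype(part.get_payload(decode=True) or b"")
        if claimed and claimed != actual:
            out.append((name, claimed, actual))
    return out


def matches_group(msg, prefix, max_depth=2):
    """A 'Contains' match on a group such as 'Image/' or 'Executable/'. Like the
    real test, it is also true when something was unscannable, which is why the
    policy should pair it with a 'Message failed to scan' check."""
    return any(g.startswith(prefix) or g.startswith("Unscannable/")
               for _, _, g in analyze_attachments(msg, max_depth))


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    return buf.getvalue()


def sample_message():
    """Constructed message: a 'Word' file that is really a JPEG, a zip holding a
    zip holding a Windows executable, and a genuine PDF."""
    msg = EmailMessage()
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\0" * 16,
                       maintype="application", subtype="msword", filename="report.doc")
    inner = build_zip({"tool.exe": b"MZ" + b"\0" * 32})
    msg.add_attachment(build_zip({"readme.txt": b"hi", "inner.zip": inner}),
                       maintype="application", subtype="zip", filename="bundle.zip")
    msg.add_attachment(b"%PDF-1.4\n%%EOF", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg
```

With max_depth=2 the executable inside the nested archive is found; with max_depth=1 the nested archive is reported as unscannable instead, and matches_group() still returns true for it. That is the behaviour the Note below describes, and it is the reason an "Executable/" rule that silently treats unscannable as a match needs an explicit decision for the unscannable case.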

The Arguments button exposes the following options:

  • Match-type: The match operator. For a description of the options in the drop-down list, see the "Operators" section.
  • Match values: The file type(s) to match.
Note
Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "Message failed to scan" test within the "Attachment true filetype" test to specify how unscannable messages are handled.

Attachment type

Analyze the Content-Type and Content-Disposition headers and, when using true file type identification, the contents of the files themselves. This test determines the type of each message attachment. Expands the %%ATTACHMENT_NAMES%% template variable.

The Arguments button exposes the following options:

  • Use true file type identification for file type: Modifies the test to use true file type detection. The file itself is examined in addition to the declared Content-Type and Content-Disposition headers. Archives are automatically expanded, so that files within other files can be tested. PureMessage searches as many levels as necessary (up to a configured maximum) to find specified file types. The maximum recursion depth is set in /opt/pmx6/etc/tft.conf.

    Tests for attachment types should use the MIME type. For a complete list of the MIME types that PureMessage supports, run:

    pmx-list-true-filetypes --verbose
  • Match-type: The match operator. For a description of the options in the drop-down list, see the "Operators" section.
  • Match values: The string or string list of file types to match.
Note
Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "Message failed to scan" test within the "Attachment type" test to specify how unscannable messages are handled.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Body size

Analyze the size of the body of the message.

Content-Type

Analyze the value of Content-type headers in the message.

Envelope from

Analyze the Envelope From value in the message.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Envelope group

Analyze the Sender or Recipient(s) Group(s), depending on the message's direction, and match them against the specified group.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Envelope to

Analyze the Envelope To value in the message. Specify individual recipients or lists of recipients. Note, however, that if a message addressed to several recipients tests true, the specified actions are performed for all of its recipients, not only for the ones that matched. If, for example, a message with an attachment is addressed to five recipients, two of which match a list specified in the "Envelope to" test, and a "Drop attachment" action is also specified, none of the five recipients receive the attachment.

Important
When using this test in conjunction with email addresses that have been associated as part of a Recipient aliases map, you must ensure that the Envelope To value specified here matches the "Map To" portion of the address map. For example, if service@example.com has been mapped to joe@example.com, then the Envelope To address is joe@example.com. For more information, see "Address Maps" in the Policy Rules section of the Administrator's Reference.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Header contains word or phrase

Check the header for a specified word or phrase.

The Arguments button exposes the following options:

  • Comparator: Controls case sensitivity. If the check box is not selected, or the field is left empty, the match is case insensitive. To make the match case sensitive, select the check box and enter i;octet.
  • Match-type: The match operator. For a description of the options in the drop-down list, see the "Operators" section.
  • Header names: The specific email headers in which to search.
  • Match values: The string or list of strings to search for.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Header exists

Check for the occurrence of a specific header.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Header size

Analyze the size of the message header.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Message contains a virus

Scan the message for any viruses.

Message contains credit card number

Scan the message for numeric sequences in the formats used by major credit cards. Candidate sequences are validated with the Luhn algorithm, a checksum formula that rejects most runs of digits that are not card numbers. Supported credit cards are American Express, MasterCard, Visa, Visa Electron, Discover Card, Diners Club, and China Union Pay.

The creditcard_number_limit setting in /opt/pmx6/etc/creditcard.conf determines how many numeric sections PureMessage will scan in a given message. By default, PureMessage scans nine separate sections of numbers that might contain credit card numbers before proceeding to the next stage of processing.

You can configure the scan failure actions for this test in /opt/pmx6/etc/scanlimit.d/phrase.conf.

The Arguments button exposes the following options:

  • Search attachments: When selected, this test also matches inside of attachments, including attachments contained in .tgz and .zip files. For example, it can detect a phrase that appears in an .xls file, which is embedded in a .doc file that is inside a .zip file.
  • Search all attachments, even after a match: When specified along with the Search attachments option, this test scans all attachments regardless of whether a match is found. If you only specify Search attachments, the associated action is performed as soon as the first match is found, so any remaining attachments are not scanned. This is a concern if you are combining the "Message contains credit card number" test with actions such as "Drop attachment" because only the attachment in which the first match occurred would be dropped; the remainder would be delivered, regardless of their contents.
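The Luhn check, the number limit and the first-match behaviour of the two arguments above, as an added Python example. This is not PureMessage code: the issuer prefix and length rules are this example's own approximation of the brands listed above, the number_limit parameter stands in for creditcard_number_limit, the sample message is constructed for the example, and only text parts are searched (PureMessage also extracts text from formats such as .xls and .doc).

```python
import re
from email.message import EmailMessage

# Issuer prefix/length rules: an approximation assumed for this example.
BRANDS = [
    ("American Express", ("34", "37"), (15,)),
    ("Visa Electron", ("4026", "417500", "4508", "4844", "4913", "4917"), (16,)),
    ("Visa", ("4",), (13, 16, 19)),
    ("MasterCard", tuple(str(p) for p in range(51, 56))
                   + tuple(str(p) for p in range(2221, 2721)), (16,)),
    ("Discover", ("6011", "65") + tuple(str(p) for p in range(644, 650)), (16,)),
    ("Diners Club", ("36", "38") + tuple(str(p) for p in range(300, 306)), (14,)),
    ("China UnionPay", ("62",), (16, 17, 18, 19)),
]

# A "numeric section": 13-19 digits, optionally separated by single spaces
# or hyphens, and not part of a longer run of digits.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require a total divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Issuer whose prefix and length rules the digit string satisfies, or None."""
    for name, prefixes, lengths in BRANDS:
        if len(digits) in lengths and digits.startswith(prefixes):
            return name
    return None


def find_card_numbers(text: str, number_limit: int = 9):
    """Return (hits, truncated). hits are (brand, digits) pairs that satisfy
    both the issuer rules and Luhn. Only the first number_limit numeric
    sections are examined; truncated is True when some were left unexamined."""
    hits = []
    for n, m in enumerate(CANDIDATE.finditer(text)):
        if n >= number_limit:
            return hits, True
        digits = re.sub(r"\D", "", m.group())
        brand = brand_of(digits)
        if brand and luhn_valid(digits):
            hits.append((brand, digits))
    return hits, False


def _part_text(part) -> str:
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def scan_message(msg, search_attachments=True, scan_all=False, number_limit=9):
    """Names of the parts ("body" or the attachment filename) that contain a
    card number. With scan_all=False the scan stops at the first matching part,
    which is why a "Drop attachment" action would remove only that attachment."""
    matched = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None:
            name = "body"
        elif not search_attachments:
            continue
        hits, _ = find_card_numbers(_part_text(part), number_limit)
        if hits:
            matched.append(name)
            if not scan_all:
                break
    return matched


def sample_message():
    """Constructed message: a body with a Luhn-valid but non-card number and a
    phone number, plus two text attachments each carrying a well-known test
    card number."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 expense sheet"
    msg.set_content("Order 1234567812345670 shipped; call 555-123-4567.")
    msg.add_attachment("Corporate card: 4111 1111 1111 1111\n", filename="cards-a.txt")
    msg.add_attachment("Backup card: 3782-822463-10005\n", filename="cards-b.txt")
    return msg


if __name__ == "__main__":
    print("first match only:", scan_message(sample_message()))
    print("scan all:        ", scan_message(sample_message(), scan_all=True))
```

The body's order number passes Luhn but matches no issuer rule, so it is not reported; Luhn alone is not enough to avoid false positives. When the number limit is reached with sections still unexamined the function says so, which is the situation the Note below is about: a policy that treats "not examined" the same as "no match" silently lets the rest of the message through.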
Note
Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "Message failed to scan" test within the "Message contains credit card number" test to specify how unscannable messages are handled.

Message contains suspicious attachments

Check message attachments for filenames or file extensions specified in the Suspect Attachment Names list and check Content-Type and Content-Disposition headers for attachment types specified in the Suspect Attachment Types list.

The Arguments button exposes the following options:

  • Use true file type identification: The files themselves are examined in addition to the declared Content-Type and Content-Disposition headers. Archives are automatically expanded, so that files within other files can be tested. PureMessage will search as many levels as necessary (up to a configured maximum) to find specified file types. The maximum recursion depth is set in /opt/pmx6/etc/tft.conf.

    Most common archive formats are supported. If you are creating a new rule that tests for suspect attachments, it is recommended that you specify this argument instead of the deprecated "Inspect archives" argument described below.

  • Inspect archives: Enables this test in archive files (such as .zip files) attached to messages, even if true file type identification is not enabled. The test attempts to inspect the contents of an attached archive file for files that match the suspect-attachment-names list. Only .zip archives (plain and encrypted) are supported, and only the top-level archive is inspected. If the archive contains a nested archive, the nested archive is not inspected.
Note
Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "Message failed to scan" test within the "Message contains suspicious attachments" test to specify how unscannable messages are handled.

Message contains the specified virus

Analyze the stated virus names; automatically runs the "Message contains a virus" test.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Message contains unscannable data

Returns true if virus scanning of a message fails and no virus was found in it. This test only works if it is preceded by the "Message contains a virus" test, which returns true both for messages that contain a virus and for messages that cannot be scanned for some reason (for example, because they are encrypted). Use this test to tell those two cases apart.

Specify the types of unscannable content that PureMessage will allow or deny by editing the cantscan.conf file.

Message contains word or phrase

Only the "contains" and "Matches regex" operators are recommended for this test. The "is" and "matches" operators compare the value against the entire text of the message, which is usually not what you want when looking for a particular phrase.

The Arguments button exposes the following options:

  • Search attachments: If selected, this test also matches inside of attachments, including attachments contained in .tgz and .zip files. For example, it can detect a phrase that appears in an .xls file, which is embedded in a .doc file that is inside a .zip file.
  • Search all attachments, even after a match: When specified along with the Search attachments option, this test scans all attachments regardless of whether a match is found. If you only specify Search attachments, the associated action is performed as soon as the first match is found, so any remaining attachments are not scanned. This is a concern if you are combining the "Message contains word or phrase" test with actions such as "Drop attachment" because only the attachment in which the first match occurred would be dropped; the remainder would be delivered, regardless of their contents.
  • Match-type: The match operator. For a description of the options in the drop-down list, see the "Operators" section.
  • Match values: The string or list of strings to search for.

You can set the maximum attachment size and the maximum time per message scanned in /opt/pmx6/etc/phrase.conf.
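The match operators and comparators as they apply to the "Header contains word or phrase" Comparator option and to the whole-text warning for this test, as an added Python example. It is not PureMessage's implementation: the operator names follow the ones used on this page, the two comparators are the standard Sieve ones (i;octet and the case-insensitive i;ascii-casemap), the wildcard syntax assumed for "matches" is Sieve's (* and ?), and the message is constructed for the example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header


def canon(text: str, comparator: str) -> str:
    """i;ascii-casemap folds ASCII letters only; i;octet compares raw octets."""
    if comparator == "i;octet":
        return text
    if comparator == "i;ascii-casemap":
        return "".join(c.lower() if c.isascii() else c for c in text)
    raise ValueError(f"unknown comparator {comparator!r}")


def wildcard_regex(pattern: str) -> str:
    """Sieve-style pattern: '*' is any run of characters, '?' one character."""
    out = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return "".join(out)


def match(text, value, match_type, comparator="i;ascii-casemap"):
    """Apply one operator to one string. 'is' and 'matches' must account for
    the whole string; 'contains' and 'regex' look for the value anywhere."""
    t, v = canon(text, comparator), canon(value, comparator)
    if match_type == "is":
        return t == v
    if match_type == "contains":
        return v in t
    if match_type == "matches":
        return re.fullmatch(wildcard_regex(v), t, re.DOTALL) is not None
    if match_type == "regex":
        flags = re.ASCII | re.IGNORECASE if comparator == "i;ascii-casemap" else 0
        return re.search(value, text, flags) is not None
    raise ValueError(f"unknown match type {match_type!r}")


def header_test(msg, header_names, match_type, values, comparator="i;ascii-casemap"):
    """'Header contains word or phrase': true if any listed header, after
    RFC 2047 decoding, satisfies the operator for any of the values."""
    for name in header_names:
        for raw in msg.get_all(name, []):
            decoded = str(make_header(decode_header(raw)))
            if any(match(decoded, v, match_type, comparator) for v in values):
                return True
    return False


def body_test(body, match_type, value, comparator="i;ascii-casemap"):
    """'Message contains word or phrase' over the whole body text."""
    return match(body, value, match_type, comparator)


# Constructed message with an RFC 2047 encoded Subject, as an MTA would
# deliver it; the X-Original-Subject header is invented for the example.
RAW = """\
From: accounts@example.com
To: bob@example.com
Subject: =?utf-8?q?Re=3A_INVOICE_=23123?=
X-Original-Subject: Re: invoice #123
Content-Type: text/plain; charset=utf-8

Please treat the attached figures as confidential.
Regards
"""


def sample_message():
    return message_from_string(RAW)
```

Two things the example makes visible: an encoded header must be decoded before the comparison, or "invoice" will never be found inside "=?utf-8?q?...?="; and with "is" or "matches" the value has to describe the entire text, so "confidential" alone fails against the body while "*confidential*" succeeds.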

Note
Because this test also returns true whenever PureMessage is unable to scan a message, you should use the "Message failed to scan" test within the "Message contains word or phrase" test to specify how unscannable messages are handled.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Message failed to scan

Returns true if a message could not be scanned. This test is only available for use within the following content tests: Attachment name, Attachment true filetype, Attachment type, Message contains credit card number, Message contains word or phrase, or Message contains suspicious attachments.

This test is mainly used to differentiate between messages that cannot be scanned for some reason (for example, an unrecognized file type) and messages that contain undesired content, since both cause the content tests listed above to return true. The kinds of unscannable content that PureMessage should allow or deny can be specified by editing the files in /opt/pmx6/etc/scanlimit.d/. To configure unscannable content options for the Message contains word or phrase and Message contains credit card number tests, use /opt/pmx6/etc/scanlimit.d/phrase.conf. For the attachment tests, use /opt/pmx6/etc/scanlimit.d/tft.conf.

Message has offensive content

Analyze the visible text in a message; compare it to the contents of the Offensive Words List. This test decodes base64/quoted-printable encoded text and strips out HTML markup before looking for a match.

Message is from blocked IP

Checks the sender's IP address against IP blocklist data from SophosLabs. IP addresses defined in the IP Blocking Exception, Trusted Relay IPs and Internal Hosts lists are exempted.

This test is a policy-level alternative to MTA-level IP blocking. It is only effective if the IP Blocker Service is running. Using this test in the policy allows more flexibility in handling messages from blocked IP addresses, but it is not as efficient as rejecting the messages at the MTA level.

Even if you choose to block IP addresses at the policy level, it is still recommended that you enable the expanded IP-blocking functionality described in "Enabling or Disabling MTA IP Blocking" in the Local Services Tab section of the Manager Reference.

Message size

Analyze the total message size.

Never match

Do not analyze the message. This test is always false, so the associated action is never performed, regardless of the message characteristics.

Number of attachments

Analyze the total number of message attachments.

Number of recipients

Analyze the total number of message recipients.

Percentage of 8-bit characters

Analyze the proportion of 8-bit (non-ASCII) characters in the message body. Use it to check whether a message is 7-bit clean (pure ASCII).

Received header

Analyze the Received headers in the message.

Recipient's address

Analyze the To, Cc and Bcc headers in the message.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Relay

Analyze the hostname or IP address of the server that passed the message to the local domain.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Reply-to header

Analyze the Reply-to headers in the message.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Sender's address

Analyze the From headers in the message.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Spam probability

Calculate the message's spam probability. If a message passes through several Spam probability tests, the message is only scanned once for its spam probability; its score is saved. This makes it possible to have different actions based on different spam probability ranges without having to scan the message multiple times.

Spam rule hit

Analyze the names of spam rules violated by the message; automatically performs the Spam probability test. Refer to the Anti-Spam Rules page for a list of configured rules.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Subject

Analyze the contents of the message subject.

(Supports Multiple Test Expressions. For more information, see "Test Expressions")

Verify Message DKIM Header

Important
To ensure the effectiveness of this test, it is recommended that you insert it ahead of spam tests in the policy. It is particularly crucial that this test be run before tests that modify message headers because such modifications could corrupt or remove the DKIM signature.

DomainKeys Identified Mail (DKIM) is an authentication framework in which a message is signed by the sending domain and validated by the receiver. This test performs the validation, checking the signature carried in the message against the public key that the signing domain publishes in DNS. To configure PureMessage to add a DKIM signature to some or all outgoing messages, see Sign message with DKIM header in the "Actions Defined" section. DKIM verification depends on access to the public keys stored in DNS, so DNS resolution must also be configured for the test to take effect. For general information, see www.dkim.org.

The test analyzes the message header for DKIM signatures. It allows PureMessage to verify the origin of messages that bear a DKIM signature. This test returns true if the message matches the value specified.

Create multiple tests to allow for the various possibilities described in the values below.

Configurable Values:

When using this test with match operators such as Contains and Matches, type one of the following four values in the adjacent text box.

  • pass - A signature is present and verifies.
  • none - There is no DKIM signature.
  • fail - A DKIM signature is present but does not verify.
  • invalid - The message cannot be verified for some reason, for example a DNS timeout or an invalid DNS hostname.

If you plan to quarantine messages based on certain test results, you may want to create a quarantine digest informing end users that messages have been quarantined for this reason. For more information, see "Managing Quarantine Digest Rules" in the Quarantine Tab section of the Manager Reference.