
Message Rule examples

All message rules are applied to each message in the order in which they appear on the Message Rule page. Processing continues until every message rule has been evaluated or a Final Action that stops processing has been applied.

One of the many uses of Message Rules is to score and filter out spam. Each rule can add points to a message's spam score based on a number of factors, and the resulting score then determines whether the email is delivered, digested, or quarantined.

For more information on the spam filtering, refer to Digest generation and Quarantines.

Avoiding false positives

If you find the default spam settings too aggressive, there are a few ways you can adjust them to better suit your company's needs.

Use Safe Lists

If there is a specific sender, domain, or IP address you trust, you can add it to your company's Spam Safe List.

Warning

A large Spam Safe List is a security risk: a forged sender address that matches a domain on your Safe List bypasses all spam checks.

Increase the threshold for confirmed spam

  1. Go to Products > Email Security > Message Rules.

  2. Double click the Confirmed Spam rule to start editing it.

  3. Under the Selected Conditions column, edit the Spam Score condition by clicking on Configure.

  4. Change the Condition Value to a higher limit, such as 170.

  5. Click Save.

Disable the Confirmed Spam rule

Warning

This will significantly reduce Email Security's ability to detect and handle spam, and may result in an increase in the number of spam emails that reach your company's employees.

  1. Go to Products > Email Security > Message Rules.

  2. Click on the button under the Status column for the Confirmed Spam rule to turn it off.


This rule detects phishing attacks that target high-profile employees, such as the CEO or CFO, and quarantines the offending messages.

You can activate executive tracking for specific email addresses from the Mailboxes screen. For Active Directory groups, use the Group Management screen.

Note

These attacks target employees in senior positions, who tend to have access to sensitive data, and aim to manipulate the victim into authorizing high-value wire transfers to the attacker.

Warning

In order for Executive Tracking to work properly, you need to be running the AD Connect tool, rather than AD export or LDAP export.

To set up this Rule:

  1. Go to Products > Email Security > Message rules.

  2. Click the Add Rule button.

  3. Add a rule name and click the Add button.

  4. Add a Direction condition and set it to Inbound.

  5. Add an Executive Tracking condition, and set it to Matches: Exact.

  6. Add a Quarantine - Company final action, and set it to Spam.

  7. Click the Save button.

  8. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.

Excluding Email Addresses from Tracking

Go to the Custom Rule Data page and select the Executive Tracking Safelist entry.

Add or update the Regular Expression, keeping this format and separating multiple email addresses with the pipe (|) character:

^(addr1@domain\.com|addr2@domain\.com|addr3@domain\.com)$

Excluding Email Domains from Tracking

Go to the Custom Rule Data page and select the Executive Tracking Safelist entry.

If you need to add entire domains to the Regular Expression, use the following format (e.g. for domain1.com and domain2.com):

^(addr1@domain\.com|addr2@domain\.com|addr3@domain\.com)$|domain1\.com$|domain2\.com$
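As an added illustration (not part of this article or the product's own code), the following Python snippet assembles the Executive Tracking Safelist pattern in the format shown above and tests it against sample sender addresses with Python's re module. It assumes the product applies the pattern with search semantics (matching anywhere in the address); that is an assumption, not something the article states. Under that assumption a bare domain alternative such as domain1\.com$ also matches addresses at look-alike domains that merely end in the same characters, and the optional anchor_domains tightening with a leading @ is this snippet's suggestion, not the page's format.

```python
import re
from typing import Iterable


def build_executive_safelist(addresses: Iterable[str], domains: Iterable[str] = (),
                             anchor_domains: bool = False) -> str:
    """Assemble the Executive Tracking Safelist regex in the format shown on the page:
    an anchored alternation of full addresses, optionally followed by bare domain
    alternatives. With anchor_domains=True each domain alternative is prefixed with
    '@' (a tightening suggested here, not part of the page's format)."""
    addr_part = "^(" + "|".join(re.escape(a) for a in addresses) + ")$"
    prefix = "@" if anchor_domains else ""
    domain_parts = [prefix + re.escape(d) + "$" for d in domains]
    return "|".join([addr_part] + domain_parts)


def is_safelisted(pattern: str, address: str) -> bool:
    """Assumption: the product applies the pattern with search semantics against the
    sender address, so an unanchored alternative can match anywhere in the string."""
    return re.search(pattern, address) is not None


if __name__ == "__main__":
    execs = ["addr1@domain.com", "addr2@domain.com"]   # constructed sample addresses
    loose = build_executive_safelist(execs, ["domain1.com"])
    tight = build_executive_safelist(execs, ["domain1.com"], anchor_domains=True)
    print("page format   :", loose)
    print("anchored form :", tight)
    for addr in ["addr1@domain.com", "addr1@domain.com.evil.example",
                 "user@domain1.com", "user@evildomain1.com"]:
        print(f"{addr:32s} loose={is_safelisted(loose, addr)!s:5s} "
              f"tight={is_safelisted(tight, addr)}")
```

Run it to print both patterns and the verdict for each sample address. If the product's matching is stricter than re.search, the loose form may behave differently, so test the final expression against your own addresses before relying on it.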

Some Gmail accounts (either legitimate accounts that have been compromised or accounts created specifically for spam) send emails with little or no content, for example an empty email with the subject line "hi". Such emails offer very little content to analyze, so it is difficult to determine automatically whether they are legitimate.

GravityZone Security for Email can detect these types of attempts and block them. Here is how to set up a rule for that purpose:

  1. Go to Products > Email Security > Custom Rule Data.

  2. Click the Add New button and select Rule Data. Give it a descriptive name (e.g. Gmail domains) and click Update.

  3. Click the Save button.

  4. In the value field, enter:

    gmail.com
    googlemail.com
  5. Click the Add New button and select Rule RegEx. Give it a descriptive name (e.g. Gmail spam) and click Update.

  6. Click the Save button.

  7. In the value field, enter ^$|^Hi$

    Note

    You may need to update this RegEx with additional values if you're regularly receiving spam emails with different subject lines. You can test out your new RegEx value at https://regex101.com/.

  8. Go to Products > Email Security > Message rules.

  9. Click the Add Rule button.

  10. Add a rule name and click the Add button.

  11. Add a Direction condition and set it to Inbound.

  12. Add an Email Size condition and set it to Less Than: 4kb.

  13. Add a Sender condition and set it to Matches: Gmail domains (or the name you gave the Rule Data in step 2).

  14. Add a Subject condition and set it to Matches: Gmail spam (or the name you gave the Rule RegEx in step 5).

  15. Add a Quarantine final action and set it to Spam.

  16. Click the Save button.

  17. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

  • Unless the Active button is set to On, the rule will not be processed.

  • If all detected emails are spam, you can change this Rule to use a Quarantine - Company final action instead.

This rule can be adapted to prevent a user or group of users from receiving specific types of documents:

  1. Go to Products > Email Security > Custom Rule Data.

  2. Click the Add New button and select Rule Data. Give it a descriptive name (e.g. no Word document users) and click Update.

  3. Add the email addresses for the users you want to include in the list, each on a separate line:

  4. Click the Save button.

  5. Click the Add New button and select Rule RegEx. Give it a descriptive name (e.g. Word documents) and click Update.

  6. Type in the following as the RegEx Data field:

    ^.+\.(?:(?:[dD][oO][cC][xX]?))$
  7. Click the Save button.

  8. Go to Products > Email Security > Product Configuration > Custom Quarantine.

  9. Click the Add button.

  10. Type in a descriptive domain name, check the Permit User Access box, and click the Add button.

  11. Go to Products > Email Security > Message rules.

  12. Click the Add Rule button.

  13. Add a descriptive rule name and click the Add button.

  14. Add a Direction condition and set it to Inbound.

  15. Add a Recipient condition and set it to Matches: No Word Document Users (or the name you gave the Rule Data in step 2).

  16. Add an Attachment Name condition with the value set to Matches: Word documents (or the name you gave the Rule Regex in step 5).

  17. Add a Notify Sender action and type in the message you want to be sent to the sender.

  18. Add a Quarantine final action and set it to Matches: Word file emails (or the name you gave the custom quarantine in step 10).

  19. Click the Save button.

  20. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.

To set up a rule that detects possible credit card numbers, follow the below steps:

  1. Go to Products > Email Security > Custom Rule Data.

  2. Click the Add New button and select Rule RegEx. Give it a descriptive name (e.g. Credit Card numbers) and click Update.

  3. Type in the following as the RegEx Data field:

    \b4\d{3}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    Note

    The example given above will detect Visa cards. The following RegEx patterns can be used to detect other credit card types. You'll need to create a new Custom Rule Data for each one.

    Mastercard

    \b5[1-5]\d{2}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    Discover or Diners

    \b6(?:011|22(?:1(?=[\ \-]?(?:2[6-9]|[3-9]))|[2-8]|9(?=[\ \-]?(?:[01]|2[0-5])))|4[4-9]\d|5\d\d)([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    JCB (China)

    \b35(?:2[89]|[3-8]\d)([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)

    American Express

    \b(?<!\-|\.)3[47]\d\d([\ \-]?)(?<!\d\ \d{4}\ )(?!(\d)\2{5}|123456|234567|345678)\d{6}(?!\ \d{5}\ \d)\1(?!(\d)\3{4}|12345|56789)\d{5}(?!\-)(?!\.\d)\b(?!([^<]+)?>)
  4. Click the Save button.

  5. Go to Products > Email Security > Message rules.

  6. Click the Add Rule button.

  7. Add a descriptive rule name and click the Add button.

  8. Add a Body or Subject Condition, and set it to Matches: Credit Card numbers (or the name you gave the Rule RegEx at step 2).

  9. Add your desired Action or Final Action.

  10. Click the Save button.

  11. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.
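The patterns above find digit sequences that look like card numbers, so every match is only a candidate. As an added example that is not part of this article or the product, the Python below runs the page's Visa and Mastercard expressions over a constructed message body with Python's re module and then applies a Luhn checksum to each hit, which is a common way to cut false positives when reviewing what a rule like this quarantines. The sample card numbers are well-known test values, and the Luhn step is an additional check performed here, not something the product's rule does.

```python
import re
from typing import List, Tuple

# Patterns copied from the page for the two most common brands. The trailing
# (?!([^<]+)?>) negative lookahead refuses a match that sits inside an HTML tag,
# e.g. a number embedded in an href attribute.
CARD_PATTERNS = {
    "Visa": r"\b4\d{3}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)",
    "Mastercard": r"\b5[1-5]\d{2}([\ \-]?)\d{4}\1\d{4}\1\d{4}\b(?!([^<]+)?>)",
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[Tuple[str, str, bool]]:
    """Return (brand, matched text, passes Luhn) for every regex hit in the text."""
    hits = []
    for brand, pattern in CARD_PATTERNS.items():
        for m in re.finditer(pattern, text):
            hits.append((brand, m.group(0), luhn_ok(m.group(0))))
    return hits


# Constructed sample body; the card numbers are well-known test values, not real cards.
SAMPLE_BODY = (
    "Card on file: 4111 1111 1111 1111 (exp 12/27)\n"
    "Old card 4111-1111-1111-1112 was cancelled.\n"
    "MC: 5500000000000004\n"
    '<a href="tel:4111-1111-1111-1111">call us</a>\n'
)

if __name__ == "__main__":
    # The number inside the <a href="..."> tag is skipped by the lookahead; the
    # second Visa-shaped number matches the regex but fails the checksum.
    for brand, value, ok in find_card_numbers(SAMPLE_BODY):
        print(f"{brand:10s} {value:20s} luhn={'pass' if ok else 'FAIL'}")
```

The backreference \1 forces the same separator (space, hyphen, or none) between all four groups, so a mixed form such as "4111 1111-1111 1111" is not matched; keep that in mind when tuning the rule against samples from your own mail flow.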

To disable spam filtering for specific mailboxes follow the steps below:

Note

The rule is designed to work for Inbound emails only. You can repeat steps 5-12 for Outbound emails as well, replacing Matches: Inbound with Matches: Outbound in step 9.

  1. Go to Products > Email Security > Custom Rule Data.

  2. Click the Add New button and select Rule Data. Give it a descriptive name (e.g. No Spam filtering) and click Update.

  3. Type in the email addresses you want to exclude from spam filtering, each on a separate line.

  4. Click the Save button.

  5. Go to Products > Email Security > Message rules.

  6. Click the Add Rule button.

  7. Add a descriptive rule name and click the Add button.

  8. Add a Recipient condition and set it to Matches: No Spam Filtering (or whatever you named the rule data in step 2).

  9. Add a Direction condition, with the logic set to Matches: Inbound.

  10. Add a Deliver final action.

  11. Click the Save button.

  12. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.

Note

Unless the Active button is set to On, the rule will not be processed.

This rule is meant to catch spam emails that are designed to appear, on casual inspection, as if they originate from your domain.

It triggers when domains in the header are very similar to (but not identical to) your configured domains, for example bytdefender.com and bitdefender.com.

To set it up follow the below steps:

  1. Go to Products > Email Security > Message rules.

  2. Click the Add Rule button.

  3. Add a descriptive rule name and click the Add button.

  4. Add a Direction condition and set it to Matches: Inbound.

  5. Add a Nearby Domains condition and set it to Less Than: 3.

    Note

    The rule can be configured with a value between 1 and 10; we recommend 3 as a starting point. You can then monitor the results and adjust as necessary.

  6. Add an Add to Spam Score action and type in 108. This ensures the message is identified as spam.

  7. Click the Save button.

  8. Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rule window.
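The rules on this page share one evaluation model, described at the top of the page: rules run top to bottom, ordinary actions (such as Add to Spam Score) adjust the message and processing continues, and the first matching rule that carries a final action ends it. That is why the spam-filtering exemption with its Deliver final action must sit above the Confirmed Spam rule, and why the lookalike-domain rule only needs to add points to the spam score. As an added example that is not part of this article or the product, the Python below models that flow with a constructed rule set. The Confirmed Spam threshold (100), the company domain list and the exempted mailbox are constructed values, and the Nearby Domains condition is approximated with Levenshtein edit distance, which is an assumption about how the product measures similarity.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Message:
    direction: str        # "Inbound" or "Outbound"
    sender_domain: str    # domain part of the sender address
    recipient: str
    spam_score: int = 0   # running score that "Add to Spam Score" actions raise


@dataclass
class Rule:
    name: str
    conditions: List[Callable[[Message], bool]]            # every condition must hold
    actions: List[Callable[[Message], None]] = field(default_factory=list)
    final_action: Optional[str] = None                     # e.g. "Deliver", "Quarantine - Company"
    active: bool = True                                    # an inactive rule is skipped entirely


def evaluate(rules: List[Rule], msg: Message) -> Tuple[str, Optional[str]]:
    """Walk the rules top to bottom; the first matching rule with a final action ends
    processing. Returns (final action, name of the rule that applied it), or
    ("Deliver", None) when no final action fired (assumed default behaviour)."""
    for rule in rules:
        if not rule.active:
            continue
        if all(cond(msg) for cond in rule.conditions):
            for act in rule.actions:
                act(msg)
            if rule.final_action is not None:
                return rule.final_action, rule.name
    return "Deliver", None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used here to model the Nearby Domains condition (assumption)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed values for the demo; the product's real defaults are not on the page.
OUR_DOMAINS = ["bitdefender.com"]
NO_SPAM_FILTERING = {"ceo@bitdefender.com"}   # the "No Spam filtering" Rule Data list
CONFIRMED_SPAM_THRESHOLD = 100


def inbound(m: Message) -> bool:
    return m.direction == "Inbound"


def nearby_domain(m: Message) -> bool:
    # similar to one of our domains (distance below 3) but not identical to it
    return any(0 < edit_distance(m.sender_domain, d) < 3 for d in OUR_DOMAINS)


def add_spam_score(points: int) -> Callable[[Message], None]:
    def act(m: Message) -> None:
        m.spam_score += points
    return act


LOOKALIKE = Rule("Lookalike sender domain", [inbound, nearby_domain], [add_spam_score(108)])
NO_FILTER = Rule("No spam filtering",
                 [lambda m: m.recipient in NO_SPAM_FILTERING, inbound], final_action="Deliver")
CONFIRMED = Rule("Confirmed Spam",
                 [lambda m: m.spam_score >= CONFIRMED_SPAM_THRESHOLD],
                 final_action="Quarantine - Company")


def run(rules: List[Rule], direction: str, sender_domain: str, recipient: str,
        spam_score: int = 0) -> Tuple[str, Optional[str]]:
    """Build a fresh message and evaluate it against an ordered rule list."""
    return evaluate(rules, Message(direction, sender_domain, recipient, spam_score))


if __name__ == "__main__":
    # exemption placed above Confirmed Spam: the excluded mailbox gets the mail delivered
    print(run([LOOKALIKE, NO_FILTER, CONFIRMED], "Inbound", "bytdefender.com", "ceo@bitdefender.com"))
    # same rule placed below Confirmed Spam: the quarantine fires first, the exemption never runs
    print(run([LOOKALIKE, CONFIRMED, NO_FILTER], "Inbound", "bytdefender.com", "ceo@bitdefender.com"))
```

Swapping the order of NO_FILTER and CONFIRMED is the whole point of the "drag it to the appropriate position" step: the same three rules produce a Deliver or a Quarantine verdict for the same message depending only on their order.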

This rule is meant to protect against attacks that involve sending an email with very little content and an HTML attachment containing malware or other malicious software.

Note

This rule will appear for all customers provisioned after September 2021 but it will be disabled by default.

To manually create the rule, follow these steps:

  1. Go to Products > Email Security > Message rules.

  2. Click the Add Rule button.

  3. Add a descriptive rule name and click the Add button.

  4. Add a Direction condition and set it to Matches: Inbound.

  5. Add an Attachment Name condition and set it to Matches: HTML attachments.

  6. Add a Sender in List condition and set it to Does Not Match: All Safe Lists.

  7. Add an Add to Virus Score action and type in 123. This ensures the message is identified as a potential threat.

  8. Click the Save button.

  9. Move or drag the rule above the Confirmed Spam and Possible Spam rules so that it triggers before them.

Note

You can further modify the rule to match your company's needs by adding additional conditions.

To create a rule to quarantine marketing messages to one or more users, follow the steps below:

Note

For more information on GravityZone Security for Email policies regarding marketing emails, refer to How marketing emails are flagged.

  1. Create a list of users you want the rule to apply to:

    1. Create a new Rule Data list.

      Note

      For more information on creating a new data list, refer to Custom Rule Data.

    2. Add the email addresses of the users you want the rule to apply to:

    3. Click the Save button.

  2. Go to Products > Email Security > Message rules.

  3. Click the Add Rule button.

  4. Add a descriptive rule name and click the Add button.

  5. Add a Direction condition and set it to Matches: Inbound.

  6. Add a Core Service condition and set it to Matches: CoreService Commercial Medium Reputation.

    Note

    You can replace CoreService Commercial Medium Reputation with CoreService Commercial High Reputation; however, if you wish to quarantine both types of emails, you need two separate rules.

  7. Add a Recipient condition and set it to Matches: Marketing Exceptions (or whatever name you gave the rule data list in step 1).

  8. Add a Quarantine final action and set it to Matches: Spam.

  9. Click the Save button.

  10. Move the newly created rule above the already existing Medium Reputation Marketing rule.


To create a rule for detecting Credit Card Numbers on outbound emails and quarantine them in a custom area for review by the administrator:

  1. Go to Products > Email Security > Product Configuration > Custom Quarantine.

  2. Click the Add button.

  3. Add a descriptive name and click the Add button.

  4. Go to Products > Email Security > Message rules.

  5. Click the Add Rule button.

  6. Add a descriptive rule name and click the Add button.

  7. Add a Direction condition and set it to Matches: Outbound.

  8. Add a Body condition and set it to Matches: Card Number (Keywords).

  9. Add a Body condition and set it to Matches: Card Number (RegEx).

  10. Add a Quarantine final action and set it to Matches: Outgoing emails with CC info (or the name you gave the custom quarantine area in step 3).

  11. Click the Save button.

Note

For more information on the available Data Loss Prevention dictionaries, refer to this KB article.

To add a message to all emails received from outside your company, create a rule with the following settings:

Rule component | Component type                | Match type | Condition value
Condition      | Direction                     | Matches    | Inbound
Actions        | Prefix Text (for simple text) | Value      | Configure the message you require.
               | OR Prefix HTML (for HTML)     |            |

Tip

You can edit the message HTML code directly by clicking the Edit Source button in the upper right side of the Configure: Prefix HTML window.

Examples

Simple text:

WARNING! This message originated outside of Bitdefender. Do not click on links or open attachments unless you recognize the sender and KNOW the content is safe.

In HTML source code:

<p><span style="color: #ff0000;"><strong>WARNING!</strong></span><strong> This message originated outside of Bitdefender. Do not click on links or open attachments unless you recognize the sender and KNOW the content is safe.</strong></p>

Decide the priority of the rule in relation to the other existing rules and drag it to the appropriate position in the Message Rules window.

Note

Unless the Active button is set to On, the rule will not be processed.