Creating a content checking rule
To create a content checking rule:
1. Highlight the content checking node in the GFI MailSecurity configuration. Right click and select New> Content checking rule.
2. A new rule will be created in the right pane. Highlight this rule and double-click it. A tabbed dialog will appear.
Checking the body & subject
A content checking rule (VSAPI mode)
3. In the general tab, you can specify whether you wish to apply this rule to apply to inbound mail, internal mail, outbound mail or all. You can also block PGP encrypted messages.
4. Now you can enter the conditions & keywords you wish to content check emails for. Select either 'Add Condition' to enter a condition that uses operands, or select 'Add Keyword' to enter a single keyword or a phrase.
Adding a condition
Adding conditions
Conditions are combinations of keywords using the operands IF, AND, AND NOT, OR or OR NOT. Using conditions, you can specify combinations of words that must appear in the e-mail. For example a condition "If Word1 AND Word2" will check for Word1 and Word2. Both words would have to be present in the mail to activate the rule. To add a condition, select 'Add Condition'
Adding a keyword or phrase
Adding keywords
If you only wish to check for single words or phrases, you do not need to create a condition. In this case you can just add a keyword. Select 'Add Keyword' to do this. If you enter multiple words, then GFI MailSecurity will search for that phrase. For example if you enter Basketball sports, then GFI MailSecurity will check for the phrase 'Basketball sports'. Only this phrase would activate the rule, not only the word basketball OR sports.
5. By default, only the message body of the mail will be checked. You can have GFI MailSecurity open an attachment and check for keywords in the attachment itself. To do this, click on 'Attachment checking options'. Enable 'Check these attachments', and specify the extensions of the attachments you wish to content check using the Add & remove buttons.
Note: This option will cost processing time, since it is time intensive to search for words through attachments. Its best to only do this for doc, txt and rtf attachments and to quarantine other attachments.
6. After you have specified keywords and combinations to check for, you can select a number of options:
Match whole words only: Enabling this option allows you to ensure that GFI MailSecurity will only block mails where the word you specify is a whole word. For example, if you specify the word sport, an email with the word sport will be blocked, but not an email with the word Allsports.
Block PGP encrypted mails: This option will block/quarantine messages that are encrypted using PGP. This will allow you to intercept messages trying to bypass the GFI MailSecurity content checking engine.
Import/Export: You can import keywords & conditions using the Import/Export function. To do this, create a text file and include each condition or keyword on a separate line. Phrases should be enclosed in "". Condition operators should be written in capitals. Tip: Export a sample file to see the exact format.
7. You can now proceed onto the next tab and specify words that you wish to check for in the subject of the message.
Content checking rule - subject tab
Specifying the actions to be taken
8. After you have specified what the content rule should check for, you can now specify what should be done if GFI MailSecurity finds a mail with those words in the body.
Content checking rule - actions tab - gateway version
You can choose from the following options:
Block mail & perform action: Enabling this will block the mail and allow you to either quarantine, delete or move the mail.
Quarantine e-mail: This will quarantine the mail or message part for review by an administrator. For more information on quarantining, see the chapter on Quarantining.
Delete e-mail: (Gateway version only) This option will delete the entire e-mail.
Delete body/attachment: This option will delete the `offending' mail message part (i.e. body or attachment)
Move mail to folder: This option will move the mail part to a folder.
Notification
The following notification options are available
Notify user via mail: This option allows you to notify the user via e-mail that the message was blocked.
Notify manager via mail: This option allows you to notify the users manager via e-mail that the mail was blocked. The manager of a user is specified in Active Directory. If no manager is specified the default manager is notified. The default manager can be configured from the quarantine options node.
Log occurrence of rule to this file: Optionally you can log the fact that a rule was `activated' to a log file of your choice.
Note: You can also choose not to block the mail, but simply to notify the user or to log the occurrence of it.
Applying the rule to users
9. After you have configured what to check for and what to do, you can specify for which users GFI MailSecurity will apply this rule. By default, GFI MailSecurity will apply the rule to all emails. However, you can choose to apply the rule to only a few users. This can be done from the users tab.
The Content checking rule `Users' tab
To add users, select add. GFI MailSecurity will automatically list all the users listed in Active Directory. If you do not have Active Directory, all known/imported SMTP addresses will be listed.
You can then select to which users to apply the rule. Alternatively you can select the users to which the rule should not apply! You can also apply the rule to one or more mail enabled public folders. When you are ready specifying to which users the rule will apply, click OK to save the rule.
Renaming the rule
After you have created and saved the rule, you can rename it. To do this, simply right click on the rule and select `rename'.
