Skip to main content

Message Rule Conditions

Condition name	Description
Attachment Name	Check the attachment (if any) name of the message against a specific system or custom condition. System conditions include: Double extension (e.g. .docs.exe) Dangerous files Office macro extensions
Bitdefender	Scan attachments with Bitdefender anti-malware engine and cloud service. Available conditions are: Clean Suspected Virus Virus or Suspected
Body	Compare the body of the message against specific custom or system conditions. System conditions include: Direct Marketing Detection Empty Body Detection Homophobic Content Marketing Exception Newsletter SPAM Racially Insensitive Racist Content RuleScan Exceptions Sexual Enhancer/Explicit Sexually Explicit
Body or Subject	Compare the title body of the message against specific custom or system conditions. System conditions include: Chinese Spam keywords Homophobic Content Racially Insensitive Racist Content Redirect Spam URLs Sexual Enhancer/Explicit Sexually Explicit Spam Blog URLs
Connection IP	Compare the remote server connection IP against specific custom or system conditions. System conditions include: LocalHost
Core Service	Check the sender e-mail reputation as determined by the core anti-spam service against a specific system condition. Each email is scanned and classified into one of the classifications. Rules can be customized to get the best out of the spam filtering. Each customer will have their own requirements and this list is extensive and should help to custom the detection level to your requirements. Note Some classifications are already used in default rules that will be enabled by default, these are marked. System conditions include: CoreService Clean - Emails found to be clean CoreService Bounce -Bounced message (Non-delivery notifications). CoreService Commercial -Professional Commercial Email detected by signature: Typically, emailing campaigns issued from a professional and known routing platform that follow the rules of use for email advertising, by providing unsubscribe links, list cleaning. CoreService Commercial - High Reputation CoreService Commercial - Low Reputation CoreService Commercial - Medium Reputation CoreService Community - Social Network alerts and notifications, Mailing-list email communications and Messages exchanged through forums. CoreService Malware CoreService Phishing CoreService Spam (Used in "(Default) CoreService" rule) - Known Spam, Malware detected by heuristic analysis, Message detected as phishing either by heuristic analysis or through a URL and Message detected as scam by heuristic analysis. CoreService Suspect (Used in "(Default) CoreService Suspect" rule) - Miscellaneous Commercial Email detected by heuristics: Any advertising email that follow the rules of use of marketing email, which was not sent through a renown routing platform. Message with a subject that may potentially cause damage. For instance, emails with content referencing money transfer. Detected by signature: Any other advertising campaign that does not comply with CAN-SPAM. CoreService Suspect Only CoreService Relax CoreService Transactional - Transactional emails sent as a confirmation after buying on the Internet. Account update or actions such as welcome emails, account validation email and request for updates. Emails related to travel arrangements and confirmation. Emails received after subscribing to alert services, such as housing alerts, Google alerts, Yahoo alerts.
Direction	Specify the direction of the message - inbound or outbound.
DKIM Enabled	Check if DKIM (DomainKeys Identified Mail) is enabled on your server. Conditions can be set to true or false.
DKIM Signature	Compare the DKIM (DomainKeys Identified Mail) signature for the email against a specific system condition. System conditions include: DKIM Pass DKIM Temporary Fail Permanent Error UnSigned
DMARC Failure	Compare the DMARC (Domain-based Message Authentication, Reporting and Conformance) failure action from the remote DNS record against a specific system condition. System conditions include: None Reject Note Recommended settings are "Match type: Matches" and "Condition Value: Reject".
DMARC Policy	Compare the DMARC (Domain-based Message Authentication, Reporting and Conformance) policy against a specific system value. System conditions include: DMARC Fail DMARC Pass
Domain Threat Level	Scan domains within the header and envelope fields of the message, using leading threat intelligence fields, to identify high-risk domains.
Email Size	Compares the size of the message against a specific system value. You can set the match type to Greater Than or Less Than.
Executive Tracking	Scan headers for attempts to impersonate company executives, or to obtain sensitive information from high-profile employees. It can be compared against these system conditions: Contains - To trigger the rule, this condition looks for a partial match. For example, if `Dr Alex Smith` is selected, the rule would trigger if the first and last name were Alex Smith or if a variant of Alex (for example Alexander.) Exact - To trigger the rule, the entered string must match users first and last name or a configured variant exactly. Tip If you are using this condition, you must add a variant for every name you wish to detect. High - To trigger the rule, a check is made using the Levenshtein Distance algorithm and Tanimoto Coefficient to automatically determine between the entered string and the users' real name. Warning There is a risk of false positives associated with this option. Medium - This condition works similarly to the High one, however the threshold for triggering is much lower. Warning There is a significant risk of false positives associated with this option. Note This value represents the amount of variation that the Condition will tolerate. For example, the Exact value will only trigger on an exact match, whereas High would trigger if one character had been changed to a number in the label name. We recommend setting the Condition to High by default, to avoid false positives.
Fake Sender Headers	Check if the email sender headers have been forged.
File Type	Check if the email contains an attachment of the specified file type. Recognized file types include include: MS Access MS Excel MS PowerPoint MS Word Script
Group Membership	Check if the mailbox belongs to a specific synchronized Active Directory group.
Header Exists	Compare headers and header values against Custom Rule Data values.
IP Reputation	Check if the IP address of the email's originating server matches a specified reputation value.
Mailbox Exists	Check if the destination mailbox to exists on your server. Note This Condition is only useful for incoming email, and should usually be added in conjunction with a Direction condition.
Message Security	Check if the message is digitally signed or encrypted.
MX Record	Check that the hostname in the MX records responds to an SMTP request.
Nearby Domains	Scan the email headers for addresses for domain names similar to your legitimate domain name (e.g. bytedefender.com instead of bitdefender.com). These can often be an indication of a malicious or spam email. You can set this condition to a value greater than or less than values from 1 to 10. Note The recommended value depends on your domain length. You should set it to a sightly lower value than the length of your domain then monitor results and adjust as needed.
Own Domain	Check if the sender of the email is configured as a domain for your account.
Protected Attachment	Check if the messages contain password protected attachments. Note zip and PDF currently supported
Recipient	Check the email recipient against your Active Directory export or you any Custom Rule Data you have created.
Recipient Count	Check if the total number of recipients is greater or higher than a specific value.
Scan Office Files	Scans any attached Office documents (except PDF files) for specific keywords or patterns.
Sender	Compare the sender of the email against a specific custom value you have created in Custom Rule Data.
Sender in List	Check if the sender is present in any personal or global Safe List or Deny List.
Sending Domain MX Record	Check if the originating domain for the email has a valid MX record.
Spam Score	Check if the email's spam score (as calculated by Email Security) is greater than or less than a specific value. Note You can use Rule Actions such as Add to Spam Score, Set Spam Score or Subtract from Spam Score to adjust the score.
SPF	Check the Sender Protection Framework score for the email's domain against a specific system condition. System conditions include: SPF Any Fail SPF Fail or Neutral SPF Fail SPF Pass SPF Softfail
Subject	Check the email subject's keywords against a specific custom or system condition. System conditions include: Auto Responses Homophobic Content Invoice Racially Insensitive Racist Content Sexual Enhancer/Explicit Sexually Explicit
URL Scanner	Scan all links in the email message body and check for known threats. You can choose to check against either Clean URLs or Threat URLs. Note The URL Scanner Condition can use LinkScan to provide on-demand URL protection.
Virus Ruleset	Detect the presence of malware, in macros, VBA scripts or Office documents. The Condition checks if the result is greater than or less than a specific system value.
Virus Score	Checks if the email Virus Score is greater than or lesser than a specific system value. Note The Virus Score Condition is best used in combination with other Rules (with a higher priority) which uses the Add to Virus Score, Subtract from Virus Score and Set Virus Score Actions.
Word Count	Checks if the number of words contained in the body of the email matches against specific criteria.

In this section:

Was this helpful?

Would you like to provide feedback? Just click here to suggest edits.