Hi Michael When you add **@**.domain to the "include senders" tab you are ONLY checking the envelope from field. I DO NOT RECOMMEND creating Top level domain rules and would only do so with EXCEPTIONAL care and attention to details. The FIRST thing I would check is to ensure that the delayed email queue is enabled on your appliance. configuration / policy / smtp options / delay queue ensure the top drop down is set to ON and not collect. This feature will wipe out most snow shoe spam on its own and should allow you to get away with out creating TLD rules. ---- CUT ---- If you still insist on creating effective TLD rules please see the following 2 rules. Although these rules are as tight as possible there still may be a very small chance of a false positive. I HIGHLY recommend setting the rule to quarantine. In order to do it correctly you will need 2 data control rules. The first rule will check the DATA from and the second will check the ENVELOPE from. You MUST modify BOTH rules for each domain to exclude. For the sake of this example I will include .info and .tv you can add as many as you like. I do NOT recommend trying to add more then one TLD per header rule. Make sure you double check EVERY step is EXACTLY as listed before you enable these rules .. one missed step may cause you a world of pain. #1 : DATA rule checker under configuration / policy / data control / inbound add rule type : messages matching specific words or phrases enable advanced policy next rule config next message attributes add ( add 1 new rule for each domain, so if you have 10 domains you need to add 10 items) select Header from the drop down name From (the capital F is important) matches regular expression value : .*@.*\.domain$ (This expression is : period star AT period star slash period (domain) dollar sign) In English this expression is Anything or nothing in front of an @ sign Anything or nothing behind the @ sign ending in .domain ie : .*@.*\.tv$ or .*@.*\.info$ click the check box "One of the message attributes must be active" apply next select users next main action: quarantine / reason keyword (or delete) next next until rule description... give it a name and activate the rule once you get dropped back to the rules listing make sure this rule is #1 in the list, click save order #2 Envelope rule under configuration / policy / data control / inbound add rule type : messages matching specific words or phrases enable advanced policy next rule config click on the regular expressions tab .* (This expression is : Period Star) add next message attributes next select users click on include sender custom group add **@**.domain ie: **@**.info **@**.tv click add main action: quarantine for keyword (or delete) next to the end give it a name, activate the rule once its saved move this rule directly under the previous rule and click save order. Final notes: These rules are set to quarantine messages for the reason of Keyword. If you go into the search tool change the reason on the left to keyword and it will show you all of the hits. *********** Keep in mind #1 that setting these rules to delete is complete destruction of mail, there is NO recycle bin mail that is deleted is GONE forever #2 datacontrol rules are processed BEFORE any other rules like additional policy and spam checking so if you delete email here your other rules may not trigger. ************ Happy Trails.
↧