Walk-through: Blocking specific email by subject line with Symantec Mail Security for Microsoft Exchange

Products

Mail Security for Microsoft Exchange

Issue/Introduction

You installed Symantec Mail Security for Microsoft Exchange. You need detailed steps for setting up a rule to block email that contains a specific subject line.

Resolution

Before you begin:

Make sure that the user name with which you logged in is a member of the Symantec Mail Security for Microsoft Exchange Admins security group.
Symantec Mail Security for Microsoft Exchange cannot open password-protected archives or archives that use encryption.
Archive files that use an incorrect extension do not open properly.
The below procedure can be applied on Symantec Mail Security for Exchange versions 5.X and higher, with the exception of versions 6.0.0 - 6.0.8 when being run on Exchange 2007. Version 6.0.9 and higher contains a Content Filtering feature for users on Exchange 2007.

To block email based on specific subject lines, you must have at least one match list and at least one rule. The match list defines the specific literal strings on which to filter. The rule defines the actions to take when the subject line matches part of the list. You can associate one or more named match lists with a rule.

To configure Symantec Mail Security for Microsoft Exchange to block a specific subject line, you must perform the following actions:

Create a match list.
Create a filtering rule.
Test the rule.

To create the match list

In the Symantec Mail Security for Microsoft Exchange user interface, in the left pane, on the Policies tab, under Views, click Match Lists.
Under Tasks, click Add match list.
In the Add New Match List dialog box, in the Name field, type a name for your match list.
Click OK.
In the user interface, in the right pane, in the Description box, type a description of the match list.
In the Type box, click Literal string.
In the Filter box, type the literal strings from the subject lines that you want to block.
To use multiple strings, press Enter after each string.
Click Deploy changes/Deploy all.

To create a filtering rule

In the single-server user interface, in the left pane, click Policies.
Under Views, click Content Filtering Rules.
Under Tasks, click New rule.
In the New Rule dialog box, in the Name box, type a name for the rule.
Under "Apply rule to," check Inbound messages.
By default, Internal messages (store) is checked.
In the Message part to scan drop-down list, click Subject.
Check Whole term.
Check Case.
In the Content drop-down list, click Equals.
Click Add match list.
In the Select a match list dialog box, in the left pane, click the match list that you created.
When the match list appears in the right pane, click OK.
In the Rule Action drop-down list, select the action that you want Symantec Mail Security to take when email violates the rule.
On the Notifications tab, uncheck all of the boxes.
Click OK.
Click Deploy changes/Deploy all.

To test the new rule

Create a message with a subject line that contains one of the match list strings.
Send this message into the test network from an external account, and monitor the results.
If the message triggers a violation, the rule works.
Add the rule and match list to your production environment.

Symantec recommends that you test every new rule or modified rule to make sure that it works as you expect. A test network allows more control over the test process, and email generally travels more quickly through the system.

References
For other information that is related to the configuration of subject line filtering, read the following documents:

You can also find more information in the Symantec Mail Security for Microsoft Exchange Implementation Guide.

Technical Information

Descriptions
Descriptions do not affect the functionality of any rule or match list. They provide a quick reference for the administrator.

Names
You cannot use the following characters as part of the name of a match list or content filtering rule:

&%^\:/*?.|><'#@+="

If you use one of these illegal symbols in the name of a match list or a content-filtering rule, you will see one of the following messages:

"Content filtering rule name cannot contain the following characters:"
"Match list name cannot contain the following characters:"

Notifications
Notification send to the administrator or to the original sender of a mass-mailing worm can be counterproductive. Instead, configure your outbreak settings as described in the Symantec Mail Security for Microsoft Exchange Implementation Guide.

Sensitivity of content filtering rules

The Case check box makes your match case-sensitive. This box is not available when you filter by sender or attachment name.
The Whole term check box forces the whole term to match. In Symantec Mail Security 5.0 for Microsoft Exchange, the default behavior is to search for match list items within terms. This box is not available when you use a regular expression as the filtering type.
The Match Type affects any text that you put in the Content or Unless text boxes. When you add a match list, the match type that is specified in the match list takes precedence for any match that occurs in the match list.
There are two ways to include a term: Content "Equals/Does not equal" or "Contains/Does not contain". "Equals" matches the exact term on the match list while "Contains" matches if the term is present in the message part being scanned.

Symbols

You can use symbols and characters in the Match list filter box to match patterns within strings.
For more detailed information, read the following document: Regular expressions you can use to set up spam rules in Symantec Mail Security for Microsoft Exchange.
The following symbols and characters are permitted in the Match list filter box:
! @ # $ % ^ & * ( ) _ + } { " : > < ? | ~ , . / ; ] [ = -

Users
You can add one match list to the "Users (SMTP addresses)" text box. You can add both SMTP addresses and Active Directory groups. If you use both SMTP addresses and Active Directory groups, the rule uses the groups and ignores the addresses.