Filter Conditions

Condition	Use this condition to ...
Where From: message header matches some words	check the From: header for text. Adds a some words option to the rule description (explained below).
Where To: message header matches some words	check the To: header for text. Adds a some words option to the rule description (explained below). This condition has the Multiple Items Matching section within the String Condition dialog with the following options: Convert to single string All items match At Least one item matches For detailed explanation, see further in this section.
Where Subject: message header matches some words	check the Subject: header for text. Adds a some words option to the rule description (explained below).
Where Cc: message header matches some words	Convert to single string All items match At Least one item matches
Where Reply-To: message header matches some words	check the Reply-To: header for text. Adds a some words option to the rule description (explained below).
Where Date: message header matches some words	check the date: header for text. Adds a some words option to the rule description (explained below).
Where Message priority is value	check the priority of the message. Adds Where message priority is Normal to the rule description. Click on Normal to select a priority.
Where Message is Spam	check if the message is marked as spam
Where message is size	check the size of the message. Adds a 0 kB option to the rule Description. Click on this to choose whether to check the message for a size Greater than or Less than and a size in selected units (kB, MB, GB).
Where Message body matches some words	check the whole message body for some text. Parse XML function removes all HTML tags from an HTML email body and allows you to search for the text in an HTML part of a message Adds a some words option to the rule description (explained below). Note: When creating a content filter that scans a whole message body, you should use the Where message is size condition set to some reasonable size (e. g. < 50 kB). This condition is to be the first one used in the Description field. Example: Where Message is < 50 kB and Where Message body matches viagra Reject message and Stop processing more rules.
Where Custom message header matches some words	check any custom headers for some text. Adds a some words option to the rule description (explained below).
Where Any message header matches some words	check all message headers for some text. Adds a some words option to the rule description (explained below).
Where Attachment name matches some words	check attachment names for some text. Adds a some words option to the rule description (explained below).
Strip Attachment where name matches some words	Strip any attachment(s) whose name contains some text. Adds a some words option to the rule description (explained below).
Rename Attachment where name matches some words	Rename any attachment(s) whose name contains some text. This adds some words to the rule Description. This is a special case and usage examples follow: Syntax 1 - newstr;oldstr Syntax 2 - .new;old Syntax once is a simple string replacement, any occurrence of "oldstr" in an attachment name will be replaced by "newstr" Syntax 2 adds ".new" as an extension to the name of any attachment whose name contains "old" Examples: the rule dog;cat would rename attachment mycat.jpg to mydog.jpg the rule .ex_;.exe would rename attachment Myprogram.exe to Myprogram.exe.ex_ it would also rename not.an.exe.file.jpg to not.an.exe.file.jpg.ex_
Where Message contains attachment	evaluates TRUE if the message contains an attachment.
Where Message charset matches some words	checks the messages character set name for some text. Adds a some words option to the rule description (explained below the table).
Where Sender matches some words	checks the sender's address for some text. Adds a some words option to the rule description (explained below the table). Note: In the case you want to use the Starts with function (in the String Condition dialog), you have to specify also the initial angle bracket. Example: Email addresses are john.doe@domain.com, john.d@anotherdomain.net, etc. You want to search for all addresses beginning with john. In the String field, specify this: <john
Where Recipient matches some words	checks the recipient's address for some text. Adds a some words option to the rule description (explained below). This condition has the Multiple Items Matching section within the String Condition dialog with the following options: Convert to single string All items match At Least one item matches For detailed explanation, see further in this section. Note: If you intend to use the Starts with function, see also the note above.
Where Sender/Recipient is local/remote	specifies sender/recipient: Sender - the defined action will be applied to a sender. Recipient - the defined action will be applied to a recipient. Local - the sender/recipient is local (from a local domain). Remote - the sender/recipient is remote. Ignore - ignore the switches and field below. Account exists - the sender's/recipient's account exists within the selected domain/group/mailing list/... Account does not exist - the sender's/recipient's account does not exist within the selected domain/group/mailing list/... Member of - click the "..." button to select the appropriate domain/group/mailing list/...
Where Sender's hostname matches some words	checks the sender and the recipient for some text. Adds a some words option to the rule description (explained below).
Where message violates RFC2822	check the message for any RFC2822 violations. Adds RFC2822 to the rule Description. Click on this to open a dialog that allows you to choose the five most common RFC2822 violations that can cause email clients to hang when trying to receive a message.
Where Condition is execution of application	runs a specific application to process the email message. Adds an application option to the rule description (explained bellow). Click this link to define the path to the application. This (custom) application obtains the path to the email file as a parameter. If the application output equals zero, the condition is not met, if the output is differing from zero, the condition is met.
Where Sender's IP address matches some words	check the Sender's IP address for some text. Adds a some words option to the rule description (explained below).
Where rDNS (PTR) matches some words	check the rDNS record for some text. Adds a some words option to the rule description (explained below).
Where Sender's IP address is listed on DNSBL server	check a DNSBL server for the sender's IP address of this message. Adds the server expression to the rule description. Click this to enter the name of the DNSBL server you wish to interrogate. (If not set, all servers activated under AS > Spam Assassin > RBL are queried.) Fill in the Regex field. Enter the regex expression that you want to use to sort DNSBL server answers. (If not set, any server answer will match the condition.) See the Simple RegEx Tutorial chapter. When creating content filters apart from Antispam > SpamAsssasin defined ones, consider using a condition Where NOT SMTP AUTH, to avoid catching users that authenticate SMTP. Example of a regex to check only for result code of 127.0.0.x from list.dnswl.org (which - in this case - is a classification they use for very legitimate senders - HIGH TRUST which is 127.0.0.1 as shown at www.dnswl.org instructions): Where Sender's IP address is listed on DNSBL: Server - list.dnswl.org, Regex - 127.0.\d+.3 Add score: -3.50 Accept message In case if you would like to work with messages via content filter regardless DNSBL or RBL, you need to disable DNSBL and RBL, to be able to accept and proceed the messages.
Where session is trusted	check whether sender's IP is trusted.
Where Spam score is Value	check the spam score assigned by the Antispam engine. Adds 0.00 to the rule Description. Click on this to choose Greater or Lower than and a value. Note that the maximum value that the Antispam engine will assign is 10, so specifying a rule that says greater than 10 will never evaluate TRUE, similarly less than 10 will always evaluate FALSE unless the score is exactly 10.
Where Bayes score is percentage	check the score (%) assigned by the Bayesian filter processing. Adds 0% to the rule Description. Click on this to select Greater or Lower and a percentage value.
Where SMTP AUTH	check whether this message was delivered using the SMTP AUTH command (authenticated login).
Where Scanned by Antivirus	check messages that were scanned by the IceWarp antivirus engine. Adds antivirus to the rule Description. Click on this to open a dialog where you can choose any of the four IceWarp antivirus engine results. Note that it is not possible to check both Message contains a virus and Message does not contain a virus options.
Where Local time meets criteria	Check the local time (of the IceWarp Server). Adds criteria to the rule Description. Click on this to open a dialog where you can specify local time checking criteria: The above example will evaluate TRUE only if: The date is between 15th February 2020 and 28th February 2020 AND it is a Saturday or Sunday AND the time is between 20:00 and 23:59. This condition is supplied so that you could create a rule that only runs at weekends, overnight, etc.
Where SQL returns records value	This option runs a query against the database and if the query returns a result evaluates to TRUE, if the query returns an empty result it evaluate to FALSE. Click on Value in the rule description to specify the Database connection to use and the query to run. Click on reject in the rule description to choose an action if the rules evaluates as TRUE.
All messages	Evaluates TRUE for all messages. This is useful if you want to apply an action to every incoming message.

When some words is added to a rule Description you should click it to define the text you wish to check for. The String Condition dialog is presented:

Figure. String condition dialog.

Field

Description

Function

Select the type of a test you want to perform against the value specified in the String field.

Function	Use this condition to ...
Contains list of strings (semicolon separated)	Specify a list of semicolon separated strings. Each string will be checked against the Condition and TRUE will be returned if any string matches. Example: Viagra;Cialis;spam
Regex	Specify a Regex (Regular Expression). See Simple RegEx Tutorial for more details. See the RegEx Rewrites for more information about this topic. For comprehensive Regex information, see http://www.regular-expressions.info/.
Contains string	Specify a single string. If the specified string exists in the Condition, TRUE will be returned. Note: Server variables can be used within a string definition. For more information, refer to the Server Variables chapter.
Starts with string	Specify a string that Condition must start with.
Ends with string	Specify a string that Condition must end with.
Is string	Specify a string that must be an exact match with the Condition.
Contains list from file or pattern	Specify a file name containing a list of strings in the String text box. This must be a fully qualified path to the file. The file must contain one string per line. This Function works like "Contains list of strings" but reads the strings from the file. To select a pattern (defined upon the System - Advanced - Patterns tab), click the left "..." button.

NOT

Check the box if you want to negate the specified function.

String

Fill in the string you want to evaluate against the Condition.

Match case

Check the box if you want the comparison to be case sensitive, i.e. "Viagra" will match "Viagra" but not "viagra".

Match whole word only

Check the box if you want the comparison to be true only if the string is not part of another word, i.e.: "Viagra" will match "Viagra works" but will not match "Viagraworks".

Multiple Items Matching

This extended dialog is available for conditions related to the To, CC, Recipient and Attachment headers.

string_condition_multiple_items

Figure. String condition dialog (in older versions) for multiple matching items.

Figure. String condition dialog (in newer versions) for multiple matching items.

Field	Description
Convert to single string	Default. All recipients or attachments are evaluated as one string.
All items match	Condition is evaluated for each recipient/attachment, global match is returned if all recipients/attachments match.
At least one item matches	Condition is evaluated for each recipient/attachment, global match is returned if at least one recipient/attachment matches.

Example #1

Let's have two recipients: a@d1.com and a@d2.com

Condition: contains string @d1

If Convert to string is used, "<a@d1.com>;<a@d2.com>;" string is constructed and tested. Result is MATCH.
If All items match is used, <a@d1.com> is tested, result is match, then <a@d2.com> is tested, result is not match. Global result is NOT MATCH.
If At least one item matches is used, <a@d1.com> is tested, result is match, then <a@d2.com> is tested, result is not match. Global result is MATCH.

Example #2:

Let's have two recipients: a@d1.com and a@d2.com

Condition: does NOT contain string @d1

If Convert to string is used, "<a@d1.com>;<a@d2.com>;" string is constructed and tested. Result is NOT MATCH.
If All items match is used, <a@d1.com> is tested, result is not match, then <a@d2.com> is tested, result is match. Global result is NOT MATCH.
If At least one item matches is used, <a@d1.com> is tested, result is not match, then <a@d2.com> is tested, result is match. Global result is MATCH.

Note: This works and will work for Content Filters only.

Example #3

You may want to restrict some users to receiving only e.g.: .doc and .pdf files.

Use these conditions:

Where Recipient matches: user1@domain.com; user2@domain.com plus select the Convert to single string option.
and Where Attachment name matches (plus check the NOT box): .doc;.pdf plus select the At least one item matches option.

And use the following actions:

Reject message
and Stop processing more rules.

Figure. Rule dialog containing rules to filter attachments.