Overview

Keyword Filtering allows you to set up rules that filter emails with particular keywords or a combination of keywords in the body or subject of the email.

This article looks at how Keyword Filtering rules can be set up to take action on emails that meet specific keyword conditions.

Introduction

MailEssentials default installation includes a number of Keyword Filtering rules that can be enabled, disabled, edited, or new ones added as desired. The order in which they are applied is also configurable by changing the priority.

A rule has the following components which can be modified as required:

• Keywords to block in the email body, subject, or attachment.
• Actions to take when a keyword is found.
• The users to which a rule applies.

The next section describes the process to configure keyword filtering rules by looking at the following topics:

• Configuring Basic Rule Settings
• Configuring Terms to Block
• Configuring the Actions to Take on Detected Emails
• Specifying Users to Whom This Rule Applies
• Changing rule priority

Description

To configure Keyword Filtering rules, navigate to GFI MailEssentials > Content Filtering > Keyword Filtering. This page allows administrators to view, create, enable, disable or delete rules as described below:

Configuring Basic Rule Settings

1. Open the GFI MailEssentials configuration.
2. Go to Content Filtering > Keyword Filtering and choose Add Rule...
3. Specify a name for the rule in the Rule name text box.
4. Choose whether to scan inbound, outbound and/or internal emails.
   1. Inbound Emails: Email incoming to the organization from another domain.
   2. Outbound Emails: Email outgoing from the organization to an external domain.
   3. Internal: Incoming emails that originate from the organization. (This option is only available when MailEssentials is installed on the Microsoft Exchange Server)
4. To block emails encrypted using PGP technology, choose Block PGP encrypted emails.

Configuring Terms to Block

1. Click the Body tab to specify the keywords in the email body to block.
2. Check the option Block emails if content is found matching these conditions (message body/attachments) to enable scanning the body of the message for keywords.
   
   
   
   
3. From the Condition entry area, enter keywords to block in the Edit condition box. Logical operators AND, OR, AND NOT and OR NOT can be used to form a combination of keywords.
4. To add the keyword or combination of keywords, click Add Condition. To modify an entry in the Conditions list, choose it and make the required changes in the Condition Entry box. To remove an entry from the Conditions list, check it and click Remove.
5. Click Update to apply changes.
   
6. (Optional) From the Options area, configure different settings: 
   
   

   Option	Description
   Match whole words only	Block emails when the keywords specified match whole words
   Apply above conditions to attachments	Choose this option to apply this rule to text in attachments as well. In the Attachment filtering area, specify the attachments' file extensions (e.g. .doc) to apply or exclude from this rule

7. Choose the Subject tab to specify keywords to block in the email subject.
8. From the Condition entry area, enter keywords to block in the Edit condition box. Conditions AND, OR, AND NOT and OR NOT can be used to form a combination of keywords.
9. To add the keyword or combination of keywords, click Add Condition. To modify an entry in the Conditions list, choose it and make the required changes in the Condition entry box. To remove an entry from the Conditions list, choose it and click Remove.
10. Click Update to apply the changes.
11. From the Options area, configure how keywords are matched. Choose Match whole words only to block emails where the keywords specified match whole words in the email body.

Configuring the Actions to Take on Detected Emails

1. Click the Actions tab to configure what should be done when this rule is triggered.
   
   
2. To block an email that matches the rule conditions, click Block email and perform this action and choose one of the options:
   
   

   Option	Description
   Quarantine email	Stores blocked emails in the Quarantine Store to further review (approve/delete) all the quarantined emails. For additional information, refer to Managing Quarantined Emails.
   Delete email	Deletes blocked emails.
   Move to folder on disk	Moves the email to a folder on disk. Enter the full folder path where to store blocked emails.

3. Choose the option Send a sanitized copy of the original email to recipient(s) to specify whether to send a copy of the blocked email to the recipients with the malicious content removed.
4. To send email notifications whenever an email gets blocked, check any of the options:
   

   Option	Description
   Notify Administrator	To notify the administrator whenever this engine blocks an email.
   Notify local user	To notify the email local recipients about the blocked email.

5. To log the activity of this engine to a log file, check Log rule occurrence to this file and specify the path and file name to a custom location on the disk to store the log file. By default, log files are stored in: ...GFI\MailEssentials\EmailSecurity\Logs\<EngineName>.log

Specifying Users to Whom This Rule Applies

1. By default, the rule is applied to all email users. GFI MailEssentials, however, it is possible to apply this rule to a custom list of email users specified in the Users / Folders tab.
2. Specify users to apply this rule.
   

   Option	Description
   Only this list	Apply this rule to a custom list of email users, groups or public folders.
   All except this list	Apply this rule to all email users except for the users, groups or public folders specified in the list.

3. To add email users, user groups and/or public folders to the list, click Add.
   

   

4. In the User Lookups window, specify the name of the email user/user group or public folder to add to the list and click Check Names. Matching users, groups or public folders are listed underneath.
   Note: There is no need to input the full name of the users, groups or public folder. It is enough to enter part of the name. MailEssentials will list all the names that contain the specified characters. For example, by entering Sco, MailEssentials will return names such as Scott Adams and Freeman Prescott, if they are available.
5. Check the box next to the name(s) to add to the list and click OK.
   Note: To remove entries from the list, choose the user/user group/public folder and click Remove.
6. Repeat steps 3 to 5 to add all the required users to the list.
7. Click Apply.

Confirmation

If the rules are saved with no error messages, it has been successfully added and will appear under GFI MailEssentials > Content Filtering > Keyword Filtering page.

Changing Rule Priority

The Keyword Filtering rules are applied in the same order, from top to bottom, as they are listed in the Keyword Filtering page (that is, rule with priority value 1 is checked first). The default sequence/priority can be changed by using the  (up) or  (down) arrows to respectively increase or decrease the priority of the selected rule.

Related Articles

• Understanding Keyword Filtering
• Managing Quarantined Emails
• How to determine why the Keyword Filtering Content Filter blocked or allowed a message

Back to top