[Top] [Prev] [Next] [Bottom]




Disposal


Disposal details provide MIMEsweeper with the information it needs on the disposal route for a message or Web data. That is, a list of available disposal options and the actions performed for each option.

[Disposal] section

Disposal options are listed in the [Disposal]configuration section. For MAILsweeper this is found in the mail configuration file, MIMESWP.CFG. For WEBsweeper, this section is found in the http and ftp configuration files, HTTP.CFG and FTP.CFG.

Each entry in the [Disposal] configuration section is a directive that maps a <Response> to a disposition. It is this disposition that controls the actions performed to dispose of the message or Web data.

The name of the directive is the <Response>, the value is the disposition.

For example (FTP.CFG):
 
[Disposal]
DefaultDisposal=Clean
SUCCESS=Clean
ScanWarning=NotSure
ScanFailed=NotSure
UNKNOWN=NotSure
SystemFailure=NotSure
;NoCertificate=BlockedNoCertificate
CertificateExpired=BlockCertificate
Expired
HavaJava=BlockJava
HaveExecutable=BlockExecutable
NotTrusted=BlockNonTrusted
VIRUSPRESENT=Virus

Lowest priority

Highest priority

 
For example:
 
[Disposal]
DEFAULTDISPOSAL=Clean
RELEASE=Clean
SUCCESS=Clean
ALLOW=Clean
NoFrom=Clean
ISJUNKMAIL=Warning
COPYADMINISTRATOR=Warning
ParkMessage=Parked
SCANWARNING=Warning
NORULE=Uncovered
DENY=Block
ENCRYPTED=Encrypted
BADDATA=Bad
HaveSize=BlockSize
HaveAttachments=BlockAttachments
HaveImage=BlockImage
HaveBinary=BlockBinary
...
MailShortcut=BlockMailShortcut
Shortcut=BlockShortcut
CDACMD=CDACommand
FAILEDDISPOSAL=Failure
SYSTEMFAILURE=Failure
VIRUSPRESENT=Virus
LOADFAILURE=FailedLoad
Lowest priority

Highest priority

The entries in the [Disposal] section are listed in ascending order of priority, as determined by the <Response>. The first entry has the lowest priority, the last entry has the highest priority.

In the above example:

The final disposition for the message or Web data is determined by the highest priority <Response> generated as a result of validation.

For example:

Assume the following <Response> values are generated for a message:

In this example, VIRUSPRESENT1 is the highest priority <Response> generated (using the [Disposal] section shown on page 7-23). The final disposition for the message will therefore be Virus.

As a virus has been detected, the next stage of processing should be to quarantine the message in one of the quarantine areas. See page 7-25 for an example.
 
For example:

Assume the following <Response> values are generated for a downloaded file:

In this example, VIRUSPRESENT1 is the highest priority <Response> generated (using the [Disposal] section shown on page 7-22). The final disposition for the data will therefore be Virus.

As a virus has been detected, the next stage of processing should be to discard the Web page and inform the requesting browser accordingly. See page 7-25 for an example.

Each disposition listed in the [Disposal] section must have its own configuration section in the same file. The name of this section must be the same as the name of the disposition.

For example:

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList

In this example, the message is quarantined in the VirusQuarantine quarantine area and an Inform message is sent to the names listed in the VirusList configuration section.

For example:

[Virus]
InformText=Page blocked - virus detected.

In this example, the page is discarded and replaced with a message indicating that the download was not successful. The message text sent is the string specified by the value of the InformText directive.

You may occasionally need to add a new disposal entry. For example, when a new validator instance is configured, or, in the case of MAILsweeper, when an AMUcheck rule uses a new <Response>, or you wish to add the NoFrom <Response>.

The new disposal should be entered into the appropriate place in the [Disposal] section, depending on its considered priority. The disposal can re-use an existing disposition, or a new disposition can be created.

If a new disposition is created, remember to create a corresponding disposition configuration section in the same file.

There are several <Response> values that are mandatory and must always appear in the [Disposal]section. These are shown below:

Response Meaning
DefaultDisposal Used if a <Response> is generated which is not listed in the [Disposal]section.
Release This is the default <Response> used for messages that are released from the one of the quarantine areas.
NoRule This <Response> must be present if AMUcheck is enabled. It controls the message disposition if no AMUcheck rule can be matched during validation.
FailedDisposal If a message disposal fails then this <Response> is used in another disposal pass to try and recover the situation.
SystemFailure If the system fails during the processing of a data item this <Response> is used to control the disposal of the data item.
LoadFailure If the message fails to load from the host mail system then this<Response> is used to control the manual recovery process.
 
AMUcheck generates the NoFrom <Response> for any message that has no source address. By default the NoFrom <Response> is mapped to the Clean disposition in the [Disposal] section. This can be altered if required.

The directives listed in a disposition configuration section control the actions performed to dispose of the message or Web data.

MAILsweeper disposal actions

MAILsweeper disposal actions are controlled by the following directives:

The disposal actions are performed in the order that these directives appear in the configuration section.

An exception is the Edit directive which specifies an editing action performed during message delivery. See page 7-34 for details.

For example:

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList

In this example, the disposal actions specified by the Quarantine directive are performed first, followed by the disposal actions specified by the Inform directive.

If the message is simply to be deleted, with no other action, then the configuration section needs no directives.

For example:

[JustDelete]

This deletes the message with no further processing.

Deliver

The Deliver directive is used to deliver a message onwards to its intended recipients. This directive has no value.

For example:

[Clean]
Deliver=

Quarantine

The Quarantine directive is used to quarantine a message in one of the quarantine areas.

For example:

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList

The value of the Quarantine directive is the name of the configuration section that controls the quarantine actions. This section requires two directives, these are Comment and Area.

For example:

[VirusQuarantine]
Comment=Virus in message from %SENDER%
Area=Blocked Messages

The Comment directive specifies the comment that is attached to the message when it is placed in the quarantine area. The comment string can contain any of the following tokens:

The Area directive specifies the quarantine area that the message is to be placed in. It is usual to have different areas configured for different quarantine reasons. Currently, up to ten quarantine areas can be configured.

There must be a configuration section for the quarantine area in the same file as the disposition configuration section, that is, MIMESWP.CFG. The name of the section must be the same as the name of the quarantine area. This section uses several directives, as explained below.

For example:

[Blocked Messages]
Location=C:\MSW\Qtine\Blocked
File=C:\MSW\Qtine\Blocked\Quarntne.lst

The Location directive specifies the path to the quarantine area.

The File directive specifies the path to the file that holds details of the messages stored in the quarantine area.

Another example is:

[Parked Messages]
Location=C:\MSW\Qtine\Parked
File=C:\MSW\Qtine\Parked\QUARNTNE.LST
ReleaseTime=21:00-22:00
ReleaseCount=6
ReleaseDisposal=AddMessage
This example is used for message `parking'. See page 5-33 for more details on how to utilise message parking.

The ReleaseTime directive enables timed release of `parked' messages stored in the quarantine area. The value of this directive is the time range between which the messages are released. In the above example, messages are released between 21:00 and 22:00 hrs.

There can be more than one ReleaseTime directive listed in the configuration section.

The ReleaseTime directive should be used with great care. It is advised that it is only used in the configuration sections for quarantine areas that store `parked' messages.

The ReleaseCount directive is only used in conjunction with the ReleaseTime directive, to specify the number of messages released during each MAILsweeper pass. If the ReleaseCount directive is not present the default value used is 1. The frequency of passes is controlled by the IdleTime directive, see page 7-11 for details.

The ReleaseDisposal directive specifies the <Response> that is assigned to a message when it is released from the quarantine area. It is used to control the disposal actions that are performed when the quarantined message is released.

The ReleaseDisposal directive is normally only used to control the release of parked messages, but it can be specified in any of the quarantine areas if desired. If it is not present then the Release <Response> is used.

For example, a message may be `parked' in one of the quarantine areas for later release, due to its large size. You can inform the message recipients of the reason for delay when the message is released. This is achieved by specifying an appropriate <Response> in the configuration section, for example, AddMessage. The disposition for this <Response> could then utilise the automated editing facility. See page 7-41 for an example.

The <Response> specified by the ReleaseDisposal directive must always have a corresponding entry in the [Disposal] configuration section.

Inform

The Inform directive is used to send a message to certain users, to inform them about actions taken during disposal.

For example:

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList
There can be more than one Inform directive listed, for sending different inform messages to different users. See page 7-38 for a configuration example.

The value of the Inform directive is the name of the configuration section that controls the inform actions. This section can contain several directives, as shown below. It may also contain a PerformIf or SkipIf directive, see page 7-33 for details.

For example:

[VirusList]
FromAdr=%SERVER%
ToAdr=%ADMIN%
Subject=A message from %SENDER% contains a virus.
Body=C:\MSW\CONFIG\VIRUS.TXT
WithLog=TRUE
WithCopy=FALSE

The FromAdr directive specifies the sender of the inform message. The value of the FromAdr directive is an address in MAILsweeper generic address format, or one of the following tokens:

The ToAdr, CCAdr and BCCAdr directives specify the recipient(s) of the message, that is, to whom the inform message is being sent. These determine the To, CC and BCC addresses respectively. The value of these directives is an address in MAILsweeper generic address format, or one of the following tokens:

The Subject directive specifies the string that is used as the subject of the inform message. It may contain the following tokens:

The Body directive specifies the path to a file whose contents are used as the contents of the inform message. The contents of the file may contain the following tokens:

If the Body directive is not present then a standard generated message is used instead.

If the %RCPTS% token is used in the file contents it must always appear on a line of its own. This ensures that each recipient address appears on a line of its own when the generated inform message is sent.

The WithLog directive specifies whether a copy of the message log is added as an attachment to the inform message. The value of this directive is either TRUE or FALSE. Default value is FALSE.

The WithCopy directive specifies whether a copy of the original message is added as a series of attachments to the inform message. The value of this directive is either TRUE or FALSE. Default value is FALSE.

Take great care when using the WithCopy directive. It is not advisable to use WithCopy=TRUE to inform users about messages that seriously fail validation. For example, messages that contain a virus or fail lexical analysis. It is possible that, due to mail system routing, the inform message will get processed by MAILsweeper which would itself fail validation and generate another inform message through this same inform action. This action could carousel indefinitely.

If required, a SkipIf or PerformIf directive can be included in the configuration section that controls the inform actions.

These directives can be used to conditionally send inform messages, depending on the values of previously set attributes. For example, an attribute could be set using AMUcheck to give the message a sense of direction. This information could then be used to send:

In this way, you can keep all inform messages inside your company.

For example:

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList

[VirusList]
PerformIf=direction==in2
FromAdr=%SERVER%
ToAdr=%RCPTS%
ToAdr=%ADMIN%
Subject=A message from %SENDER% contains a virus.
Body=C:\MSW\CONFIG\VIRUS.TXT
WithLog=TRUE
WithCopy=FALSE

This example will send an inform message to the message recipients and to the administrator, if an incoming mail message was found to contain a virus.

The section cannot be configured with a PerformIf and a SkipIf directive at the same time.

For more details on the SkipIf and PerformIf directives, see page 7-105 and page 7-107 respectively.

Edit

The Edit directive is used to alter the message body as it is delivered to its intended recipients. This automated editing facility can typically be used to:

For example:

[Clean]
Edit=AMEOut
Deliver=
There can be more than one Edit directive listed in the configuration section, for controlling different editing actions.

The value of the Edit directive is the name of a configuration section that controls the edit actions.

For example:

[AMEOut]
PerformIf=direction==out
PrependToBody=C:\MSW\CONFIG\header.txt
AppendToBody=C:\MSW\CONFIG\disclaim.txt

The PerformIf directive controls the circumstances under which the edit actions are performed. The value of the PeformIf directive is an attribute expression.3 If the attribute expression evaluates to TRUE then the edit actions are performed.

In this example, if the value of the direction attribute is out then the edit actions are performed.

There may be more than one PerformIf directive listed in the configuration section:

If there are no PerformIf directives listed then the edit actions are always performed.

The edit actions are controlled by the following two directives:

The value of each directive is the path to a file. This file contains the text that is appended or prepended to the message body.

For example:

PrependToBody=C:\MSW\CONFIG\header.txt
AppendToBody=C:\MSW\CONFIG\disclaim.txt

In this example, the text contained in header.txt is prepended to the message body. The text contained in disclaim.txt is appended to the message body.

Lotus Notes and Exchange systems only. The PrependToBody directive is not available during automated message editing. The directive can still be used but the text will always be appended to the message body.

Lotus Notes systems only. Automated message editing operations cannot be performed on `signed' messages.

SMTP systems only. The default SMTP configuration uses automated message editing to append a disclaimer to all outgoing mail, see page 2-38 for more details, or append a warning message if there are signs of spoofing, see page 5-15 for more details.

Save

The Save directive is used to save a copy of the message for manual intervention. How this message is saved is dependent on the host mail system. It is usually used with the LoadFailure disposal entry.

It is also used if the FailedDisposal disposal entry fails. This could happen, for example, when MAILsweeper has failed to perform the backup disposition correctly, usually due to environmental reasons such as lack of disk space. In this event MAILsweeper uses the Save disposal action as a last resort, to try and save the message for future processing, and then shuts itself down.

The Save directive has no value.

For example:

[FailedLoad]
Save=
Inform=FailedLoadList

Event

The Event directive is used to create an event entry in the Windows NT application event log. The value of the Event directive is the string that is written to the event log.

For example:

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList
Event=A virus has been detected.

Trap

The Trap directive is used to generate an SNMP trap message to the SNMP Manager. The value of the Trap directive is a string that is sent to the SNMP manager.

For example:

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList
Trap=A virus was detected in the message.

SNMP trap messages are provided as comments in most of the MAILsweeper disposition configuration sections. You can use these by ensuring that the Trap directive in each section is no longer commented out and changing the text, if desired.

For example, change:

[BlockSize]
Inform=SizeList
;Trap=A message was blocked

to:

[BlockSize]
Inform=SizeList
Trap=An incoming message was blocked
The IP address of the SNMP Manager and the SNMP community name are configured in the mail configuration file, MIMESWP.CFG. See page 7-19 for details.

MAILsweeper disposal examples

The default disposal routines created during installation are adequate for most customer configurations.You can extend these if required. This section aims to provide some typical disposal configuration examples that you can adapt to suit the particular requirements of your company.

Adding a new inform list

You may wish to add a new inform list to a disposition configuration section. For example, to inform a sender that a message has been blocked due to virus detection, but not to supply a copy of the message log.

This is achieved by making changes to the original configuration files, as shown below. Changes are shown in bold.

In MIMESWP.CFG

[Virus]
Quarantine=VirusQuarantine
Inform=VirusList
Inform=SenderList

[VirusList]
FromAdr=%SERVER%
ToAdr=%ADMIN%
Subject=A Virus was detected in the message.
Body=C:\MSW\CONFIG\VIRUS.TXT
WithLog=TRUE
WithCopy=FALSE

[SenderList]
ToAdr=%SENDER%
FromAdr=%ADMIN%
Subject=A Virus was detected in your message.
Body=C:\MSW\CONFIG\INFORM.TXT
WithLog=FALSE

A new Inform directive is added to the [Virus] configuration section. The value of the Inform directive is the name of a configuration section that controls the inform actions.

The INFORM.TXT file contains a suitable message. For example: Your message entitled %SUBJECT% has been quarantined.

Automated message editing

The following is an example of automated message editing (AME). It shows the changes required so that:

In AUTHFILE.TXT:

RESPONSE allow_in PRIORITY 1
RESPONSE allow_out PRIORITY 1

FROM *@* 
 TO *@sales allow_in    ;add text to incoming mail

FROM *@sales 
 TO *@* allow_out       ;add text to outgoing mail

Two new AMUcheck rules are defined. These rules determine the <Response> generated by AMUcheck for any sales related message, that is, allow_in or allow_out respectively.

Two new RESPONSE statements are also listed in the first section of the file, to define the allow_in and allow_out <Responses>.

In VALIDATE.CFG:

[AMU]
AuthFile=C:\MSW\CONFIG\AUTHFILE.TXT
If=allow_in,direction=in,allow
If=allow_out,direction=out,allow

The If directive checks the <Response> generated by AMUcheck.

If the <Response> is allow_in or allow_out then an attribute called direction is created, with the value in or out respectively. The <Response> is then reset to allow. This is the actual <Response> generated by AMUcheck. It allows the message to be delivered normally, assuming no higher priority <Response> is returned from one of the other validator instances.

In MIMESWP.CFG:

[Disposal]
DefaultDisposal=Clean
allow=Clean
...
LOADFAILURE=FAILEDLOAD

[Clean]
Edit=AMEIn
Edit=AMEOut
Deliver=

[AMEIn]
PerformIf=direction==in
PrependToBody=C:\MSW\CONFIG\inward.txt

[AMEOut]
PerformIf=direction==out
AppendToBody=C:\MSW\CONFIG\outward.txt

Assume that allow is the highest priority <Response> returned from validation. This gives the message a final disposition of Clean.

The [Clean] disposition configuration section lists two Edit directives. The value of each Edit directive is the name of an editing configuration section that is used to control the message editing actions.

In each editing configuration section, the value of the direction attribute is checked, using the PerformIf directive.

If the value of the direction attribute is in then the actions listed in the [AMEIn] configuration section are performed. This results in the contents of inward.txt being prepended to message body.

If the value of the direction attribute is out then the actions listed in the [AMEOut] configuration section are performed. This results in the contents of outward.txt being appended to message body.

For Lotus Notes and Exchange restrictions see page 7-35.

Releasing `parked' messages

When a message is `parked' in one of the quarantine areas, you can inform the message recipients of the reason for delay when the message is released.

This is achieved by specifying a <Response> in the quarantine area configuration section (using the ReleaseDisposal directive), then utilising automated message editing during disposal of the message.

For example:

In MIMESWP.CFG:

[Parked Messages]
Location=C:\MSW\Qtine\Parked
File=C:\MSW\Qtine\Parked\QUARNTNE.LST
ReleaseTime=21:00-22:00
ReleaseCount=6
ReleaseDisposal=AddMessage

The value of ReleaseDisposal directive specifies the <Response> that is assigned to each message as it is released from the quarantine area. In this example the <Response> is AddMessage.

[Disposal]
DEFAULTDISPOSAL=Clean
...
AddMessage=SizeMessage
...
LOADFAILURE=FAILEDLOAD

The AddMessage <Response> has an entry in the [Disposal] configuration section which determines the final disposition for the message. In this example the final disposition is SizeMessage.

[SizeMessage]
Edit=AddSizeMessage
Deliver=

The [SizeMessage] disposition configuration section lists an Edit directive which controls the automated message editing as each message is released.

The value of the Edit directive is the name of the configuration section that will control the editing actions. In this example the name of the configuration section is [AddSizeMessage].

[AddSizeMessage]
AppendToBody=C:\MSW\CONFIG\size.txt

The contents of the file size.txt are appended to each quarantined message as it is delivered onward to its intended recipients. This file will hold a suitable explanation for the reason for delay. For example: Delivery of this message has been delayed due to its large size.

WEBsweeper disposal actions

WEBsweeper disposal actions are controlled by the following directives:

If Web data is blocked it is always deleted, regardless of the blocking reason.

Deliver

The Deliver directive informs WEBsweeper to send the data to the Web browser, without alteration. This directive requires no value.

For example:

[Clean]
Deliver=

InformText

The InformText directive informs WEBsweeper to block the data and send a notification message to the Web browser instead.

For example:

[Virus]
InformText=Page blocked - virus detected.

The value of the InformText directive is a text string.This text string should not contain any commas. The string represents the message that is sent to the Web browser and is inserted into an HTML template, shown on page 7-44.

You would normally use the InformText directive for short, one line messages. Use InformFile for larger messages, or messages containing links to other resources.

InformFile

The InformFile directive informs WEBsweeper to block the data and send a notification message to the Web browser instead.

For example:

[ScriptMail]
InformFile=C:\MSW\CONFIG\ScriptMail.txt

The value of the InformFile directive is the location of a replacement file that contains the message text. The text is inserted into the HTML template, shown below.

The replacement file can be written in HTML. This makes it is easy to generate documents that contain links to other resources.

HTML template

The messages specified by the InformText and InformFile directives are inserted into the following template.

<HTML> 
<HEAD>
<TITLE> WEBsweeper Notice </TITLE>
</HEAD>
<BODY>
<H1> WEBsweeper Notice</H1>

Your message text is inserted here.

</BODY>
</HTML>


[Top] [Prev] [Next] [Bottom]



1 The VIRUSPRESENT <Response> is used to indicate that a virus has been detected in the data.

2 The direction attribute is usually set by AMUcheck, using the If directive. See page 7-102 for details.

3 This attribute expression is usually set by AMUcheck, using the If directive. See page 7-102 for details.

msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.