The search scope specifies where to look for the keyword expression. Select Email Body to search in the email body exclusively or select Email Subject and Body to search in both the subject and body. Select Header to limit the search scope to a specific header field.
ORF decodes the HTML email parts into simple text. Set the Body Raw HTML Source checkbox if want you to search in the raw HTML code instead of the decoded text.
The Email Header (raw MIME) scope limits the search to the raw email header (see notes). Set this checkbox if you want to create a filter expression for matching encoded header content.
Add an optional comment to the filter expression. This comment is logged when the filter expression causes a hit, on email whitelisting or blacklisting. Helpful when you have to know which expression caused the hit.
Enter the keyword or regular expression here. Note that the edit box is fully Unicode-enabled, so you can enter non-ANSI characters (e.g., Cyrillic, Korean or Chinese) here.
Select the keyword filter expression type.
Set the Expression is case-sensitive checkbox if case-sensitive matching has to be used.
Select the match options for the keyword.
Test your expression using the Test text edit box. If the test box contents match with the mask, a green "Match" label appears on the right side of the test box.
ORF checks every MIME part in the email with MIME content type of text/plain and text/html. Other types of MIME parts are not checked. Attachments (either with "inline" or "attachment" content disposition) are also not checked, even if they have the content types above.
Email parts are decoded from the transfer encoding (e.g., quoted-printable or BASE64) to Unicode text. MIME-encoded header fields are decoded into Unicode. Contents of HTML emails are decoded into simple text by removing the HTML tags from the email. Line ends (CRLF) are replaced with whitespace (ASCII code 32) characters, so both the body filters and header filters work with a single line.
Email header fields are formatted as FieldName: Value, e.g., X-Spam-Status: YES. The best way to filter on a header field-value combination is to use a regular expression as
for example
The above expression will match only if
Without properly describing a header field, like in the example above, you may run into false matches and thus false positives.
The "raw MIME" header filter works with multi-line text, instead of text converted into a single line like header and body text filters do. Take this into consideration when filtering for multi-line header fields. For example, using .* in a regular expression to match "any characters, any number of repetitions" will match line breaks as well. To limit the scope of the expression to a single line, you should use [^\r\n]* instead, which matches "any character except for line breaks, any number of repetitions".
Some character sets are not supported and filtered. See the Limitations section for more information.