6.9 ORF Online Help
Select your ORF version:

Table of Contents

Keyword Filter Properties


Filter Properties Tab

Search scope

The search scope specifies where to look for the keyword expression. Select Email Body to search in the email body exclusively or select Email Subject and Body to search in both the subject and body. Select Header to limit the search scope to a specific header field.

ORF decodes the HTML email parts into simple text. Set the Body Raw HTML Source checkbox if want you to search in the raw HTML code instead of the decoded text.

The Email Header (raw MIME) scope limits the search to the raw email header (see notes). Set this checkbox if you want to create a filter expression for matching encoded header content.

Comment

Add an optional comment to the filter expression. This comment is logged when the filter expression causes a hit, on email whitelisting or blacklisting. Helpful when you have to know which expression caused the hit.

Filter Expression Tab

Keyword/regular expression edit box

Enter the keyword or regular expression here. Note that the edit box is fully Unicode-enabled, so you can enter non-ANSI characters (e.g., Cyrillic, Korean or Chinese) here.

Expression type

Select the keyword filter expression type.

Case sensitivity

Set the Expression is case-sensitive checkbox if case-sensitive matching has to be used.

Match words (simple keywords only)

Select the match options for the keyword.

Testing the expression

Test your expression using the Test text edit box. If the test box contents match with the mask, a green "Match" label appears on the right side of the test box.

Notes

Email parts

ORF checks every MIME part in the email with MIME content type of text/plain and text/html. Other types of MIME parts are not checked. Attachments (either with "inline" or "attachment" content disposition) are also not checked, even if they have the content types above.

Decoding email headers and body parts

Email parts are decoded from the transfer encoding (e.g., quoted-printable or BASE64) to Unicode text. MIME-encoded header fields are decoded into Unicode. Contents of HTML emails are decoded into simple text by removing the HTML tags from the email. Line ends (CRLF) are replaced with whitespace (ASCII code 32) characters, so both the body filters and header filters work with a single line.

"Raw MIME" Email Header Filter Notes

Email header fields are formatted as FieldName: Value, e.g., X-Spam-Status: YES. The best way to filter on a header field-value combination is to use a regular expression as

.*^FieldName:\x20*Value\x20*([\r\n]|$)

for example

.*^X-Spam-Status:\x20*YES\x20*([\r\n]|$)

The above expression will match only if

  • the X-Spam-Status field starts at the beginning of the email header or in a new line
  • there are zero or more space characters between the field name and the value
  • there are no trailing characters in the line after the expected value, other than zero or more space characters

Without properly describing a header field, like in the example above, you may run into false matches and thus false positives.

The "raw MIME" header filter works with multi-line text, instead of text converted into a single line like header and body text filters do. Take this into consideration when filtering for multi-line header fields. For example, using .* in a regular expression to match "any characters, any number of repetitions" will match line breaks as well. To limit the scope of the expression to a single line, you should use [^\r\n]* instead, which matches "any character except for line breaks, any number of repetitions".

Character set support

Some character sets are not supported and filtered. See the Limitations section for more information.

Copyright © Vamsoft Ltd. 2024. All rights reserved. Document ID adm-kwdfiltereditor, version 2.