Sign in
 
HomeLibraryLearnDownloadsSupportForums
Forefront Server Security TechCenter > Forefront Server Security Forums > Antigen > Keyword Filtering Message Body and Wildcards
Ask a questionAsk a question
Search Forums:
 

AnswerKeyword Filtering Message Body and Wildcards

  • Friday, January 16, 2009 2:48 PMMacros_1 Users MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     
    Sign In to Vote
    0
    Sign In to Vote
    I've been trying to figure out a method of filtering out various messages that seem to make it through our SpamCure filter.  I've created keyword filters that seem to be successful most of the time, but messages that match the filter continue to make it through.  If I create a keywork filter for say @t, can I add wilcards (which work in the subject line filters) for matching a word like c@t, @tom, or c@ts?  I've tried adding a filter like *@t* but it doesn't seem to work the same way as the subject line and doesn't get any hits.

    So I guess the question is, are there wildcard characters for Message Body keyword filtering?

    Any help is appreciated.

    Thank you! 
     

Answers

  • Friday, January 16, 2009 5:41 PMJohn Castillo - MSFT Users MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     Answer
    Sign In to Vote
    0
    Sign In to Vote
     - There is NO (*) wildcard for the keyword filter rules
    - I've included a list of rules that the Keyword Filter allows from the User Manual

    http://technet.microsoft.com/en-us/library/bb914046.aspx

    About keyword list syntax rules

    The following are the syntax rules for a keyword list:

    • Each item (line of text) is considered a search query.
    • Queries use the OR operator. It is considered to be a positive detection if any entry is a match.
    • Queries may contain operators that separate text tokens. Such queries are called expressions. The following logical operators are supported. There must be a space between an operator and a keyword, represented in the examples by the • character:
      • _AND_ (Logical AND). For example, apple•_AND_•orange juice
      • _NOT_ (Negation). For example, apple•_AND__NOT_•juice.
      • _ANDNOT_ (Same as _AND__NOT_). For example, apple•_ANDNOT_•juice
      • _WITHIN[#]OF_ (Proximity). If the two terms are within a specified number of words of each other, there is a match. For example, free•_WITHIN[10]OF_•offer. (If "free" is within 10 words of "offer," this query will be true.)
      • _HAS[#]OF_ (Frequency). Specifies the minimum number of times that the text must appear for the query to be considered true. For example, _HAS[4]OF_•get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query will be true. This operator is implicitly assumed and has a default value of 1 when it is not specified.
      • Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest):
        1) _WITHIN[#]OF_
        2) _HAS[#]OF_
        3) _NOT_
        4) _AND_
        This precedence cannot be overridden with parentheses.
    • The logical operators must be entered in uppercase letters.
    • Phrases can also be used as keywords (for example, "apple juice" or "get rich quick").
    • Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) will be treated as one blank space for matching purposes. For example, A••••B will be treated as A•B and will match the phrase A•B.
    • In HTML encoded message texts, punctuation (any nonalphanumeric character) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter <html> will match <html>, but not html.



    John
    • Marked As Answer byMacros_1 Tuesday, January 20, 2009 8:56 PM
    •  
     

All Replies

  • Friday, January 16, 2009 5:41 PMJohn Castillo - MSFT Users MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     Answer
    Sign In to Vote
    0
    Sign In to Vote
     - There is NO (*) wildcard for the keyword filter rules
    - I've included a list of rules that the Keyword Filter allows from the User Manual

    http://technet.microsoft.com/en-us/library/bb914046.aspx

    About keyword list syntax rules

    The following are the syntax rules for a keyword list:

    • Each item (line of text) is considered a search query.
    • Queries use the OR operator. It is considered to be a positive detection if any entry is a match.
    • Queries may contain operators that separate text tokens. Such queries are called expressions. The following logical operators are supported. There must be a space between an operator and a keyword, represented in the examples by the • character:
      • _AND_ (Logical AND). For example, apple•_AND_•orange juice
      • _NOT_ (Negation). For example, apple•_AND__NOT_•juice.
      • _ANDNOT_ (Same as _AND__NOT_). For example, apple•_ANDNOT_•juice
      • _WITHIN[#]OF_ (Proximity). If the two terms are within a specified number of words of each other, there is a match. For example, free•_WITHIN[10]OF_•offer. (If "free" is within 10 words of "offer," this query will be true.)
      • _HAS[#]OF_ (Frequency). Specifies the minimum number of times that the text must appear for the query to be considered true. For example, _HAS[4]OF_•get rich quick. If the phrase "get rich quick" is found in the text four or more times, this query will be true. This operator is implicitly assumed and has a default value of 1 when it is not specified.
      • Multiple _AND_, _NOT_, _HAS[#]OF_, and _WITHIN[#]OF_ operators are allowed in a single query. The precedence of the operators is (from highest to lowest):
        1) _WITHIN[#]OF_
        2) _HAS[#]OF_
        3) _NOT_
        4) _AND_
        This precedence cannot be overridden with parentheses.
    • The logical operators must be entered in uppercase letters.
    • Phrases can also be used as keywords (for example, "apple juice" or "get rich quick").
    • Multiple blank spaces (blank characters, line feed characters, carriage return characters, horizontal tabs, and vertical tabs) will be treated as one blank space for matching purposes. For example, A••••B will be treated as A•B and will match the phrase A•B.
    • In HTML encoded message texts, punctuation (any nonalphanumeric character) is treated as a word separator similar to blank spaces. Therefore, words surrounded by HTML tags can be properly identified by the filter. However, note that the filter <html> will match <html>, but not html.



    John
    • Marked As Answer byMacros_1 Tuesday, January 20, 2009 8:56 PM
    •  
     
  • Tuesday, January 20, 2009 8:56 PMMacros_1 Users MedalsUsers MedalsUsers MedalsUsers MedalsUsers Medals
     
    Sign In to Vote
    0
    Sign In to Vote
    Thank you John for the response.  I saw those details within the help files but no reference to wildcards, so I was hoping that I had missed something.  While that wasn't the answer I was hoping for, I appreciate the information.