21-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Configuring Inspection Maps for Zone-based Firewall Policies
• Body Regular Expression—Applies a regular expression to match the content types and content
encoding types for text and HTML in the body of an e-mail message. Only text or HTML that uses
7-bit or 8-bit encoding is checked. The regular expression cannot be applied to messages that use
another encoding type (such as base64 or zip files).
• Command Line Length—Specifies that the length of the ESMTP command line not be greater than
the specified number. Use this to thwart Denial of Service (DoS) attacks.
• Command Verb—Limits inspection to the selected SMTP or ESMTP command. If you configure
inspection for SMTP, all commands are inspected unless you limit them.
• Header Length—Specifies that the length of the SMTP header is greater than the specified number.
Use this to thwart DoS attacks by limiting the possible size of the header.
• Header Regular Expression—Applies a regular expression to match the content of the header of an
e-mail message. For example, you can use this to test for particular patterns in the subject, from, or
to fields.
• Mime Content-Type Regular Expression—Applies a regular expression to match the Multipurpose
Internet Mail Extensions (MIME) content type of an e-mail attachment. Use this to prevent the
transmission of undesired types of attachments.
• Mime Encoding—Specifies the MIME encoding type for e-mail attachments that you want to
inspect. You can use this to identify unknown or non-standard encodings to restrict their
transmission.
• Recipient Address—Applies a regular expression to match the recipient of an e-mail message in the
SMTP RCPT command. Use this to search for a non-existent recipient, which might help you
identify the source of spam.
• Recipient Count—Specifies that the number of recipients for an e-mail message cannot be greater
than the specified number. Use this to prevent spammers from sending e-mails to a large number of
users.
• Recipient Invalid Count—Specifies that the number of invalid recipients for an e-mail message
cannot be greater than the specified number. Use this to prevent spammers from sending e-mails to a
large number of common names, where they are fishing for real addresses. SMTP typically replies with
a “no such address” message when an address is invalid; by putting a limit on the number of invalid
addresses, you can prevent these replies to spammers.
• Reply EHLO—Specifies the service extension parameter in an EHLO server reply. Use this to
prevent a client from using a particular service extension.
• Sender Address—Applies a regular expression to match the sender of an e-mail message. Use this
to block specific senders, such as known spammers, from sending e-mail messages through the
device.
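To illustrate what several of these criteria evaluate, the following added example (not Cisco code and not part of the original guide) models Command Line Length, Recipient Count, Recipient Invalid Count and Sender Address against a constructed SMTP session. The function name, the thresholds and the treatment of any 5xx reply to RCPT as an invalid recipient are assumptions made for the illustration.

```python
import re

# Constructed SMTP session: ("C", line) is the client, ("S", line) the server.
SAMPLE_SESSION = [
    ("C", "EHLO mail.example.net"),
    ("S", "250 mx.example.com"),
    ("C", "MAIL FROM:<bulk@spam.example>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<alice@example.com>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<admin1@example.com>"),
    ("S", "550 No such user"),
    ("C", "RCPT TO:<info1@example.com>"),
    ("S", "550 No such user"),
    ("C", "RCPT TO:<sales1@example.com>"),
    ("S", "550 No such user"),
]

def evaluate(session, max_cmd_len, max_rcpt, max_invalid_rcpt, sender_regex):
    """Return the sorted names of the criteria that the session matches."""
    hits = set()
    rcpt = invalid = 0
    last_cmd = ""
    sender_re = re.compile(sender_regex, re.IGNORECASE)
    for direction, line in session:
        if direction == "C":
            if len(line) > max_cmd_len:           # Command Line Length
                hits.add("command-line-length")
            last_cmd = line.split(":", 1)[0].upper()
            addr = re.search(r"<([^>]*)>", line)
            if last_cmd == "MAIL FROM" and addr and sender_re.search(addr.group(1)):
                hits.add("sender-address")        # Sender Address
            elif last_cmd == "RCPT TO":
                rcpt += 1
                if rcpt > max_rcpt:               # Recipient Count
                    hits.add("recipient-count")
        elif last_cmd == "RCPT TO" and line.startswith("5"):
            invalid += 1                          # assumption: 5xx = invalid recipient
            if invalid > max_invalid_rcpt:        # Recipient Invalid Count
                hits.add("recipient-invalid-count")
    return sorted(hits)

if __name__ == "__main__":
    print(evaluate(SAMPLE_SESSION, 64, 10, 2, r"@spam\.example$"))
```

In the sample, only one of four recipients is valid, so an invalid-recipient limit of 2 is exceeded even though the total recipient count stays well under its own limit.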
Navigation Path
From the Add or Edit Class Maps dialog boxes for SMTP classes, right-click inside the table and select
Add Row or right-click a row and select Edit Row. See Configuring Class Maps for Zone-Based
Firewall Policies, page 21-17.
Related Topics
• Understanding Map Objects, page 6-72
• Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15
• Understanding the Zone-based Firewall Rules, page 21-3