Jeff_Roback
New Member
March 9, 2021
Question

Content Dictionary with Regular Expressions not working for Header Only?


Has anyone else had issues with a content dictionary using regular expressions detecting phrases from the body of the message instead of just the header? I have a regular expression written to look for forged From: headers in the messages, and it seems to be working correctly, but it's also flagging on all messages that generate bouncebacks from remote servers. So my theory is that the regex is being run against the body of the message as well. Or perhaps the FortiMail is considering the body of a bounceback message to also be the header.

I have a case open with support but was curious if anyone else has run into this.

    1 reply

    Jjchen_FTNT
    Staff
    March 10, 2021

    Hello, did you choose "Search header" only for the regex entry? You can post the ticket number so that I can help take a look.

    Jeff_Roback
    New Member
    March 10, 2021

    Hi there, yes, I have Header true, Body false for the dictionary entry. For the Content profile, I don't have scan enabled for PDF/MSOffice or Archive.

    My ticket number is #4753208. I have our full config uploaded there as well as sample emails that are triggering the dictionary match unexpectedly.

    Thanks for having a look!


    Jjchen_FTNT
    Staff
    March 11, 2021

    Hi Jeff,

    I checked your email sample; it's the email attachment in the bounce email that triggers the regex header search. The attachment is an email, so its header is checked.
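
The behaviour described in the last reply, reproduced as an added example that is not part of the original thread and not FortiMail's implementation: a header-only regex that also inspects the headers of an attached message matches a bounce even though the bounce's own From: is clean. The regex, domains and sample message are constructed assumptions.

```python
import email
import re

# Constructed sample: a bounce carrying the original message as a
# message/rfc822 attachment. Domains and addresses are placeholders.
BOUNCE = """\
From: MAILER-DAEMON@mx.remote.example
To: alice@corp.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to bob@remote.example failed.

--b1
Content-Type: message/rfc822

From: "Alice" <alice@corp.example>
To: bob@remote.example
Subject: Quarterly numbers

Hello Bob

--b1--
"""

# Hypothetical forged-From rule: a From: header naming the local domain.
FORGED_FROM = re.compile(r"^From:.*@corp\.example", re.I | re.M)

def matching_depths(raw, rule=FORGED_FROM):
    """Return nesting depths whose headers match (0 = the delivered message)."""
    hits = []

    def visit(msg, depth):
        headers = "".join(f"{k}: {v}\n" for k, v in msg.items())
        if rule.search(headers):
            hits.append(depth)
        if msg.is_multipart():
            # The payload of a message/rfc822 part is an attached message.
            step = 1 if msg.get_content_type() == "message/rfc822" else 0
            for part in msg.get_payload():
                visit(part, depth + step)

    visit(email.message_from_string(raw), 0)
    return hits

print(matching_depths(BOUNCE))  # [1]
```

A match at depth 0 comes from the delivered message's own headers; a match only at depth 1 or deeper comes from an attached message, which is the case for the bounces in this thread.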