Lists

Praetor has one in-line and three different internal system text string lists that are used by various conditions available for your selection with any rule, each with varying degrees of complexity and capabilities:

Simple in-line lists
Normal string lists
Complex checked lists with enable/disable box
Weighted words lists with numeric value used for scoring

In addition, each list has different types of searching that may be performed.

Praetor also provides the ability for administrators to create new string lists of the three non in-line type: normal, complex, and weighted. These are used by a special condition that permit you to choose what message header field or body to search and a particular list. Click here to learn how to create your own lists.

For a summary table of Praetor lists with information of what message field(s) are tested, click here.

Populating the lists can be performed using the list import facility either in the administration program or the MODLISTG2 command-line utility.

In-line list

This type of string list is normally associated with conditions bearing the phrase "with specific words". This type provides an easy way for you to quickly create a unique rule that tests for certain strings only associated with that particular condition. Examples include testing for subject matter with a particular string such as confidential code names or terminology in order to perform a very specific action like re-directing the message to a security compliance officer.

While the method of entry has some similarities for data entry to the other two list types, there are some basic differences which can be seen below.

In viewing the above screen, the string entered in the dialog box "ntm-dl.sparklist.com" appears in the rule description. This is a visible difference with the other two list types which don't show the contents as part of the rule description. Had there been more than one string, the list would have appeared on a line as:

with "string-1" or "string-2" or ...

Normal string list

Most lists that are predefined by CMS will appear as a normal list. Visually, the dialog box for this list data entry appears different from that used by an in-line list with the list name that appears as the window name. Furthermore, within the Rule Description area, what appears is merely the list name and not the contents of the list itself.

This list type can accommodate numerous entries, unlike the in-line list which become rather cumbersome when there are more than a handful of entries. By default, Praetor comes pre-installed with several such lists including the following.

Approved Message Level Senders
Banned Attachments
Banned Confidential Information
Banned Message Text
Banned Profanity
Banned Subject
Banned Virus Subject Text
Bulk Mail Program Signatures
Suspected Virus Message Text
Suspicious attachments

Complex checked string list

The complex list is the type with an enable/disable checkbox in the data entry dialog box. This type of list allows you to add an entry but temporarily exclude it from the search. This feature is useful for those items that might fluctuate. Like the normal list, this one has the data entry window name that is the same as the list name. Also like the normal list, the Rule Description area refers to the list by name and not by value.

This list type can also accommodate numerous entries, just like a normal list and unlike the in-line list. By default, Praetor comes pre-installed with several such lists including the following.

Approved Message Level Domains
Banned Senders
Banned Domains
Banned Recipients
Competitors' Domains
Former Employees

The available lists are shown on the text list screen.

Weighted words list

This is a new list type introduced in Praetor G2 to give (case-insensitive) words or phrases a weight value. These weights are used to compute an overall score for the message, and if that score exceeds a given threshold set for the list, then the rule condition is triggered. The score is computed by summing each weight multiplied by the number of times the word/phrase was found in the message body.

This type of list includes the following:

Drug solicitation
Sex-related
Nigerian 419 advanced fee fraud

Search Types

Each Praetor list can be searched using a different search type as explained below. Note that each entry is the string that is being searched within the search target field such as subject, message body, etc.

Selecting to match the case will make each search type even more specific.

Search Type	Usage
Substring	When matching the list entry within the target field, a partial match is sufficient to trigger the condition in the affirmative.
Full string	The between list entry and target must be complete, matching character for character.
Match whole word	Like the substring, a match is found if the list entry is part of the target field at the beginning or end or the field, even if there is a preceding or trailing punctuation character as follows: blank space ( ) comma ( , ) tab semi-colon ( ; ) colon ( : ) period ( . ) question mark ( ? ) exclamation point ( ! ) back slash ( \ ) single quote ( ' ) double quote ( " ) less than sign ( < ) greater than sign ( > ) forward slash ( / )
Wildcard	When enabled, this causes the appearance of certain characters in the search entry to be treated as wild. Specifically the characters that are considered "wild" or placeholders for any other character are: ? - represents any single alphabetic character, # - represents any single numeric digit, * - represents multiple characters, alphabetic or numeric. If this type is not enabled, then these special characters are just treated as individual characters that must be found in the target field to cause a match. If you want to perform a wildcard search for a string that includes these special characters, then you must data escape the special character by preceding it with a back-slash. Example: "Get yours \FREE\" means: "Get yours FREE" will match on: "Get yours FREE" will NOT match on: "Get yours FREE"

Examples (without requiring to match case)

The 'Y' indicates that the search found a match when the given search type was used to find the entry within the target field.

When search type is enabled

Entry	Target Field or Entry comments if italicized	Sub- string	Full String	Whole word	Wild-card
Thank you	Purely text string
	Just wanted to thank you!	Y		Y
	Thank you	Y	Y	Y	Y
	Thank you!	Y		Y
	Please thank your friend for me	Y
	Hi! THANK YOU very much	Y
	THANK YOU, it was most kind of you	Y		Y

Thank you	Text string with asterisk character preceding and trailing. This character only takes special meaning if wildcard type of search is being performed. For all other search type, the asterisks are just part of the string to be matched.
	Just wanted to thank you!				Y
	Thank you				Y
	Thank you!				Y
	Please thank your friend for me				Y
	Hi! THANK YOU very much	Y	Y	Y	Y
	THANK YOU, it was most kind of you				Y

Thank you*	Text string with trailing asterisk character, which is interpreted as being wild only for wildcard searching. For all other search types, the asterisk is simply another character.
	Just wanted to thank you!				See note
	Thank you				Y
	Thank you!				Y
	Please thank your friend for me				See note
	Hi! THANK YOU very much	Y			See note
	THANK YOU, it was most kind of you				Y

Note:

The use of wildcards may be a bit confusing, especially when the list entry is "Thank you*" and the target field is "Just wanted to thank you!", "Please thank your friend for me", or "Hi! *THANK YOU* very much". You might think that performing a wildcard search should find a match. The reason it does not is simple - the wildcard search would only find a match if "thank you" were to be found at the beginning of the line due to the lack of a preceding asterisk on the list entry.

So, if your intention is to let "thank you" appear anywhere in the target field, then your list entry needs to start and end with an asterisk when using a wildcard search type.

Warning:

CMS strongly recommends against changing the search type found on the lists dealing with banned attachments and suspicious attachments. The search type should be left as wildcard search on these two lists. Changing the search type to anything other than wildcard may cause Praetor to miss certain attachments, making your site vulnerable to virus infections that get past Praetor!

Summary table of Praetor lists

Note:

Note that lists that use the word "accepted" in its name indicate that it is used by the SMTP protocol level tests before the message is ever received completely. When the list name has the word "approved", it indicates one that is used by the message level rules.

SMTP protocol level

List name
(as used by MODLIST tool)

Message field tested

Comments

DNSBL Bypass

session IP

Used to specify IP addresses in spite of being blacklisted by the DNSBL server.

Received header IP

session IP

Used to list trusted IP addresses found in the Received message header lines to determine the first external IP address. This first external IP address will be used for DNSBL testing.

Message level

List name	Message field tested	Comments
_approved_senders	821 From From Sender	Requires complete email address.
_suspicious_senders	821 From From Sender	Requires complete email address. This list is used by the message level rule as the equivalent to what the SMTP protocol level test against the _banned_senders list. The rule will quarantine mail sent by the listed address entries.
_competitors_domains	821 To To Cc	Checks the domain portion of the destination address and is used for outbound mail.
_approved_domains	821 From From Sender	Checks the domain portion of the sender's address and used to accept the message if it matches an entry in this list.
_suspicious_domains		Checks the domain portion of the sender's address and used to quarantine the message if it matches an entry in this list.
_banned_subject	Subject	Checks for inappropriate subject matter. This list is pre-populated by CMS with phrases used in spam.
_banned_msgtext	Message body	Checks for inappropriate message body text. This list is pre-populated by CMS with phrases used in spam.
_banned_recipients	821 To To Cc	Requires complete email address.
_former_employees	821 From From Sender 821 To To Cc:	Requires complete email address.
_banned_attachments	Attachment name	Known virus-infected attachment names and name patterns. This list is pre-populated by CMS with known virus attachments.
_suspicious_attachments	Attachment name	Attachment names and name patterns that will be quarantined. This list is pre-populated by CMS with attachments extensions and file name patterns that are potentially harmful.
_banned_profanity	Subject Message body	Inapproriate language that will quarantine. This list is pre-populated by CMS.
_virus_banned_msgtext	Message body	Message body text associated with known virus-infected email. This list is pre-populated by CMS with known virus signatures.
_virus_banned_subject	Subject	Subject text associated with known virus-infected email. This list is pre-populated by CMS with known virus signatures.
_bulk_mail_program_signatures	X-Mailer	Identifiable mailer signatures. This list is pre-populated by CMS.
_banned_confidential_info	Subject Message body	Company confidential words or phrases found will cause message to be quarantined.
_approved_listserver_addresses	821 From: From Reply-To	Known listserver email addresses to let pass filtering.
_approved_local_address	821 To	Used as a countermeasure against the reverse NDR attack, this list contains all valid local recipient addresses.
_suspicious_friendlynm_senders	821 From From Sender	Friendly name found in double-quotes on the address line.