Messages can be filtered based on their content in Gateway > Policies > Content Examination.














The word/phrase match list has to be configured according to the specifications in the (?) info bubble, otherwise the policy will fail. If you need to use Regular Expressions, here's a good resource:


https://medium.com/factory-mind/regex-tutorial-a-simple-cheatsheet-by-examples-649dc1c3f285 


After filling out the word/phrase match list, it's a good idea to click the "Test Definition" button to check if your syntax is correct.





In this example, any email with the phrase "executivedirector" in the message header will be blocked, because that phrase has a weight of 1, and this policy will be triggered with a score of 1. 


I blocked this phrase because we've been getting a pattern of emails of the form executivedirector0000@gmail.com where executivedirector is appended with four numbers. 


Mimecast only supports wildcards at the beginning of an email address, not the middle or end, so rather than upload a spreadsheet manually blocking 10,000 variants of this address, I instead created this content examination policy. In theory, this should have the same effect.





Remember to scroll down and choose a Policy Action and click Save, otherwise your policy definition will do nothing.





Then Select your "content definition" to apply it to your "content examination policy".


It's sufficient to apply this from Everyone, to "Email Domain" dwu.edu.




Double-check that the policy is not overly restrictive.


Finally, click Save and Exit.