Block Attachment by file type
01-26-2023 12:24 PM - edited 01-26-2023 12:48 PM
Hello,
Please see below. I created a filter under content filtering to block any incoming email that has an HTML attachment. It's now for some reason blocking a lot of emails from many senders, although they are either allowed senders or just the body has an HTML link? Not sure what's happening, but here's an image of how I blocked the file type attachment and how it's blocking messages we don't want blocked. Can someone help please? I think these are HTML links in the body but not attachments. Not sure why it's blocking them.
It shouldn't block it like below just because it's text/html. The attachment wasn't HTML.
Labels: Email Security

01-31-2023 01:51 PM
I believe the issue is that some email systems send emails as HTML attachments if the email is in HTML format. You may see the attachment as message.html. You may need to look at a raw log of one that was captured.
Here is a log from one of my systems.
Mon Jan 30 23:29:59 2023 Info: MID 21830096 attachment 'file_302546.png'
Mon Jan 30 23:29:59 2023 Info: MID 21830096 attachment 'message.html'
Mon Jan 30 23:29:59 2023 Info: MID 21830096 attachment 'INVOICE.pdf'
02-01-2023 07:36 AM
And how do you recommend fixing it? I don't want false positives to be blocked. I just want emails that have an attachment.html
Thank you, I appreciate it.

02-03-2023 11:03 AM
So, how we do attachments is using regex, since there are a lot of attachments that the ESA doesn't have.
We do the file info, the filename ends with:
\.(7z|acea|ade|adp|bas|bat|cab|chm|cmd|com|cpl|crt|daa|exe|hlp|hta|img|inf|ins|iqy|iso|isp|jar|js|jse|lnk|lzh|mdb|mde|msc|msi|msp|mst|one|pcd|pif|ppsx|r[0-9][0-9]|rar|reg|rev|scr|sct|shb|shs|tbz|url|uue|vb|vbe|vbs|wsc|wsf|wsh|z)
We don't do HTML yet, we send those for scanning, but I want to do the same if my security will give us the go-ahead.
Now, to do the exception, you would need to break out into a different content filter, as instead of an any, it would need to match all.
So:
condition 1) match file extension type to remove.
condition 2) File name does not equal message.html or whatever you see that should be allowed.
With an all, you can set more conditions since all will need to match to strip.
Now, a bad actor could use the same filename, so if you have file analysis, you could set HTML to be uploaded for scanning also. But that depends on your licensing.
What we do is anything stripped we send to a box we monitor so we have the original email before stripping the attachments. This way if it is a false positive, we can look and verify before sending it along.
Hope that makes sense.
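
The difference between a type-based rule and the match-all file name rule discussed in this thread, as an added example that is not part of any post and is not the ESA's filter engine. It uses Python's `email` module on constructed messages; `BLOCKED_EXT`, `ALLOWED_NAMES` and the function names are assumptions for illustration.

```python
import re
from email.message import EmailMessage

# Assumed for illustration: a short extension list and the exempted name from the reply.
BLOCKED_EXT = re.compile(r"\.(html?|hta|js|vbs)$", re.IGNORECASE)
ALLOWED_NAMES = {"message.html"}


def build(attachment_name=None):
    """Constructed sample: HTML-formatted mail, optionally carrying a named HTML file."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("See https://example.com/invoice")
    msg.add_alternative(
        '<a href="https://example.com/invoice">Invoice</a>', subtype="html"
    )
    if attachment_name:
        msg.add_attachment("<html></html>", subtype="html", filename=attachment_name)
    return msg


def by_mime_type(msg):
    """Type-based rule: fires on any text/html part, including the message body."""
    return any(part.get_content_type() == "text/html" for part in msg.walk())


def by_filename(msg):
    """Match-all rule: blocked extension AND name not exempted, per MIME part."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()  # None for body parts with no file name
        if name and BLOCKED_EXT.search(name) and name.lower() not in ALLOWED_NAMES:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, msg in [
        ("HTML body only", build()),
        ("attachment.html", build("attachment.html")),
        ("message.html", build("message.html")),  # exempted name passes
    ]:
        print(f"{label}: type rule={by_mime_type(msg)}, name rule={by_filename(msg)}")
```

The third case is the gap the reply points out: a file that reuses the exempted name is not caught by the name rule, which is why the reply pairs it with file analysis and a monitored mailbox.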
