Solved: Block some attachments

flyok · ‎05-14-2018

Hi,

I want to reject emails with some attachments (EXE, COM, DLL, scripts, etc.) but just only quarantine emails with this files in compressed packages (ZIP, RAR etc.)

How can I do that. I've made an "incoming Content Filter", but there is only e few "executables" filetypes and I don't know how to make an exception for compressed packages.

Thanks.

flyok · ‎05-31-2018

I made a dictionary with recommended extensions (\.ade$, \.adp$, \.bas$, \.bat$, ... ) and used it in two content filters:

1. "attachment-filename-dictionary-match" and "attachment-filetype != "Compressed"". action: Notify sender and drop the messge

2. "attachment-filename-dictionary-match" and "attachment-filetype = "Compressed"", action: Quarantine and notify administrator.

View solution in original post

Libin Varghese · ‎05-16-2018

Since the ESA looks inside compressed files for executables as well, adding a condition for the above may not work as expected.

You can certainly try a filter with two conditions

attachment-filetype is Executables

and

attachment-filetype is Compressed

However, this may not work correctly if an email has multiple attachments (one compressed pdf and one dll)

flyok · ‎05-31-2018

I made a dictionary with recommended extensions (\.ade$, \.adp$, \.bas$, \.bat$, ... ) and used it in two content filters:

1. "attachment-filename-dictionary-match" and "attachment-filetype != "Compressed"". action: Notify sender and drop the messge

2. "attachment-filename-dictionary-match" and "attachment-filetype = "Compressed"", action: Quarantine and notify administrator.