cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1624
Views
10
Helpful
2
Replies

Change unscannable attachment AV behavior for specific mail servers

Evan M
Level 1
Level 1

My default Mail Policies for Anti-Virus are set to quarantine attachments are unscannable, which is acceptable for 99% of the senders I receive mail from.  However, I have a few vendors who will randomly send me unscannable attachments (PDF) due to different employees using different products to generate the PDF where sometimes they can be scanned and other times they cannot.

I'd like to change the behavior of unscannable attachments for these senders.  I know I can do this with a new Mail Policy set to target the senders email addresses/domain and the associated AV actions set to deliver unscannable items.  However, this are susceptible to spoofing of the email address and could allow unscannable attachment to be delivered from an untrusted source.  So, I would like to add another layer of checking, the mail server IP.  The vendors in questions run their own dedicated mail servers and are not on a shared mail service.

So I was thinking I can still create a new Mail Policy to target the sender email addresses/domains, but set the unscannable action to add a custom header (ie. X-AV-UNSCANNABLE) .  Create an Incoming Content Filter that looks for the X-AV-UNSCANNABLE customer header AND checks that "Remote IP/Hostname" is NOT one of the IP's I want to allow unscannable attachments.  Set the action to drop attachments and quarantine.  Apply this Incoming Content Filter to the Mail Policy that targets these specific email addresses/domain.

This combination would thus drop/quarantine attachments if someone is spoofing a trusted vendor email address/domain and sends an unscannable attachment.  Since this content filters would only ever apply in the first place if the envelope sender is a trusted vendor, it should minimize processing load.

The one quirk in this idea that I've found so far is that "Remote IP/Hostname" cannot take a dictionary list and only accepts 1 entry.  This would require me to create 1 content filter per remote mail server IP/hostnamae and stack those content filters on the associated mail policy.  Right now this only impacts 2 vendors so only 2 content filters, but there is possibility for this to grow over time.

Does this sound like it will do what I want it to do?  Any concerns with additional load from this? (I use Cisco Hosted Email Security, not on-prem appliances).  Other concerns?  Better ways to do this?  Am I being too paranoid?

2 Replies 2

Libin Varghese
Cisco Employee
Cisco Employee

Hi Evan,

You did answer your inital query correctly.

Creating a new incoming mail policy based on email address/domain and then using content filters to check the sender remote IP/hostname should accomplish the task.

The remote-IP condition currently does not allow usage of dictionaries, however theoretically the below could be used as a workaround.

First Filter
Add action: Add/Edit Header
Header Name: X-Sender-IP (could be anything)
Specify Value for New Header: $RemoteIP (This is an action variable that gets the sender IP value)

Second Filter
Conditions:
Other Header: X-AV-UNSCANNABLE (Exists)
Other Header: X-Sender-IP (Dictionary Match)

Action:
Quarantine/Drop

Could you check if this works for your current requirement.

Thanks
Libin Varghese

Thanks for your help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: