ESA content filter

marcomeneses
Level 1

Hi all,

I have a content filter that drops inbound email that contains image file attachments (.gif, .png, .mpeg, .bmp, mpeg).

This filter also blocks logos in email signatures.

When Microsoft Outlook users send emails, the email logo signature is sent as an attachment named image001, image002, image00n, and the attachment is blocked by the ESA.

How can I drop image files (.gif, .png, .mpeg, .bmp, mpeg) but allow specific filenames (image001.gif, image002.gif)?

Thanks,

Marco 

10 Replies

Mathew Huynh
Cisco Employee

Hello Marco,


As you're using content filters, you'll need to create an additional filter and put it 'on top' of the block one.

The top filter will be if attachment filename -> equals -> (image001\.gif|image002\.gif)

Action -> Skip Remaining Content Filters

And deploy this filter.

Ensure that this filter is on top of the drop image file filter in terms of the order.

It will be best to keep these two filters last within the content filter list.

I hope this helps.

Matthew

Hi Matthew

Your filter works with a single attachment (image001.gif) and does not work with multiple attachments.

For example, when an email message arrives that has multiple attachments, one that should be allowed (image001.gif) and another that should be dropped or quarantined (abcd.gif), the filter identifies the entire message as allowed. Both attachments (image001.gif and abcd.gif) are delivered to the recipient.

Thanks

Marco

Hello Marco,

The ESA does not have an attachment count mechanism available so it will be able to determine if the email contains more attachments than just the signature.

I am trying to see if there is an alternative method, and I will share it.


Regards,

Matthew

Hello Marco,

I was unable to get a filter to function the way you're looking for with the availabilities of the ESA's filter actions.


I would suggest opening a TAC case if you would like further alternatives, if any are available; however, I do not think there is an option available at this point.


Regards,

Matthew

Could you use a regex to specify the file name (Attachment File Info), like image0*.gif? That would allow for multiple files. Or you could create a Content Dictionary with all the allowed attachment file names.

Hey David,

I thought about that, but it still hits the same issue.

As long as the email contains an image called image001.jpg (or one that matches that syntax), everything else in the email, even if it may have other emails, will pass the filter as well.


I was attempting to use an if and else rule, but it still didn't work as per expectation.

The every-attachment-contains rule also did not work, as it looks into the body of the attachment for a string to match against.

Regards,

Matthew

How about some logic like:

if email has no image attachments - skip remaining filters

if email has an attachment file name not matching regex image0*.gif - drop

Hey David,

(Haven't had any luck with identifying one attachment over another at the moment)


I was tossing up some rules as well which may do this but say the email came with:

image0.gif and virus.zip

The first filter can work: as an attachment exists, no filter will be skipped.

However, the regex will allow this entire email to pass, as:

image0.gif -> exists.

Filter bypassed.

If it was just virus.zip, then it would be dropped as expected.

Testing:

test_filter_image:
if attachment-filename !="image001.jpg"
{
drop();
}
.

Test email, contains image001.jpg

Passes as expected.

Thu Dec 17 11:12:19 2015 Info: MID 660 ICID 2985 From: <matt@lee.com>
Thu Dec 17 11:12:19 2015 Info: MID 660 ICID 2985 RID 0 To: <matt@testlab.com>
Thu Dec 17 11:12:22 2015 Info: MID 660 Message-ID '<op.x9rimcfcx5s189@matttestlab>'
Thu Dec 17 11:12:22 2015 Info: MID 660 Subject 'Does not get dropped'
Thu Dec 17 11:12:22 2015 Info: MID 660 ready 265225 bytes from <matt@lee.com>
Thu Dec 17 11:12:22 2015 Info: MID 660 attachment 'image001.jpg'
Thu Dec 17 11:12:22 2015 Info: MID 660 matched all recipients for per-recipient policy Matt_test in the inbound table
Thu Dec 17 11:12:22 2015 Info: ICID 2985 close
Thu Dec 17 11:12:24 2015 Info: MID 660 interim verdict using engine: CASE spam negative
Thu Dec 17 11:12:24 2015 Info: MID 660 using engine: CASE spam negative
Thu Dec 17 11:12:24 2015 Info: MID 660 interim AV verdict using Sophos CLEAN
Thu Dec 17 11:12:24 2015 Info: MID 660 antivirus negative
Thu Dec 17 11:12:24 2015 Info: MID 660 AMP file reputation verdict : UNSCANNABLE
Thu Dec 17 11:12:24 2015 Info: MID 660 using engine: GRAYMAIL negative
Thu Dec 17 11:12:24 2015 Info: MID 660 Outbreak Filters: verdict negative

Sent with image001.jpg and virus.zip --> passes (not what we wanted). Marco would like to quarantine/drop virus.zip but pass the email with image001.jpg.

Thu Dec 17 11:15:05 2015 Info: Start MID 661 ICID 2986
Thu Dec 17 11:15:05 2015 Info: MID 661 ICID 2986 From: <matt@lee.com>
Thu Dec 17 11:15:05 2015 Info: MID 661 ICID 2986 RID 0 To: <matt@testlab.com>
Thu Dec 17 11:15:05 2015 Info: MID 661 Message-ID '<op.x9riqyb3x5s189@matt.testlab.com>'
Thu Dec 17 11:15:05 2015 Info: MID 661 Subject 'Passes as well'
Thu Dec 17 11:15:05 2015 Info: MID 661 ready 577132 bytes from <matt@lee.com>
Thu Dec 17 11:15:05 2015 Info: MID 661 attachment 'image001.jpg'
Thu Dec 17 11:15:05 2015 Info: MID 661 attachment 'virus.zip'
Thu Dec 17 11:15:05 2015 Info: MID 661 matched all recipients for per-recipient policy Matt_test in the inbound table
Thu Dec 17 11:15:07 2015 Info: MID 661 interim verdict using engine: CASE spam negative
Thu Dec 17 11:15:07 2015 Info: MID 661 using engine: CASE spam negative
Thu Dec 17 11:15:07 2015 Info: MID 661 interim AV verdict using Sophos CLEAN
Thu Dec 17 11:15:07 2015 Info: MID 661 antivirus negative
Thu Dec 17 11:15:07 2015 Info: MID 661 AMP file reputation verdict : UNSCANNABLE
Thu Dec 17 11:15:07 2015 Info: MID 661 using engine: GRAYMAIL negative
Thu Dec 17 11:15:07 2015 Info: MID 661 Outbreak Filters: verdict negative

Regards,

Matthew

Hey Matthew,

How about this:

if (attachment-filename == "image001.jpg") AND (attachment-filename != "image001.jpg") {...

That would identify messages with more than one attachment where one attachment is image001.jpg, assuming that the ESA evaluates filters for the message as a whole, not once per attachment. And this way you can also do it in Content Filters. To avoid later filters matching, make this one first, add an action to add a header, and make subsequent filters (looking for attachments to quarantine and image001.jpg to skip) look for the non-existence of the added header as well.

Hey Harry,

This wouldn't work either.

If I sent an email with image001.jpg AND virus.zip:

image001.jpg -> matches condition (attachment-filename == "image001.jpg"); then, when checked against (attachment-filename != "image001.jpg"), it matches as per normal.

But virus.zip will get checked too: it does NOT match the first condition but matches the second. This means the condition is invalid, as it is using an "AND" rule, so it won't work.

The entire filter becomes invalidated if there is more than one attachment.

Test filter was:

DropFilter:
if (attachment-filename == "image001.jpg") AND (attachment-filename != "image001.jpg")
{
drop();
}
.

---

co.com>'
Thu Dec 17 14:17:18 2015 Info: MID 676 Subject 'Sig + virus -- should be dropped'
Thu Dec 17 14:17:18 2015 Info: MID 676 ready 577150 bytes from <matt@lee.com>
Thu Dec 17 14:17:18 2015 Info: MID 676 attachment 'virus.zip'
Thu Dec 17 14:17:18 2015 Info: MID 676 attachment 'image001.jpg'
Thu Dec 17 14:17:18 2015 Info: MID 676 matched all recipients for per-recipient policy Matt_test in the inbound table
Thu Dec 17 14:17:18 2015 Info: ICID 3002 close
Thu Dec 17 14:17:19 2015 Info: MID 676 interim verdict using engine: CASE spam negative
Thu Dec 17 14:17:19 2015 Info: MID 676 using engine: CASE spam negative
Thu Dec 17 14:17:19 2015 Info: MID 676 interim AV verdict using Sophos CLEAN
Thu Dec 17 14:17:19 2015 Info: MID 676 antivirus negative
Thu Dec 17 14:17:19 2015 Info: MID 676 AMP file reputation verdict : UNSCANNABLE
Thu Dec 17 14:17:19 2015 Info: MID 676 using engine: GRAYMAIL negative
Thu Dec 17 14:17:19 2015 Info: MID 676 Outbreak Filters: verdict negative

---

It didn't get dropped when there was any other attachment.

Regards,

Matthew
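To make the evaluation behaviour in the thread visible, here is an added Python model (not ESA code, and not from any of the posters) that reproduces the verdicts seen in the logs above. It assumes, fitted to those logs rather than to Cisco documentation, that a filename condition is evaluated once per message, with "==" true when any attachment matches and "!=" its plain negation; the signature and image patterns and the attachment lists are constructed for the example.

```python
import re
# Constructed attachment lists mirroring the test mails in the thread.
MESSAGES = {
    "sig_only": ["image001.jpg"],
    "sig_plus_zip": ["image001.jpg", "virus.zip"],
    "sig_plus_image": ["image001.gif", "abcd.gif"],
    "zip_only": ["virus.zip"],
}
SIG = re.compile(r"^image0\d+\.(gif|jpg|png)$", re.I)   # assumed signature pattern
IMAGE = re.compile(r"\.(gif|png|mpeg|bmp|jpg)$", re.I)  # Marco's blocked types

# Assumed semantics, fitted to the logs: a filename condition is evaluated once per
# message; '==' is true if ANY attachment matches, '!=' is simply its negation.
def name_eq(names, pattern):
    return any(pattern.search(n) for n in names)

def name_ne(names, pattern):
    return not name_eq(names, pattern)

def run_filters(names, filters):
    """Walk an ordered filter list; the first matching action decides the message."""
    for cond, action in filters:
        if cond(names):
            return "deliver" if action == "skip" else "drop"
    return "deliver"

# test_filter_image from the thread: attachment-filename != "image001.jpg" -> drop()
ne_drop = [(lambda n: name_ne(n, SIG), "drop")]

# Harry's DropFilter: (filename == sig) AND (filename != sig) -> drop()
harry_drop = [(lambda n: name_eq(n, SIG) and name_ne(n, SIG), "drop")]

# Matthew's ordering: skip remaining filters when a signature image is present,
# then Marco's original filter that drops messages carrying image attachments.
allow_then_drop = [
    (lambda n: name_eq(n, SIG), "skip"),
    (lambda n: name_eq(n, IMAGE), "drop"),
]

def verdicts(filters):
    return {label: run_filters(atts, filters) for label, atts in MESSAGES.items()}

def desired(names):
    """What Marco actually wants: deliver only if EVERY attachment is a signature image."""
    return "deliver" if all(SIG.match(n) for n in names) else "drop"

if __name__ == "__main__":
    for label, f in (("!= drop", ne_drop), ("Harry", harry_drop), ("allow-then-drop", allow_then_drop)):
        print(label, verdicts(f))
    print("desired", {k: desired(v) for k, v in MESSAGES.items()})
```

Under these per-message semantics none of the three filter sets can express the "every attachment" check in desired(), which is why the mixed sig-plus-payload mails are delivered in every run of the thread's tests.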
