ESA Forward Quarantine

Hello Cisco Community,

We are still testing the ESA. We will need the possibility to forward blocked mail to the end user. The problem is that the copy sent from the quarantine does not provide the original attachment but instead "A MIME attachment of type <application/octet-stream> was removed here by a drop-attachments-by-name filter rule on the host ".

Is there a way to bypass the IronPort analysis in order to forward the original mail with the original attachment?

Thanks for supporting,

Mehdi

Accepted Solutions

Mathew Huynh
Cisco Employee

Hello Mehdi,

In the ESA's workflow, when you send an email to quarantine, it will still pass through any remaining services before going into the quarantine.

For example, the workqueue is:

Message filter -> Antispam, Antivirus, AMP, Graymail, Content Filters, Outbreak filters (assuming you're on 9.7, you'll see AMP and Graymail).

If your email gets flagged by anti-spam as suspected spam where you set it to quarantine, it will not get quarantined immediately. Instead it will go through anti-virus, where it may or may not get dropped / altered, then AMP, graymail, content filters and outbreak filters.

From what I can tell, your email is flagged for quarantine but there is a content filter which is dropping the attachment as per your configuration.

"A MIME attachment of type <application/octet-stream> was removed here by a drop-attachments-by-name filter rule on the host ". This normally occurs due to a drop attachment content filter rule matching it.

If you want emails destined to the quarantine from Antispam or Antivirus to not get altered by content filters, on your spam and virus setting, when you set to 'quarantine', add a special header in the 'advanced' tab, then create a new content filter and order it on top.

Look for this special header added, and skip all remaining content filters.

Regards,

Matthew
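
An added illustration, not part of the original reply and not Cisco code: a simplified Python model of the workqueue order described above, showing why a quarantined message still loses its attachment and how a marker header plus a top-ordered content filter preserves it. The header name `X-Quarantine-Pending`, the function names, and the message-filter step that strips a sender-supplied copy of the header are assumptions of this example.

```python
from dataclasses import dataclass, field

MARKER = "X-Quarantine-Pending"  # hypothetical header name for this example

@dataclass
class Message:
    headers: dict = field(default_factory=dict)
    attachments: list = field(default_factory=list)
    quarantined: bool = False

def message_filter(msg):
    # Assumption: first workqueue stage strips any sender-supplied marker,
    # so only the appliance's own anti-spam verdict can set it.
    msg.headers.pop(MARKER, None)

def antispam(msg, is_spam, tag):
    # A quarantine verdict only flags the message; later stages still run.
    if is_spam:
        msg.quarantined = True
        if tag:
            msg.headers[MARKER] = "true"

def cf_skip_if_marked(msg):
    # Content filter ordered on top: True means "skip remaining content filters".
    return MARKER in msg.headers

def cf_drop_attachments_by_name(msg):
    # Stand-in for the drop-attachments-by-name rule from the question.
    msg.attachments = [a for a in msg.attachments if not a.endswith(".exe")]
    return False

def workqueue(msg, is_spam, tag, content_filters):
    message_filter(msg)
    antispam(msg, is_spam, tag)
    # Antivirus, AMP and Graymail are omitted from this model.
    for content_filter in content_filters:  # evaluated top to bottom
        if content_filter(msg):
            break
    return msg

def sample(forged=False):
    # Constructed sample message; forged=True simulates a sender-set marker.
    headers = {MARKER: "true"} if forged else {}
    return Message(headers=headers, attachments=["invoice.exe"])

if __name__ == "__main__":
    filters = [cf_skip_if_marked, cf_drop_attachments_by_name]
    print(workqueue(sample(), True, False, filters[1:]).attachments)
    print(workqueue(sample(), True, True, filters).attachments)
    print(workqueue(sample(forged=True), False, True, filters).attachments)
```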

Thanks for the reply, Matthew.

The point is now solved.

Regards,

Mehdi