Large emails bypass access policies

john-copeland
Level 1

I am setting up an Ironport C360.

I have configured content filters and mail policies to block certain file types.

When a small file of 2mb is sent in, the email and attachment are quarantined as expected.
When a larger attachment of 4mb is sent in, it is delivered though the file type should be quarantined.

Within the message tracking, I can see the following error:
Message 226 encountered message scanning error: maximum work per expression/data limit exceeded

Does this mean that there is a size limit to which content filters and policies can be applied?

If there is, can this be adjusted?
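The tracking error quoted above marks a message that was delivered without its content being evaluated, so it is worth alerting on. The following is an added example, not part of the original post and not IronPort code: Python that pulls the affected message IDs out of exported tracking or log text. Only the error string comes from the post; the other sample lines, the timestamp prefix and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the tracking text quoted in the post, anywhere in a line, e.g.
# "Message 226 encountered message scanning error: maximum work per ..."
SCAN_ERROR = re.compile(
    r"Message (?P<mid>\d+) encountered message scanning error:\s*(?P<reason>.+?)\s*$"
)

def find_unscanned(lines):
    """Return {reason: sorted message IDs} for every message whose scan
    aborted, meaning content filters never evaluated its attachments."""
    by_reason = defaultdict(set)
    for line in lines:
        m = SCAN_ERROR.search(line)
        if m:
            # Normalise case so the same reason is grouped once.
            by_reason[m["reason"].lower()].add(int(m["mid"]))
    return {reason: sorted(mids) for reason, mids in by_reason.items()}

def review_queue(lines):
    """Flat, de-duplicated list of message IDs to re-check by hand."""
    found = find_unscanned(lines)
    return sorted({mid for mids in found.values() for mid in mids})

# Constructed sample input. Only the error text of message 226 is taken from
# the post; every other line and the timestamp prefix are made up.
SAMPLE = [
    "Message 225 matched content filter and was quarantined",
    "Message 226 encountered message scanning error: "
    "maximum work per expression/data limit exceeded",
    "2008-01-01 10:00:02 Message 231 encountered message scanning error: "
    "Maximum work per expression/data limit exceeded  ",
    "Message 226 encountered message scanning error: "
    "maximum work per expression/data limit exceeded",
    "Message 240 encountered message scanning error: constructed other reason",
]

if __name__ == "__main__":
    for reason, mids in find_unscanned(SAMPLE).items():
        print(f"{len(mids)} message(s) not scanned ({reason}): {mids}")
```
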


kluu_ironport
Level 2

The policies won't have a size parameter/restriction, but the content filter scanning may. It would be set in your "scanconfig" command that is only configured from the command line. "scanconfig" has a size parameter option where if the entire message exceeds that size, then the content filters will not act upon that message.


How do I control body and attachment scanning in filters?

http://tinyurl.com/rexms

For more information about filters and the scanconfig command, see the AsyncOS Advanced User Guide on the IronPort Support Portal [http://www.ironport.com/support/login.html]



john-copeland
Level 1

Thanks for that.

My problem now is that I am trying to block YouTube videos in .flv format coming in.

We have a filter which quarantines attachments which are matched under the attachment-filetype == "Media" but the .flv extension is not included in this.

I can find no way to add any filetypes so I have added a content filter to quarantine any attachments where the filename ends in .flv using regexp:

attachment-filename == "(?i)\\.(flv|3gp|wmv)$"

The filter works when I set the scanconfig to option
1. Scan only attachments with MIME types or fingerprints in the list

but this means that any other file types are not scanned.

If I select option
2. Skip attachments with MIME types or fingerprints in the list

the filter does NOT work (but other media types which are listed under attachment-filetype == "Media" such as .avi are quarantined).

Any ideas?

Wargot_ironport
Level 1

We had a real headache with this when setting up our rule set. Our rules are set as follows:

Attachment File Info:
Filename = Contains = (?I)\.wmv

We then have a separate condition for each filetype we want to block, as I had difficulty getting my head round the format using the OR command.

We haven't done anything with the Scanconfig settings.

john-copeland
Level 1

After testing the use of dictionaries, it appears that there is a limit on the number of entries within a dictionary.

I have deleted our 'AdultContent' dictionary (which combined both the sexual_content_txt and profanity_txt dictionaries from Ironport) and tested the sexual_content_txt and profanity_txt dictionaries.

When only using the profanity_txt dictionary (134 entries), the .flv file is blocked correctly.
When only using the default sexual_content_txt dictionary (235 entries), the .flv file is wrongly allowed through.

I have amended the sexual_content_txt dictionary and reduced the number of entries from 235 to 197. Now when the amended sexual_content_txt dictionary is used the .flv file is blocked correctly.

If I add an arbitrary entry to the sexual_content_txt dictionary to increase the number of entries to 198, the .flv file is wrongly allowed through.

I have set the (QuarantineAdult) content filter to use both the profanity_txt (134 entries) and sexual_content_txt (197 entries) dictionaries in two separate conditions within same content filter and the .flv file is blocked correctly.

The NotifyChangeControl dictionary doesn't have any effect upon the .flv file (probably as it only has 19 entries in it).

So it looks as if the fix to the problem is to reduce the entries within any one single dictionary until the rules work as required.
