05-21-2025 10:38 PM
Hey all,
I'm encountering an issue with the content filter I configured in ESA. I've set it to only allow specific file types, but sometimes plain text emails without attachments are being incorrectly identified as "unidentified files" and sent to quarantine.
I've attached an example of the rule I configured and the mails that I downloaded from the quarantine, one in HTML format and one in plain text format, for your reference.
Thanks,
05-22-2025 07:05 AM
05-24-2025 10:02 PM
Thank you for your response.
What I'm trying to achieve is to create a whitelist for allowed file types. Any files not on this list should be sent to quarantine.
The image I uploaded was from a lab environment. My question aims to understand what syntax to use to prevent emails generated in plain text format, which the system identifies as an attachment "without a type," from being blocked.
05-27-2025 07:27 AM - edited 05-27-2025 07:30 AM
You'll need to make it a match-all rule then, but then it would say something like: attachment is not (allowed types), Attachment does not contain \.
It does regex and the \ is an escape character, so if the attachment doesn't contain a period it's let through. I would also, from experience, allow message.htm and message.html through, as some email systems send HTML messages as attachments.
Keep in mind that if you quarantine and the email has 1 of the not-allowed types, it'll quarantine it all. So you could look at sending a copy to a quarantine and stripping the unwanted attachments instead.
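An added example, not part of the reply above and not ESA filter syntax: a Python model of the effect the reply describes, next to the original single-condition rule, run over constructed messages. The allowlist contents and all function names are assumptions, and file type is approximated by the filename extension.

```python
import re
from email.message import EmailMessage

ALLOWED_EXT = {"pdf", "docx", "png"}               # assumed allowlist, not from the thread
HTML_BODY_NAMES = {"message.htm", "message.html"}  # exempted, as the reply suggests
HAS_PERIOD = re.compile(r"\.")                     # "\." matches a literal period

def leaf_names(msg):
    """Filename of every non-container MIME part ('' when the part has none)."""
    return [p.get_filename() or "" for p in msg.walk() if not p.is_multipart()]

def ext(name):
    """Lower-cased extension, or '' when the name has no period."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def original_rule(msg):
    """Single condition: any part whose type is not on the allowlist."""
    bad = any(ext(n) not in ALLOWED_EXT for n in leaf_names(msg))
    return "quarantine" if bad else "deliver"

def match_all_rule(msg):
    """A part triggers only if its name has a period AND its type is not allowed."""
    for n in leaf_names(msg):
        if not HAS_PERIOD.search(n):       # nameless plain-text body: let through
            continue
        if n.lower() in HTML_BODY_NAMES:   # HTML body delivered as an attachment
            continue
        if ext(n) not in ALLOWED_EXT:
            return "quarantine"            # one bad part quarantines the whole mail
    return "deliver"

def build(body, attachments=()):
    """Constructed sample message with optional (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg

PLAIN = build("hello, no attachments")
WITH_PDF = build("see attached", [("report.pdf", b"%PDF-1.4")])
WITH_EXE = build("see attached", [("report.pdf", b"%PDF-1.4"), ("setup.exe", b"MZ")])
HTML_AS_FILE = build("see attached", [("message.html", b"<p>hi</p>")])

if __name__ == "__main__":
    for label, m in [("plain", PLAIN), ("pdf", WITH_PDF), ("exe", WITH_EXE)]:
        print(label, original_rule(m), match_all_rule(m))
```

Under this logic any part whose filename has no period passes, whether it is a message body or a named file, so the allowlist only constrains parts that carry an extension.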
05-22-2025 12:25 PM
As Ken stated, you have it set to any match, and a basic condition of the attachment not being MP4, so everything else will match and quarantine. Best is to set it to match on what you don't want, for fewer false positives. Below is an example of what we had.