Restrict Numbr of attachments

Unanswered Question
Nov 13th, 2007

Hi there,
I have had a search through the forum, however could not find an answer.

We have a series of C300 Appliances and as part of our Mail Policy we would like to detect and restrict the number of attachments sent on an email. For example if someone sends an email and it has 4 attachments (of any type or size, we have another policy for restricting file size) attached we will let it through, however if they attach 5 or more attachments we would like to either quarantine it or send it though with a warning message.
Is this currently possible? If not, how can we request this to be added?

Thanks,

David

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
verylongbloke_i... Tue, 11/13/2007 - 13:12

I dug this out of an internal thread on this:

You can use the $filesizes variable to do a regex against if you only need to enforce a maximum number of attachments. I use $filesizes instead of $filenames so you cant have a false positive on ", " in the filename.

Note: You need to use the insert-header command since we cant match directly against variables.

RestrictOneAttachment:
if (true) {
insert-header("X-Filesizes", "$filesizes");
if (header("X-Filesizes") == ", ") {
drop();
}
strip-header("X-Filesizes");
}

This will drop a message with more than one attachment. For a specific number, Ex. if there is more than 2 attachments.

if (header("X-Filesizes") == "(, \\d+){2,}") ^^ this will match against an email with 3 or more attachments.

Good luck.....sounds like a feature request to have this as a filter rule for the future :wink:

Pat_ironport Tue, 11/13/2007 - 20:30

Thank you, verylongbloke!
I'm very interested in such a solution too. Could you please give me some more informations where exactly I have to fill in your code and where I can change the message back to the sender with a text like "...please create one ZIP-Archive with your multiple attachments..."

David.shoesmith73 Tue, 11/13/2007 - 22:36

Thanks for the info.
Is there a way to have it quarantine or forward with a Notification rather than dropping it?

How do we put this request on the future features list?

Edit: I just spoke to my local Ironport Support person and they said it is already on the Feature Request list. I guess we just need to wait for it to happen :)

Regards,

David

sspeerin Wed, 11/14/2007 - 22:08

Thanks for the info.
Is there a way to have it quarantine or forward with a Notification rather than dropping it?


Hi David, yes you can quarantine and send a notification from within a Message Filter.

I suggest opening the Advanced User Guide (5.5) and look at Chapter 4 Policy Enforcement, Message Filters. You will find a notification command and a quarantine command. The guide will explain what the parameters for the commands are.
David.shoesmith73 Wed, 11/14/2007 - 23:00

Hi Shane,
Yep, I have seen and done that with other filters. I was hoping to be able to do it with the code that verylongbloke posted up. He said that it would only drop the message.
I am happy to wait for the new filter to be added. Hope it is not too long away ;)

Regards,

David

sspeerin Wed, 11/14/2007 - 23:51

Hi Shane,
Yep, I have seen and done that with other filters. I was hoping to be able to do it with the code that verylongbloke posted up. He said that it would only drop the message.
I am happy to wait for the new filter to be added. Hope it is not too long away ;)

Regards,

David


David, you can do this now, heres an example filter:

if (true)
{
insert-header("X-Filesizes", "$filesizes");
if (header("X-Filesizes") == "(, \\d+){2,}")
{
notify("[email protected]","To many attachments");
quarantine("Policy");
}
strip-header("X-Filesizes");
}

In the quarantine command you can change the Policy quarantine to one you have created if you wish. Also the notify command you could use a template if you want for the message as the above example will send a message with just the subject of To many attachments. The user guide explains how to use a template and what variables you can use to send notifications.

The above is a message filter and has to be added to the appliance via the command line. Message filters happen after the message has been accepted on the box and before they enter the email pipline. They can effect messages globally and therefore if you need to apply this to only emails leaving the organisation then you need to apply the message filter to a listener.

So to apply the above message filter to the out bound listener it would look like this:

###########Copy below this line###############
AttachmentCountingFilter:
if(recv-listener=="Outboundlistener")
{
if (true)
{
insert-header("X-Filesizes", "$filesizes");
if (header("X-Filesizes") == "(, \\d+){2,}")
{
notify("[email protected]","To many attachments");
quarantine("Policy");
}
strip-header("X-Filesizes");
}
}
#########Copy only above this line#############

Change the Outboundlistener to the name of the outbound listener on your appliance.

If you copy the above filter into a text file and then from the command line on your appliance import this as a filter it should work.

Disclaimer is that you test it before applying it in a production environment.
David.shoesmith73 Thu, 11/15/2007 - 01:33

Thanks for the extra info.

I have modified the code as below

Restrict10Attachment:
if (true)
{
insert-header("X-Filesizes", "$filesizes");
if (header("X-Filesizes") == "(, \\d+){10,}")
{
notify("$Envelopesender","legal.restricted.out");
quarantine("Prohibited");
}
strip-header("X-Filesizes");
}



If I read it right, it should check for 10 or more attachments, notify the sender, and use the Notify Template I have called "legal.restricted.out"

I am going use this filter for all mail entering and leaving the company, so have not included the "if(recv-listener=="Outboundlistener")" line.

Regards,
David

David.shoesmith73 Thu, 11/15/2007 - 04:32

OK I have been testing this for most of the day and have the following script



Restrict10Attachment:
if (true)
{
insert-header("X-Filesizes", "$filesizes");
if (header("X-Filesizes") == "(, \\d+){10,}")
{
notify("$Envelopefrom", "[$FilterName] Too many Attachments", "$Envelopesender",

"legal.numberofattachments");
quarantine("Prohibited");
}
strip-header("X-Filesizes");
}


It detects the email has more than 10 attachments and places it into the Prohibited quarantine area, and then notifies the sender, the only problem is when the email is sent to the sender it apears to have come from themselves. What have I done wrong? and how can I make it apear to come from an email address I specify, eg: [email protected]

Thanks,
David

verylongbloke_i... Thu, 11/15/2007 - 09:37

Sorry - forgot to look at this thread this sooner..

notify("$Envelopefrom", "[$FilterName] Too many Attachments", "$Envelopesender", "legal.numberofattachments");

The manual for v5.5 adv user guide states:

The notify action also supports up to three additional, optional arguments that allow you to specify after the email address; the subject header, the Envelope Sender, and a pre-defined text resource to use for the notification message. These parameters must appear in order, so a subject must be provided if the Envelope Sender is to be set or a notification template specified.

Your action should change to (i think):


notify("$Envelopefrom", "[$FilterName] Too many Attachments", [email protected]", "legal.numberofattachments");

That should do the trick i think....

Actions

This Discussion