Attachment being stripped out, how come?

Unanswered Question
Feb 22nd, 2008

I am new to IronPort administration so forgive me if this is a newbie quesetion.

I have a client who is trying to receive a .docx file but it is being stripped out by our IronPort.

What I have done:
-The size of the message is 473KB, no problem.
-The attachment is of type .docx which I am not blocking, no problem.
-I have a copy of the attachment and can duplicate IronPort removing it. We have an Incoming Content Filter that is setup to remove specific types of attachments and when it does so it replaces the attachment with a .txt file that indicates the attachment was dropped. So I believe I have found the filter that is dropping it but can not determine why.

My theory:
-My first guess is that the .docx has some embedded content which is triggering the filter to drop it. But I can not find anything in the document that would do so, it has e-mail links and http links, some tables, some pictures, headers, footers.

I have found some suggestions that say to add code to skip the scanning of .docx, .xlsx, etc. type files but I don't want to reduce the protection that IronPort is providing.


Any Suggestions?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Doc_ironport Fri, 02/22/2008 - 21:24

We have an Incoming Content Filter that is setup to remove specific types of attachments and when it does so it replaces the attachment with a .txt file that indicates the attachment was dropped.  So I believe I have found the filter that is dropping it but can not determine why.  


What is the filter you believe is causing it to be dropped configured to do? ie, what's the conditions you've got it triggering on?
Jason Meyer Fri, 02/22/2008 - 22:43

The filter has the following Action:

drop-attachments-by-name("(?i)\\.(bas|bat|cmd|com|cpl|exe|hta|inf|ins|isp|js|jse|lnk|msc|msi|msp|mst|pif|reg|scr|sct|shb|shs|url|vb|vbe|vbs|wsc|wsh|wma|wmf|test)$", "The attachment $dropped_filenames was removed because it violates the acceptable attachment policy.)

I believe it is this filter that is dropping the attachment because of the .txt attachment that is being put in the attachments place. It matches the last sentance of the code. ?

steven_geerts Sat, 02/23/2008 - 13:50

Hello,

I had a similar problem when I activated a filter that removed files of the type WMF (Windows Meta File and Enhanced Meta File). All ClipArt’s that are used within office docs are normally WMF file types.
Since you use a filter that is filtering by name this might not be the problem. However, it can be that the .docx format includes the original filename of the clipart. Since Ironport content filtering also scans the content of files (normally you want this for ZIP files etc) it can be that the filter is triggered by that.

It's pure speculation but maybe it worth the try.... :wink:

Steven

ironport99 Tue, 02/26/2008 - 11:46

Office 2007 files are XML contained within a zip file. You can open the .docx file with something like winzip to see the files that are contained within. One of them match your filter which is why the attachment is being dropped.

1) The only way round it would be to remove the filetypes that are triggering the filter from the list of what you filtering - probably not what you want to do.

2) Exclude the Office 2007 docs from scanning for attachments. Microsoft state that the new filetypes cannot contain executable macro code and if a macro is added then Microsoft Office application will not allow the attachment to be opened - so they can be considered "safe".

Jason Meyer Tue, 02/26/2008 - 19:15

Thanks for the information all. Looks like I have some investigation to do. Will keep the thread updated with what I find. Thanks again.

Jason Meyer Tue, 02/26/2008 - 21:00

Using WinZip I found an embedded .wmf in the attachment. This explains why the attachment was being stripped out.

I changed the .wmf embedded object to a .bmp type and the attachment went through IronPort just fine.

Many thanks to all who pointed me in the right direction.

Stallman_ironport Wed, 08/13/2008 - 19:07

I've had some problems with this also. Specifically Microsoft Office 2007 attachments being blocked.

Lately, I have a lot of emails with the .txt extension (which I do not have set up to block) going to Spam Quarantine. Not sure why, but I have found that if the encoding is Unicode or endian then it goes through. If it is cut/pasted into a word document it goes through. I'm new to the whole administration and this is really confusing me. Any help would be appreciated.

vkoutsou_ironport Fri, 08/15/2008 - 14:05

Do you have any filters configured that search in the message body? Text files would match these whereas Word documents and UTF encoded messages and attachments would not.


I've had some problems with this also. Specifically Microsoft Office 2007 attachments being blocked. 

Lately, I have a lot of emails with the .txt extension (which I do not have set up to block) going to Spam Quarantine. Not sure why, but I have found that if the encoding is Unicode or endian then it goes through. If it is cut/pasted into a word document it goes through. I'm new to the whole administration and this is really confusing me. Any help would be appreciated.

Actions

This Discussion