white list content filter

Unanswered Question

Hello all,

I want to allow email for a special group only, if the mail

- ist smaller than 20 MB
- has no attachements
- has one or more attachements of an allowed type (pdf, doc, xls, ...)

All other attachements should be forwarded to an administration account. The attachement should then be stripped off the mail and the user should get the mail with the information, that he could get the mail, if it is business relevant.

My problem is, that I don't know how to filter emails without an attachement.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Douglas Hardison Thu, 10/02/2008 - 15:17
User Badges:
  • Cisco Employee,

At the moment, it is only possible to detect the presence of an attachment using a message filter.
You can use the message filter to insert a header. The header could then be used as a condition in a Content Filter to determine that the message should pass through.

Here is an example of a message filter that checks for attachments.

if (attachment-size >= 1k)
insert-header('X-Attachment_Exists', 'Yes');

Douglas Hardison Thu, 10/09/2008 - 13:23
User Badges:
  • Cisco Employee,


If you feel comfortable providing a copy of the filter, you can paste it into a reply here in the forums, so that we may view it and help determine what changes its needs.

If you would rather not provide a copy of the filter for security reasons,
I would suggest opening a ticket with IronPort Customer Support.


Thank you very much for you reply,

I've build the content filter with the GUI. I don't know how to export only the filter and not the whole configuration.

I've found a work-a-round, that seems to work:
1. mails without attachment, <20M> deliver
2. mails with filetype executables|media|>20M -> quarantine
3. mails with filetype doc,xls,pdf,ole,..,tiff,jpeg,..,mime-type text/* -deliver
4. mails with mime-type multipart/mixed -> quarantine + deliver (not sure filter)
5. all other in quarantine

I thought it would be easier to build a "whitelist filter"...


David.shoesmith73 Fri, 10/10/2008 - 06:03
User Badges:

I think it may have to do with the order you put the content filter and the action you take when you get a positive result.
In line 2. if you also put a -deliver action then it would stop processing the message and send it straight to the quarantine.
So if the email contains a .EXE and a .doc, xls etc it would see the .EXE and send it straight to the Quarantine.
It would not be processed by any further Content filters in the down the list.

I had this problem a while ago as well.

I hope this makes sense and what you were trying to achieve.



This Discussion