white list content filter

bernd.meyer
Level 1

Hello all,

I want to allow email for a special group only, if the mail

- is smaller than 20 MB
- has no attachments
- has one or more attachments of an allowed type (pdf, doc, xls, ...)

All other attachments should be forwarded to an administration account. The attachment should then be stripped off the mail and the user should get the mail with the information that he could get the mail if it is business relevant.

My problem is that I don't know how to filter emails without an attachment.

Thanks,
Bernd

Douglas Hardison
Cisco Employee

At the moment, it is only possible to detect the presence of an attachment using a message filter.
You can use the message filter to insert a header. The header could then be used as a condition in a Content Filter to determine that the message should pass through.

Here is an example of a message filter that checks for attachments.

add_header_if_there_is_an_attachment:
if (attachment-size >= 1k)
{
    insert-header('X-Attachment_Exists', 'Yes');
}

bernd.meyer
Level 1

Thank you very much. It is working as expected.

But now there is another problem: if a mail has more than one attachment and one (maybe the first one) has an allowed type (.doc) and a second file is an executable (.exe), the mail passes the filter.

How can I resolve the problem?

Thanks,
Bernd

bernd.meyer
Level 1

Hi,

How can I find out if an attachment is a forwarded email?

Thanks,
Bernd

Douglas Hardison
Cisco Employee

Hi,

If you feel comfortable providing a copy of the filter, you can paste it into a reply here in the forums, so that we may view it and help determine what changes it needs.

If you would rather not provide a copy of the filter for security reasons,
I would suggest opening a ticket with IronPort Customer Support.

-whardison

bernd.meyer
Level 1

Thank you very much for your reply,

I've built the content filter with the GUI. I don't know how to export only the filter and not the whole configuration.

I've found a workaround that seems to work:
1. mails without attachment, <20M -> deliver
2. mails with filetype executables|media|>20M -> quarantine
3. mails with filetype doc,xls,pdf,ole,..,tiff,jpeg,..,mime-type text/* -> deliver
4. mails with mime-type multipart/mixed -> quarantine + deliver (not sure filter)
5. all other in quarantine

I thought it would be easier to build a "whitelist filter"...

Bernd

david.shoesmith
Level 1

I think it may have to do with the order you put the content filter in and the action you take when you get a positive result.
In line 2., if you also put a -deliver action then it would stop processing the message and send it straight to the quarantine.
So if the email contains a .EXE and a .doc, xls etc. it would see the .EXE and send it straight to the quarantine.
It would not be processed by any further content filters down the list.

I had this problem a while ago as well.

I hope this makes sense and what you were trying to achieve.

Bogor
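
The rule-ordering point from this thread, as an added example that is not part of the original posts and is not IronPort filter syntax: it models in Python why a "deliver on the first allowed type" rule passes a .doc + .exe mail, and how evaluating the deny rule first closes that gap. The function names, the extension-based type check and the sample mails are assumptions made for illustration; the allowed types and the 20 MB limit are the ones named in the thread.

```python
from email.message import EmailMessage

ALLOWED_EXT = {"pdf", "doc", "xls"}      # allowed types named in the thread
MAX_BYTES = 20 * 1024 * 1024             # 20 MB limit from the thread

def attachment_exts(msg):
    """Lower-cased extension of every attachment; '' when there is no usable
    file name (e.g. a forwarded mail attached as message/rfc822)."""
    exts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts.append(name.rsplit(".", 1)[-1].lower() if "." in name else "")
    return exts

def first_match_verdict(msg):
    """Behaviour reported in the thread: one allowed type lets the mail pass."""
    exts = attachment_exts(msg)
    if len(msg.as_bytes()) >= MAX_BYTES:
        return "quarantine"
    if not exts or any(e in ALLOWED_EXT for e in exts):
        return "deliver"
    return "quarantine"

def allowlist_verdict(msg):
    """Deny rule evaluated first: any attachment outside the list quarantines."""
    exts = attachment_exts(msg)
    if len(msg.as_bytes()) >= MAX_BYTES:
        return "quarantine"
    if any(e not in ALLOWED_EXT for e in exts):
        return "quarantine"
    return "deliver"                     # no attachments, or all of them allowed

def build(*filenames, forwarded=False):
    """Constructed sample mail with dummy attachment bytes (hypothetical helper)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for fn in filenames:
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=fn)
    if forwarded:
        inner = EmailMessage()
        inner["Subject"] = "forwarded"
        inner.set_content("inner body")
        msg.add_attachment(inner)        # becomes a message/rfc822 part
    return msg

if __name__ == "__main__":
    for m in (build(), build("a.doc"), build("a.doc", "b.exe"), build("a.pdf", forwarded=True)):
        print(attachment_exts(m), first_match_verdict(m), allowlist_verdict(m))
```

File extensions are trivially renamed, so a real deployment should rely on the gateway's own file-type detection; the extension check here only keeps the ordering logic visible.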