Attachment filtering not working - ORF Forums

Attachment filtering not working RSS Back to forum

1

I'm using http://www.emailsecuritycheck.net/index.html to perform a check of attachment filtering.
This sends several attachments, but even though I have the attachment filtering configured correctly, ORF still lets them through.

eg, *.dll should block all attachments ending in .dll but orf allows it through.

What is going on?

by gavpop 6 years ago
2

Hello gavpop,

Start the ORF Administration Tool and:
1. Make sure that the Attachment Blacklist test in marked enabled on the 'Filtering > Tests' page
2. Navigate to the 'Blacklists > Attachment Filtering' page, and make sure that, your *.dll entry's expression type is set to 'Simple text'.
3. In case you are using a regex pattern to match certain file types, make sure that the expression type is set to 'Regular expression'

Please note that if you create and entry that filters 'by attachment name' AND 'by MIME content type', both patterns must match at the same time, otherwise the attachment will be allowed to pass. For additional details, please consult our related help page: https://vamsoft.com/support/docs/orf-help/5.4.1/adm-oa-attachmentfltr

Please, let me know if this has helped.

by Daniel Novak (Vamsoft) 6 years ago
3

@Daniel Novak (Vamsoft): All this is correct.
I have an additional filter for *.bat which works perfectly.
The * .bat and *.dll rules are identical, apart from the search string.

by gavpop 6 years ago
(in reply to this post)

4

[AttachmentFiltering]
StrictAttachmentDefinition=No
ResponseCode=550
ResponseText=5.7.1 Message rejected due to the attachment filtering policy.
RemovalText=QXR0YWNobWVudCBoYXMgYmVlbiByZW1vdmVkIGR1ZSB0byBzZWN1cml0eSBwb2xpY3kgcmVzdHJpY3Rpb25zLg0KDQpBdHRhY2htZW50IG5hbWU6IHtBVFRBQ0hNRU5UX05BTUV9DQpNSU1FIHR5cGU6IHtBVFRBQ0hNRU5UX0NPTlRFTlRUWVBFfQ0KUXVhcmFudGluZSBzdGF0dXM6IHtRVUFSQU5USU5FX1NUQVRVU30NCkFkZGl0aW9uYWwgY29tbWVudHM6IHtDT01NRU5UfQ==
QuarantineEnabled=No
QuarantineFolderPath=
QuarantineEnableRetentionControl=Yes
QuarantineRetainForDays=30
0="Name","DropMail","","SimpleText","*.r00*","SimpleText","*.r00"
1="Name","DropMail","","SimpleText","*.bat*","SimpleText","*.bat"
2="Name","DropMail","","SimpleText","*.","SimpleText","block empty attachments"
3="Name","DropMail","","SimpleText","*.dll*","SimpleText","*.dll"
4="Name","DropMail","","SimpleText","^[^.]+$","RegularExpression","drop attachments without a ""."""

by gavpop 6 years ago
5

Your settings appear to be correct, so I can only think of one or two explanations: The email was malformed or the attachment was broken - perhaps intentionally, for testing purposes. Your mail server might have fixed the message and delivered a working email to the recipient address. Have you tested the *.dll rule with an email that does not come from emailsecuritychek.net? If not, I would suggest you send one to your mail server from an external address.

Furthermore, it is important to note that the Attachment Blacklist test simply examines the filename itself. It does not scan the attachments and, as of today, it does not look into archives either. If you wish to extend ORF’s spam filtering repertoire with antivirus capabilities, you should connect a command line scanner, such as ClamAV (http://vamsoft.com/support/docs/articles/using-clamav-with-ORF-part-1), to it as an External Agent (http://vamsoft.com/support/docs/orf-help/5.4.1/adm-agents-agentprops), or better yet, use an email-enabled anti-virus that integrates with Exchange specifically.

I hope this helps.

by Daniel Novak (Vamsoft) 6 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2