6.2 ORF Online Help
Select your ORF version:

Table of Contents

Attachment Filtering

The attachment filtering in ORF allows you to filter specific attachment types. The related configuration options are available under BlacklistsAttachment Filtering in the navigation.

Enabling or Disabling the Attachment Filtering

You can enable or disable the use of the Attachment Filtering on the FilteringTests page in the navigation.

Attachment Filtering Settings

Click the Settings button to configure the Attachment Filtering.


Blacklisted attachments can be replaced by a warning message. Edit the warning message text here. Four custom fields are supported by the editor, select these from right-click menu of the text box. The custom fields are replaced by their actual value when an attachment is replaced by the warning text.


Set the SMTP response sent by ORF when an email is dropped due to an attachment filter hit. Click the SMTP Response button to edit the response. More about the SMTP responses is available in the SMTP Responses section of the help.


Blacklisted attachments can be saved by ORF in an arbitrary folder for later retrieval.

ORF quarantines attachments that are replaced by a replacement notice. ORF also quarantines all attachments when the email is dropped by Attachment Filtering (this includes even those attachments which did not match any filter rules).

Attachments are quarantined under their original file name with .quarantine added to the end in order to prevent the accidental execution of malicious files. When using the original file name is not possible, ORF generates another file name that closely resembles the original file name. Consult the related ORF log message for the original and the generated file name. A few scenarios when a new file name is generated:

  • An attachment with the same file name is already present in the quarantine folder
    The extension of the file is prepended with a whitespace and a number enclosed in parentheses (document.doc is renamed to document (1).doc).
  • The file name is possibly malicious
    Invalid characters, reserved characters, path components (backslash) are replaced with underscore (_) characters (..\..\*something?.dat will be renamed .._..__something_.dat). Reserved system file names are prepended with an underscore character (COM1 will be renamed _COM1).
  • No attachment file name is available
    An attachment file without name will be given the file name Quarantined Attachment.dat.

Folder path

Specify a folder in which quarantined attachments will be stored. The Quarantine Folder path can be localized, see the related help article for more information.

Anti-virus software may prevent ORF from writing a copy of attachment to the Quarantine Folder. In case you want the attachment to be saved even if it possibly contains malicious content, be sure to exclude the Quarantine Folder path from real-time anti-virus checking.

Retention policy

Enable retention to have ORF automatically delete quarantined files older than the configured threshold. Set the threshold using the Automatically delete quarantine contents older than X days option.

Note that retention control is exercised only if the Attachment Quarantine feature is enabled.

Always use a dedicated folder for quarantining purposes. When retention control is enabled, ORF will delete any files in the Quarantine Folder older than the configured threshold, even if they were not placed there by ORF.


View and configure attachment filtering exceptions.

Sender Email Exceptions

Use this list to exclude specific senders from attachment filtering by the sender email address or domain.

Sender IP Exceptions

Use this list to exclude specific senders from the attachment filtering by the sender IP address or network range.


View and configure archive filtering settings.

Remove password protected archives

Set this to block password protected archives whose content cannot be evaluated due to encryption.

Force check attachments

Set this if you want ORF to find and extract archives with renamed file extensions.

Certain file types, such as Open XML formatted Office documents (.docx, .xlsx, etc.), use zip compression technology to reduce the file size and to combine multiple files into one package. When the 'force check' option is enabled, ORF will scan into such archives as well and match the files found inside against the attachment filter expressions, which might cause false positive hits.

Maximum check time

Control how much time ORF may spend with the complete extraction of an archive. As very large or complex (e.g. multi-level) archives may require an excessive amount of time to process, it is recommended to limit the maximum time to avoid email transmission timeouts.

Maximum number of recursions

Archives may contain nested archives (i.e. archives inside an archive), so it is recommended to limit the maximum number of archive files that are extracted within an attached archive.


Specify what ORF should do when the processing of an archive is prematurely terminated.

As of now, ORF can examine files in ZIP archives only. Support for additional archive types will be added in a future release.

Using the Attachment Filtering

Adding, modifying and deleting attachment filters

Click the New button to add a new attachment filter to the list. To modify an existing attachment filter, click Modify or hit Enter. Attachment filters can be deleted using the Delete button or the Delete key.

Sorting the attachment filter list

Click the column header of any column by which you wish to sort the attachment filter list. To reverse sorting, click the column header again.

Exporting and importing the attachment filters

Right-click on the expression list and select "Import List..." or "Export List..." Alternatively, you can do this from the menu, select FileImportAttachment filter list or FileExportAttachment filter list.

Searching expressions in logs

Right-click on the list item or items and select "Search in logs..." to find log records that match the defined expression. Logs need to be loaded in the Log Viewer beforehand.

Using the Attachment Filter Properties Dialog

Attachments can be filtered based on the attachment file name or the attachment MIME type (or both combined) and the attachment size.


ORF can look for files that match the filtering criteria both among the email attachements and inside attached archives as well. Select the appropriate search scope for your filter expression.

Attachment Name

Set the Filter by attachment name checkbox to filter by the attachment name. This can be combined with the content type filter on the MIME Content Type tab.

Select the filter type (can be a simple text file name / wildcard expression or a regular expression) and enter the desired file name or expression to the Attachment Name edit box.

MIME Content Type

Set the Filter by MIME content type checkbox to filter by the attachment's content type. This can be combined with the attachment file name filter on the Attachment Name tab.

Select the filter type (can be a simple text / wildcard expression or a regular expression) and enter the desired MIME type name (e.g., image/jpeg) or expression to the Content type/regular expression edit box.

Attachment Size

Set the Filter by file size checkbox to filter by the attachment's file size. This filter is combined with the attachment file name filter and the MIME content type filter.

Testing the Expressions

Test your expression using the Test attachment name and Test content type edit boxes. If the test box contents match with the mask, a green "Match" label appears on the right side of the test box.


Select the action to be performed when the attachment is blacklisted by the filter. You can choose to replace the attachment with a removal notice or to drop the entire email.


Add an optional comment to the filter expression. This comment is logged when the filter expression catches an attachment. Helpful when you have to know which expression caught the email. The comment also can be used in the warning message text.

Filtering attachments by file name extensions

By using regular expressions, you can easily filter attachments by file name extensions.

Start the ORF Administration Tool, select BlacklistsAttachment filtering in the left navigation pane.
Click New and tick the Filter by attachment name checkbox.
Set the expression type to Regular expression (Perl-compatible) and enter the filtering expression. For example, to block ZIP attachments, simply add
This will block all attached files ending with ".zip". You can also specify more than one extensions by a single expression. If you wish to block ZIP, EXE, COM and VBS attachments, enter the following expression instead:
Finally, configure what should ORF do with the attachment (Filter Properties tab), optionally assign a comment to the filter and click OK.

UUENCODED Attachments

Filtering UUENCODED attachments are not supported. See the Limitations section for more information.

Copyright © Vamsoft Ltd. 2024. All rights reserved. Document ID adm-oa-attachmentfltr, version 3.