6.2 ORF Online Help

Attachment Filtering


Attachment filtering in ORF allows you to filter specific attachment types. The related configuration options are available under Blacklists > Attachment Filtering in the navigation.

Enabling or Disabling the Attachment Filtering

You can enable or disable the use of the Attachment Filtering on the Filtering > Tests page in the navigation.

Attachment Filtering Settings

Click the Settings button to configure the Attachment Filtering.

Replacement

Blacklisted attachments can be replaced by a warning message. Edit the warning message text here. The editor supports four custom fields, which you can select from the right-click menu of the text box. The custom fields are replaced by their actual values when an attachment is replaced by the warning text.

Drop

Set the SMTP response sent by ORF when an email is dropped due to an attachment filter hit. Click the SMTP Response button to edit the response. More information about SMTP responses is available in the SMTP Responses section of the help.

Quarantine

Blacklisted attachments can be saved by ORF in an arbitrary folder for later retrieval.

ORF quarantines attachments that are replaced by a replacement notice. ORF also quarantines all attachments when the email is dropped by Attachment Filtering (this includes even those attachments which did not match any filter rules).

Attachments are quarantined under their original file name with .quarantine added to the end in order to prevent the accidental execution of malicious files. When using the original file name is not possible, ORF generates another file name that closely resembles the original file name. Consult the related ORF log message for the original and the generated file name. A few scenarios when a new file name is generated:

  • An attachment with the same file name is already present in the quarantine folder
    The extension of the file is prepended with a whitespace and a number enclosed in parentheses (document.doc is renamed to document (1).doc).
  • The file name is possibly malicious
    Invalid characters, reserved characters, path components (backslash) are replaced with underscore (_) characters (..\..\*something?.dat will be renamed .._..__something_.dat). Reserved system file names are prepended with an underscore character (COM1 will be renamed _COM1).
  • No attachment file name is available
    An attachment file without name will be given the file name Quarantined Attachment.dat.
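
The renaming rules above, sketched in Python as an added illustration (not ORF's own code). The function name, the exact set of unsafe characters, the reserved-name list and applying .quarantine to generated names are assumptions; the page gives only the examples quoted above.

```python
import os
import re

# Assumed unsafe set: characters Windows rejects in file names plus control
# characters. The page only names "invalid characters, reserved characters,
# path components (backslash)".
UNSAFE = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
# Assumed list of reserved Windows device names; the page mentions only COM1.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}
SUFFIX = ".quarantine"
DEFAULT_NAME = "Quarantined Attachment.dat"


def quarantine_name(original, existing):
    """Name to store an attachment under, given names already in the folder."""
    # Neutralise separators and wildcards first, so "..\..\x" cannot leave
    # the quarantine folder; fall back to the default when no name is left.
    name = UNSAFE.sub("_", original or "") or DEFAULT_NAME
    stem, ext = os.path.splitext(name)
    if stem.upper() in RESERVED:
        stem = "_" + stem
    # Compare case-insensitively, as Windows file systems normally do.
    taken = {entry.lower() for entry in existing}
    candidate, n = stem + ext, 0
    while (candidate + SUFFIX).lower() in taken:
        n += 1
        candidate = f"{stem} ({n}){ext}"
    return candidate + SUFFIX
```
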

Folder path

Specify a folder in which quarantined attachments will be stored. The Quarantine Folder path can be localized, see the related help article for more information.

Anti-virus software may prevent ORF from writing a copy of the attachment to the Quarantine Folder. If you want the attachment to be saved even if it possibly contains malicious content, be sure to exclude the Quarantine Folder path from real-time anti-virus checking.

Retention policy

Enable retention to have ORF automatically delete quarantined files older than the configured threshold. Set the threshold using the Automatically delete quarantine contents older than X days option.

Note that retention control is exercised only if the Attachment Quarantine feature is enabled.

Always use a dedicated folder for quarantining purposes. When retention control is enabled, ORF will delete any files in the Quarantine Folder older than the configured threshold, even if they were not placed there by ORF.

Exceptions

View and configure attachment filtering exceptions.

Sender Email Exceptions

Use this list to exclude specific senders from attachment filtering by the sender email address or domain.

Sender IP Exceptions

Use this list to exclude specific senders from the attachment filtering by the sender IP address or network range.

Archives

View and configure archive filtering settings.

Remove password protected archives

Set this to block password protected archives whose content cannot be evaluated due to encryption.

Force check attachments

Set this if you want ORF to find and extract archives with renamed file extensions.

Certain file types, such as Open XML formatted Office documents (.docx, .xlsx, etc.), use zip compression technology to reduce the file size and to combine multiple files into one package. When the 'force check' option is enabled, ORF will scan into such archives as well and match the files found inside against the attachment filter expressions, which might cause false positive hits.

Maximum check time

Control how much time ORF may spend on the complete extraction of an archive. As very large or complex (e.g. multi-level) archives may require an excessive amount of time to process, it is recommended to limit the maximum time to avoid email transmission timeouts.

Maximum number of recursions

Archives may contain nested archives (i.e. archives inside an archive), so it is recommended to limit the maximum number of archive files that are extracted within an attached archive.

Action

Specify what ORF should do when the processing of an archive is prematurely terminated.

As of now, ORF can examine files in ZIP archives only. Support for additional archive types will be added in a future release.
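
How these archive settings interact, shown as an added Python sketch (not ORF's implementation): a ZIP scan that identifies archives by content rather than extension, stops at encrypted members, and gives up when a time budget or nested-archive count is exceeded. The names scan_archive and make_zip, the verdict strings, the member size cap and counting the attachment itself towards max_archives are assumptions; the "limit" verdict is the premature termination to which the Action setting applies.

```python
import io
import re
import time
import zipfile

# The page's example expression without "zip", so nested archives are opened
# instead of being blocked by name. Case-insensitive matching is an assumption.
FILTER = re.compile(r".*\.(exe|com|vbs)$", re.IGNORECASE)
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap, not an ORF setting


def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def scan_archive(data, max_seconds=5.0, max_archives=10):
    """Return (verdict, detail): verdict is hit, encrypted, limit or clean."""
    deadline = time.monotonic() + max_seconds
    pending, opened = [data], 0
    while pending:
        blob = io.BytesIO(pending.pop())
        if not zipfile.is_zipfile(blob):      # decide by content, not extension
            continue
        opened += 1
        if opened > max_archives:
            return "limit", "too many nested archives"
        with zipfile.ZipFile(blob) as zf:
            for info in zf.infolist():
                if time.monotonic() >= deadline:
                    return "limit", "time budget exceeded"
                if info.flag_bits & 0x1:      # ZIP "encrypted" flag
                    return "encrypted", info.filename
                if FILTER.match(info.filename):
                    return "hit", info.filename
                if info.file_size > MAX_MEMBER_BYTES:
                    return "limit", "member too large"
                pending.append(zf.read(info))  # may itself be an archive
    return "clean", ""
```

Because the content check also recognises Open XML documents as ZIP files, their internal files are matched against the expression too, which is the false-positive source described under Force check attachments.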

Using the Attachment Filtering

Adding, modifying and deleting attachment filters

Click the New button to add a new attachment filter to the list. To modify an existing attachment filter, click Modify or hit Enter. Attachment filters can be deleted using the Delete button or the Delete key.

Sorting the attachment filter list

Click the column header of any column by which you wish to sort the attachment filter list. To reverse sorting, click the column header again.

Exporting and importing the attachment filters

Right-click on the expression list and select "Import List..." or "Export List...". Alternatively, you can do this from the menu: select File > Import > Attachment filter list or File > Export > Attachment filter list.

Searching expressions in logs

Right-click on the list item or items and select "Search in logs..." to find log records that match the defined expression. Logs need to be loaded in the Log Viewer beforehand.

Using the Attachment Filter Properties Dialog

Attachments can be filtered based on the attachment file name or the attachment MIME type (or both combined) and the attachment size.

Scope

ORF can look for files that match the filtering criteria both among the email attachments and inside attached archives. Select the appropriate search scope for your filter expression.

Attachment Name

Set the Filter by attachment name checkbox to filter by the attachment name. This can be combined with the content type filter on the MIME Content Type tab.

Select the filter type (can be a simple text file name / wildcard expression or a regular expression) and enter the desired file name or expression to the Attachment Name edit box.

MIME Content Type

Set the Filter by MIME content type checkbox to filter by the attachment's content type. This can be combined with the attachment file name filter on the Attachment Name tab.

Select the filter type (can be a simple text / wildcard expression or a regular expression) and enter the desired MIME type name (e.g., image/jpeg) or expression to the Content type/regular expression edit box.

Attachment Size

Set the Filter by file size checkbox to filter by the attachment's file size. This filter is combined with the attachment file name filter and the MIME content type filter.

Testing the Expressions

Test your expression using the Test attachment name and Test content type edit boxes. If the test box contents match with the mask, a green "Match" label appears on the right side of the test box.

Action

Select the action to be performed when the attachment is blacklisted by the filter. You can choose to replace the attachment with a removal notice or to drop the entire email.

Comment

Add an optional comment to the filter expression. This comment is logged when the filter expression catches an attachment, which is helpful when you have to know which expression caught the email. The comment can also be used in the warning message text.

Filtering attachments by file name extensions

By using regular expressions, you can easily filter attachments by file name extensions.

1. Start the ORF Administration Tool and select Blacklists > Attachment filtering in the left navigation pane.
2. Click New and tick the Filter by attachment name checkbox.
3. Set the expression type to Regular expression (Perl-compatible) and enter the filtering expression. For example, to block ZIP attachments, simply add
   .*\.zip$
   This will block all attached files ending with ".zip". You can also specify more than one extension in a single expression. If you wish to block ZIP, EXE, COM and VBS attachments, enter the following expression instead:
   .*\.(zip|exe|com|vbs)$
4. Finally, configure what ORF should do with the attachment (Filter Properties tab), optionally assign a comment to the filter and click OK.

UUENCODED Attachments

Filtering UUENCODED attachments is not supported. See the Limitations section for more information.

Copyright © Vamsoft Ltd. 2024. All rights reserved. Document ID adm-oa-attachmentfltr, version 3.