6.8.3 ORF Online Help

Attachment Filtering


The attachment filtering in ORF allows you to filter specific attachment types. The related configuration options are available under Blacklists > Attachment Filtering in the navigation.

Enabling or Disabling the Attachment Filtering

You can enable or disable the use of the Attachment Filtering on the Filtering > Tests page in the navigation.

Attachment Filtering Settings

Click the Settings button to configure the Attachment Filtering.

Replacement

Blacklisted attachments can be replaced by a warning message. Edit the warning message text here. Six custom fields are supported by the editor; select these from the right-click menu of the text box. The custom fields are replaced by their actual value when an attachment is replaced by the warning text.

Resend

Quarantined attachments can be resent to the original recipients. You can edit the subject, the text and the sender address of the accompanying email on this page. Seven custom fields are supported by the editor; select these from the right-click menu of the text box. The custom fields are replaced by their actual value when the email is sent to the recipient.

We recommend that you provide a custom sender address with your own domain, so that the email does not get inadvertently blacklisted by other email security software further down the delivery chain.

Drop

Set the SMTP response sent by ORF when an email is dropped due to an attachment filter hit. Click the SMTP Response button to edit the response. More information about SMTP responses is available in the SMTP Responses section of the help.

Quarantine

Blacklisted attachments can be saved by ORF in an arbitrary folder for later retrieval.

ORF quarantines attachments that are replaced by a replacement notice. ORF also quarantines all attachments when the email is dropped by Attachment Filtering (this includes even those attachments which did not match any filter rules).

Attachments are quarantined in an archive with a unique identifier and a .quarantine extension to prevent the accidental execution of malicious files. The archive (which is just a renamed .ZIP file) contains two files named attachment and info. The former is the renamed attachment file, the latter contains information about the attachment itself and the email from which it was removed.
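The following added example (not part of ORF or of the original help text) shows one way to triage a .quarantine archive by hashing the attachment member in memory, so the payload is never written to disk under an executable name. The function names and the sample contents are constructed for illustration; the layout of the info member is not described on this page, so it is returned as raw bytes.

```python
import hashlib
import io
import zipfile

EXPECTED_MEMBERS = {"attachment", "info"}  # member names stated on this page

def inspect_quarantine(source):
    """Hash the quarantined payload in memory; nothing is extracted to disk.

    `source` is a path to a .quarantine file or a binary file object.
    """
    with zipfile.ZipFile(source) as zf:
        names = set(zf.namelist())
        if names != EXPECTED_MEMBERS:
            raise ValueError(f"unexpected members: {sorted(names)}")
        digest = hashlib.sha256()
        size = 0
        with zf.open("attachment") as payload:
            # Stream in chunks so large attachments do not have to fit in memory
            for chunk in iter(lambda: payload.read(65536), b""):
                digest.update(chunk)
                size += len(chunk)
        # The info layout is not documented here, so it is kept as raw bytes
        info = zf.read("info")
    return {"sha256": digest.hexdigest(), "size": size, "info": info}

def build_sample(members=None):
    """Constructed sample: a ZIP with the two member names and placeholder data."""
    members = members or {
        "attachment": b"constructed payload bytes",
        "info": b"constructed info text",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    result = inspect_quarantine(build_sample())
    print(result["sha256"], result["size"])
```

The resulting SHA-256 can be used to look the file up in existing reputation or malware databases before deciding whether to resend it.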

Folder path

Specify a folder in which quarantined attachments will be stored. The Quarantine Folder path can be localized, see the related help article for more information.

Anti-virus software may prevent ORF from writing a copy of the attachment to the Quarantine Folder. In case you want the attachment to be saved even if it possibly contains malicious content, be sure to exclude the Quarantine Folder path from real-time anti-virus checking.

Retention policy

Enable retention to have ORF automatically delete quarantined files older than the configured threshold. Set the threshold using the Automatically delete quarantine contents older than X days option.

Note that retention control is exercised only if the Attachment Quarantine feature is enabled.

Always use a dedicated folder for quarantining purposes. When retention control is enabled, ORF will delete any files in the Quarantine Folder older than the configured threshold, even if they were not placed there by ORF.

Exceptions

View and configure attachment filtering exceptions.

Sender Email Exceptions

Use this list to exclude specific senders from attachment filtering by the sender email address or domain.

Validate the sender before excluding the email from filtering

Use this to verify whether the sender is actually authorized to send emails on behalf of the domain it claims to represent and not just spoofing it to bypass filtering: If the sending domain has a published SPF policy, the email must "pass" the SPF evaluation to be excluded from filtering.

Sender IP Exceptions

Use this list to exclude specific senders from the attachment filtering by the sender IP address or network range.

Archives

View and configure archive filtering settings.

The following is a non-exhaustive list of supported archive formats: 7z, AR, ARJ, BZIP2, CAB, CHM, CPIO, CramFS, DMG, EXT, FAT, GPT, GZIP, HFS, IHEX, ISO, LZH, LZMA, MBR, MSI, NSIS, NTFS, QCOW2, RAR, RPM, SquashFS, TAR, UDF, UEFI, VDI, VHD, VMDK, WIM, XAR, XZ, Z, ZIP

Remove password protected archives

If you enable the setting, any password-protected archives that cannot be decompressed and examined will be replaced with the removal notice notifying the user that the archive has been removed. It is important to keep in mind that the list of files present in a password-protected archive can be accessed without decompression, so the archive will not be replaced unless it contains another archive or the 'force check attachments' option is turned on (see below).

Force check attachments

Normally, some file extensions (such as .zip or .rar) are known to be archives that can be decompressed, while others (such as .pdf or .jpg) are not. However, by enabling this setting, ORF will check all attachments for decompression regardless of their file extension.

Certain file types, such as Open XML formatted Office documents (.docx, .xlsx, etc.), use zip compression technology to reduce the file size and to combine multiple files into one package. When the 'force check attachments' option is enabled, ORF will scan into such archives as well and match the files found inside against the attachment filter expressions, which might cause false positive hits.

Maximum check time

Control how much time ORF may spend on the complete extraction of an archive. As very large or complex (e.g. multi-level) archives may require an excessive amount of time to process, it is recommended to limit the maximum time to avoid email transmission timeouts.

Maximum number of recursions

Archives may contain nested archives (i.e. archives inside an archive), so it is recommended to limit the maximum number of archive files that are extracted within an attached archive.

Action

Specify what ORF should do when the processing of an archive is prematurely terminated.
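To make the interaction of these settings concrete, here is an added sketch (not ORF's implementation) of a bounded scan over nested ZIP archives: it matches inner file names against the example expression given later on this page, stops with a "terminated" status when the archive count or time budget is exhausted, and shows how force checking opens an Open XML-style package. The names scan, make_zip and MAX_MEMBER_BYTES, the case-insensitive matching and the sample archives are assumptions made for the example.

```python
import io
import re
import time
import zipfile

# The page's example expression; case-insensitive matching is an assumption here.
BLOCK_RE = re.compile(r".*\.(zip|exe|com|vbs)$", re.IGNORECASE)
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed per-file cap, not an ORF setting

def make_zip(files):
    """Build a ZIP in memory from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan(name, data, max_archives=5, max_seconds=2.0, force_check=False):
    """Match names inside an attached archive; return (status, hits)."""
    deadline = time.monotonic() + max_seconds
    opened, hits, stack = 0, [], [(name, data)]
    while stack:
        path, blob = stack.pop()
        # Without force_check only known archive extensions are opened.
        if not (force_check or path.lower().endswith(".zip")):
            continue
        if not zipfile.is_zipfile(io.BytesIO(blob)):
            continue
        if opened >= max_archives or time.monotonic() > deadline:
            return "terminated", hits  # caller applies the configured action
        opened += 1
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                inner = f"{path}/{info.filename}"
                if BLOCK_RE.match(info.filename):
                    hits.append(inner)
                encrypted = info.flag_bits & 0x1  # names are listable, data is not
                if info.is_dir() or encrypted or info.file_size > MAX_MEMBER_BYTES:
                    continue
                stack.append((inner, zf.read(info)))
    return "complete", hits

# Constructed samples: three nested archives and an Open XML-style package.
NESTED = make_zip({"b.zip": make_zip({"c.zip": make_zip({"run.vbs": b"x"})})})
PACKAGE = make_zip({"word/document.xml": b"<w/>", "word/embeddings/tool.exe": b"x"})

if __name__ == "__main__":
    print(scan("a.zip", NESTED, max_archives=2))
    print(scan("report.docx", PACKAGE))
    print(scan("report.docx", PACKAGE, force_check=True))
```

With a limit of two archives the innermost run.vbs is never reached, which is why the action chosen for prematurely terminated processing decides whether such an archive is delivered.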

Using the Attachment Filtering

Adding, modifying and deleting attachment filters

Click the New button to add a new attachment filter to the list. To modify an existing attachment filter, click Modify or hit Enter. Attachment filters can be deleted using the Delete button or the Delete key.

Sorting the attachment filter list

Click the column header of any column by which you wish to sort the attachment filter list. To reverse sorting, click the column header again.

Exporting and importing the attachment filters

Right-click on the expression list and select "Import List..." or "Export List...". Alternatively, you can do this from the menu: select File > Import > Attachment filter list or File > Export > Attachment filter list.

Searching expressions in logs

Right-click on the list item or items and select "Search in logs..." to find log records that match the defined expression. Logs need to be loaded in the Log Viewer beforehand.

Using the Attachment Filter Properties Dialog

Attachments can be filtered based on the attachment file name or the attachment MIME type (or both combined) and the attachment size.

Scope

ORF can look for files that match the filtering criteria both among the email attachments and inside attached archives. Select the appropriate search scope for your filter expression.

Attachment Name

Set the Filter by attachment name checkbox to filter by the attachment name. This can be combined with the content type filter on the MIME Content Type tab.

Select the filter type (can be a simple text file name / wildcard expression or a regular expression) and enter the desired file name or expression to the Attachment Name edit box.

MIME Content Type

Set the Filter by MIME content type checkbox to filter by the attachment's content type. This can be combined with the attachment file name filter on the Attachment Name tab.

Select the filter type (can be a simple text / wildcard expression or a regular expression) and enter the desired MIME type name (e.g., image/jpeg) or expression to the Content type/regular expression edit box.

Attachment Size

Set the Filter by file size checkbox to filter by the attachment's file size. This filter is combined with the attachment file name filter and the MIME content type filter.

Testing the Expressions

Test your expression using the Test attachment name and Test content type edit boxes. If the test box contents match with the mask, a green "Match" label appears on the right side of the test box.

Action

Select the action to be performed when the attachment is blacklisted by the filter. You can choose to replace the attachment with a removal notice or to drop the entire email.

Comment

Add an optional comment to the filter expression. This comment is logged when the filter expression catches an attachment, which is helpful when you have to know which expression caught the email. The comment can also be used in the warning message text.

Filtering attachments by file name extensions

By using regular expressions, you can easily filter attachments by file name extensions.

1. Start the ORF Administration Tool and select Blacklists > Attachment filtering in the left navigation pane.
2. Click New and tick the Filter by attachment name checkbox.
3. Set the expression type to Regular expression (Perl-compatible) and enter the filtering expression. For example, to block ZIP attachments, simply add

   .*\.zip$

   This will block all attached files ending with ".zip". You can also specify more than one extension in a single expression. If you wish to block ZIP, EXE, COM and VBS attachments, enter the following expression instead:

   .*\.(zip|exe|com|vbs)$

4. Finally, configure what ORF should do with the attachment (Filter Properties tab), optionally assign a comment to the filter and click OK.

UUENCODED Attachments

Filtering UUENCODED attachments is not supported. See the Limitations section for more information.

Using the Attachment Quarantine

Managing quarantined attachments

Click the Quarantine button to open the Attachment Quarantine manager. To release and resend a quarantined attachment, mark the corresponding checkbox and click the Resend button. In a similar fashion, quarantined attachments can be exported or deleted using the Export and Delete buttons.

Sorting the quarantine list

Click the column header of any column by which you wish to sort the quarantine list. To reverse sorting, click the column header again.

Searching attachments in the quarantine list

Click the search button (magnifying glass) and enter an expression with or without a wildcard (*) in any of the textboxes under the column headers. You can enter an expression in each textbox to narrow your search results.

Searching attachments in logs

Right-click on the list item or items and select "Search in logs..." to find log records that match the selected filename(s). Logs need to be loaded in the Log Viewer beforehand.

Copyright © Vamsoft Ltd. 2024. All rights reserved. Document ID adm-oa-attachmentfltr, version 6.