Figure 7.46 The Content Filter Configuration Settings
If the feature is set to False for some reason, you can enable it by typing Set-ContentFilterConfig -OutlookEmailPostmarkValidationEnabled $True and pressing Enter.
Attachment Filtering
As most of you are aware, Exchange Server 2003 didn't include a function that let you filter out specific attachments. Instead, you had to create your own SMTP OnArrival Event Sink, use a third-party product, or rely strictly on the OWA 2003 and Outlook 2003 attachment control feature. However, since you really should filter out unwanted attachment types on an SMTP gateway in your perimeter network (the DMZ or screened subnet) before they arrive at your internal network, the last two options aren't recommended. An attachment filtering mechanism should have been a native feature in Exchange a long time ago, but finally the wait is over with the Edge Transport server in Exchange Server 2007. Let's do attachment filtering at the server level (hooray!). You now have the possibility of filtering out messages based on attachment filename, filename extension, or file MIME content type. You even have the choice of filtering out both the message and the attachment or just stripping the attachment. You can even choose to delete both the message and the attachment "silently," meaning that both will be deleted without notifying the sender of the message.

SOME INDEPENDENT ADVICE
In recent years more and more focus has been placed on deploying messaging environments where each individual e-mail message is either digitally signed or encrypted, or even protected using Information Rights Management (IRM). Here in Denmark, where I live, the governmental institutions have an especially strong desire for protecting messages while they're in transit. If you're doing the same in your organization or are planning to do so, you should bear in mind that stripping an attachment from a digitally signed, encrypted, or IRM-protected e-mail message will invalidate the message so that it becomes unreadable. One way to solve this problem in dealing with digitally signed or encrypted messages is to put up some kind of black box that takes care of signing and encrypting the messages after the attachment filter processes them. The company I work for got such a product, which is becoming more and more popular here in Denmark.
The Attachment Filtering agent applies right after the Content Filtering agent and can be configured using the Add-AttachmentFilterEntry cmdlet. Unfortunately, there's no way to configure Attachment Filtering via the EMC GUI; you will have to do so using the EMS. We don't really know why this feature hasn't been included in the GUI, but our guess is that the Exchange Product team didn't have the time to integrate the feature in the GUI. If this is the case, we expect it to be included in Exchange Server 2007 Service Pack 1, but only time will tell.
Before you start to configure the Attachment Filter agent, you first need to make sure that the agent is enabled. To do so, open the EMS and type Get-TransportAgent. On a default installation of an Edge Transport server, this agent should be enabled by default, but if it is for some reason disabled, you can enable it by typing Enable-TransportAgent -Identity "Attachment Filtering Agent" and then pressing Enter.
Now that the agent is enabled, type Get-AttachmentFilterEntry | FL and press Enter. This will give you a list of all filename extensions and content types on which the Attachment Filtering agent can filter (see Table 7.3).
Table 7.3 Filename Extensions and Content Types

Type         Name                       Identity
ContentType  Application/x-msdownload   ContentType:application/x-msdownload
ContentType  Message/partial            ContentType:message/partial
ContentType  Text/scriptlet             ContentType:text/scriptlet
ContentType  Application/prg            ContentType:application/prg
ContentType  Application/msaccess       ContentType:application/msaccess
ContentType  Text/javascript            ContentType:text/javascript
ContentType  Application/x-javascript   ContentType:application/x-javascript
ContentType  Application/javascript     ContentType:application/javascript
ContentType  x-internet-signup          ContentType:x-internet-signup
ContentType  Application/hta            ContentType:application/hta
FileName     *.wsh                      FileName:*.wsh
FileName     *.wsf                      FileName:*.wsf
FileName     *.wsc                      FileName:*.wsc
FileName     *.vbs                      FileName:*.vbs
FileName     *.vbe                      FileName:*.vbe
FileName     *.vb                       FileName:*.vb
FileName     *.url                      FileName:*.url
FileName     *.shs                      FileName:*.shs
FileName     *.shb                      FileName:*.shb
FileName     *.sct                      FileName:*.sct
FileName     *.scr                      FileName:*.scr
FileName     *.scf                      FileName:*.scf
FileName     *.reg                      FileName:*.reg
FileName     *.prg                      FileName:*.prg
FileName     *.prf                      FileName:*.prf
FileName     *.pcd                      FileName:*.pcd
FileName     *.ops                      FileName:*.ops
FileName     *.mst                      FileName:*.mst
FileName     *.msp                      FileName:*.msp
FileName     *.msi                      FileName:*.msi
FileName     *.ps11xml                  FileName:*.ps11xml
FileName     *.ps11                     FileName:*.ps11
FileName     *.ps1xml                   FileName:*.ps1xml
FileName     *.ps1                      FileName:*.ps1
FileName     *.msc                      FileName:*.msc
FileName     *.mdz                      FileName:*.mdz
FileName     *.mdw                      FileName:*.mdw
FileName     *.mdt                      FileName:*.mdt
FileName     *.mde                      FileName:*.mde
FileName     *.mdb                      FileName:*.mdb
FileName     *.mda                      FileName:*.mda
FileName     *.lnk                      FileName:*.lnk
FileName     *.ksh                      FileName:*.ksh
FileName     *.jse                      FileName:*.jse
FileName     *.js                       FileName:*.js
FileName     *.isp                      FileName:*.isp
FileName     *.ins                      FileName:*.ins
FileName     *.inf                      FileName:*.inf
FileName     *.hta                      FileName:*.hta
FileName     *.hlp                      FileName:*.hlp
FileName     *.fxp                      FileName:*.fxp
FileName     *.exe                      FileName:*.exe
FileName     *.csh                      FileName:*.csh
FileName     *.crt                      FileName:*.crt
FileName     *.cpl                      FileName:*.cpl
FileName     *.com                      FileName:*.com
FileName     *.cmd                      FileName:*.cmd
FileName     *.chm                      FileName:*.chm
FileName     *.bat                      FileName:*.bat
FileName     *.bas                      FileName:*.bas
FileName     *.asx                      FileName:*.asx
FileName     *.app                      FileName:*.app
FileName     *.adp                      FileName:*.adp
FileName     *.ade                      FileName:*.ade
All attachment filter entries on an Edge Transport server use the same attachment filtering behavior, that is, the same custom response message as well as the same action (reject, strip, or silent delete).
If you only want to strip the attachment but allow the message through, you would need to use the command Set-AttachmentFilterListConfig -Action Strip. If you want to include a custom admin message in the text file that replaces the stripped attachments, you would need to use the command Set-AttachmentFilterListConfig -Action Strip -AdminMessage "The attachment in this message has been filtered as it's not allowed in this organization." Finally, to silently delete both the message and the attachment, use the command Set-AttachmentFilterListConfig -Action SilentDelete.
You can add file extensions or filenames to this list using the Add-AttachmentFilterEntry cmdlet. For example, if you wanted to filter out ZIP files, you would need to run the following command: Add-AttachmentFilterEntry -Name *.zip -Type FileName. If you wanted to filter out messages with a specific MIME type, such as GIF files, you would need to use the command Add-AttachmentFilterEntry -Name image/gif -Type ContentType. If you wanted to filter out messages that contain an attachment with a specific filename, say one called dangerous_file, you would use the command Add-AttachmentFilterEntry -Name dangerous_file -Type FileName.
If you want to remove an attachment filter entry later, you do so using the Remove-AttachmentFilterEntry cmdlet. For example, if you wanted to remove the ZIP attachment filter entry, you would need to type Remove-AttachmentFilterEntry -Identity FileName:*.zip.
That’s pretty simple, right?
To be able to use more advanced features such as scanning files inside a ZIP file, you would need to install Forefront Security for Exchange Server (which we will talk a bit about later in this chapter) or a supported third-party product.
As mentioned, you can choose to block a whole message, including the attachment (this returns a delivery status notification to the sender); strip the attachment but allow the message through (this replaces the attachment with a text file explaining why the attachment was stripped); or silently delete both the message and the attachment (this deletes both without notifying the sender). You can also configure a custom response message that will be included in the delivery status notification returned to the sender when a message and an attached file are blocked. This is done using the Set-AttachmentFilterListConfig cmdlet. An example could be Set-AttachmentFilterListConfig -Action Reject -RejectResponse "This message has been rejected since the attached file type isn't allowed in this organization".
The last thing we'll mention regarding the Attachment Filtering agent is that you can exclude a list of connectors from attachment filtering, which means that attachment filtering won't be applied to messages flowing through the specified connectors. You can exclude one or more connectors using Set-AttachmentFilterListConfig -Action Reject -ExceptionConnectors <Connector_GUID>. To get the GUID for a receive connector, type Get-ReceiveConnector | FL.
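The steps above (check that the agent is enabled, add entries, set the shared action and message, and exempt a connector) fit naturally into one Exchange Management Shell script. The following is an added example written for this section, not a script from the book; it uses only the cmdlets the text names. The entries it adds (*.zip, image/gif, dangerous_file) and the connector name "Internal Relay" are assumed values chosen for illustration, so substitute your own.

```powershell
# Added example (not from the book): configure the Edge Transport
# Attachment Filtering agent end to end from the EMS.
# Assumed values: the filter entries below and the connector name "Internal Relay".

# 1. Make sure the agent is enabled before touching its configuration.
$agent = Get-TransportAgent -Identity "Attachment Filtering Agent"
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity "Attachment Filtering Agent"
    Write-Host "Attachment Filtering Agent enabled"
}

# 2. Entries we want on the list (assumed examples, matching the text).
$wanted = @(
    @{ Name = "*.zip";          Type = "FileName"    },
    @{ Name = "image/gif";      Type = "ContentType" },
    @{ Name = "dangerous_file"; Type = "FileName"    }
)

# Adding an entry that already exists fails, so compare against the current
# list first. Identities look like "FileName:*.zip" or "ContentType:image/gif",
# exactly as Get-AttachmentFilterEntry | FL shows them in Table 7.3.
$existing = Get-AttachmentFilterEntry | ForEach-Object { $_.Identity.ToString() }
foreach ($e in $wanted) {
    $id = "{0}:{1}" -f $e.Type, $e.Name
    if ($existing -contains $id) {
        Write-Host "Already present: $id"
    } else {
        Add-AttachmentFilterEntry -Name $e.Name -Type $e.Type
        Write-Host "Added: $id"
    }
}

# 3. One behaviour applies to every entry. Strip keeps the message and replaces
#    the attachment with a text file carrying this admin message.
Set-AttachmentFilterListConfig -Action Strip `
    -AdminMessage "The attachment in this message has been filtered as it's not allowed in this organization."

# 4. Exempt a trusted receive connector, resolving its GUID from its name
#    rather than pasting it from Get-ReceiveConnector | FL by hand.
$conn = Get-ReceiveConnector | Where-Object { $_.Name -eq "Internal Relay" }
if ($conn) {
    Set-AttachmentFilterListConfig -ExceptionConnectors $conn.Guid
    Write-Host ("Exempted connector {0} ({1})" -f $conn.Name, $conn.Guid)
} else {
    Write-Warning "Connector 'Internal Relay' not found; no exception configured"
}

# 5. Verify what is now in effect.
Get-AttachmentFilterListConfig | Format-List Action, AdminMessage, RejectResponse, ExceptionConnectors
Get-AttachmentFilterEntry | Where-Object { $_.Identity.ToString() -in @("FileName:*.zip", "ContentType:image/gif", "FileName:dangerous_file") }

# To roll an entry back later:
# Remove-AttachmentFilterEntry -Identity "FileName:*.zip"
```

Two things worth knowing when you run this: the action and messages are list-wide, so a later Set-AttachmentFilterListConfig -Action SilentDelete silently changes the fate of every entry added earlier, and -ExceptionConnectors replaces the whole exception list rather than appending to it, so pass every connector you want exempted in one call.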