how_to:filtering_attachments

How to filter attachments

VPOP3 can filter attachments in several ways.

The most general is to use the Settings → Attachment Processing → Filtering tab as described below.

VPOP3 can also filter attachments using the content/spam filter, or by using an integrated virus scanner.

You can specify attachment filenames to filter using DOS style wildcards * and ?. VPOP3 initially starts with a default set of filter rules (see below), but you can change this as you wish. Each filter rule must be on a line of its own

You can also tell VPOP3 to look inside ZIP files and to block password protected ZIP files. Note that enabling both these options can make it hard for legitimate senders to bypass your attachment filters. For instance, if you tell VPOP3 to block .EXE files inside ZIP files and to block password protected ZIP files, if someone has to send you a .EXE file for some legitimate reason, it can be hard to get it through the filter. You can use Filtering Conditions to allow certain attachments through even though they would usually be filtered, for instance by specifying a certain subject line.

Filter Actions

If VPOP3 detects an attachment which is to be filtered, there are several actions it can take.

Incoming Messages

On incoming messages, VPOP3 will let the message through, but it can either remove or rename the attachment, so that it cannot be run easily. For instance if you have told VPOP3 to rename filtered attachments, a filename of document.txt.exe will be renamed to document.txt.ex_, this can still be run, by saving to disk, and renaming, but it makes it much harder, and is unlikely to be done by accident. Alternatively, you can tell VPOP3 to redirect filtered attachments, and the accompanying messages, to a certain user, for instance, an administrator, for them to check.

You can also tell VPOP3 to send a message to the message sender to tell them that the attachment was filtered. Note that this message does not say which action was taken by VPOP3, but just says that the message was filtered.

See also: Attachments have been removed or renamed

Outgoing Messages

On outgoing messages, VPOP3 will optionally block messages with filtered attachments. (It would not normally be desirable to allow a sent message through without the attachment).

VPOP3 will block the outgoing message with an error like:

554 5.7.1 Message prohibited (PROHIBITED FILENAME - <filename>)

Default Filter Rules

The default filter rules are:

  • *.vbs
  • *.{????????-????-????-????-????????????}
  • *.hta
  • *.???.???
  • * *.*
  • *.
  • *.pif

The reasons for some of these may not be obvious:

*.{????????-????-????-????-????????????} filters filenames ending with a GUID extension. Windows will hide the GUID extension but make opening the attachment do the appropriate action, which may be to run an executable file

*.???.??? filters filenames which have two extensions, eg document.txt.exe. Windows will often hide the second extension, but still use it when determining what action to take when opening the attachment. Sometimes this can be triggered by filenames like invoice.342.pdf

* *.* filters filenames containing lots of spaces. These are often used to make the file extension 'disappear' off the right hand side of the email client's attachment display, so it is not apparent what the real extension is. For instance document.txt .exe

*. filters filenames ending in a dot. Under Windows, the trailing . will be removed, meaning that document.exe. will become document.exe

how_to/filtering_attachments.txt · Last modified: 2018/11/14 10:45 by 127.0.0.1