
Settings -> Attachment Processing

The Attachment Processing page allows you to configure VPOP3 to perform two distinct functions on messages that contain attachments:

Filtering

The Filtering tab is divided into four main sections:

Attachment Filtering

Attachment filtering is applied when a new message is received by VPOP3. The Attachment filenames to filter box allows you to use basic pattern matching, so that VPOP3 will only filter certain attachments; for instance, those with a particular filename extension that could allow a malicious file to be run accidentally by the recipient.

The syntax for pattern matching is to type specific characters where they will appear, substituting ? for a single unknown character and * for an unknown number of characters.
e.g. ?x*.txt will match filenames such as example.txt and Oxford.txt, but because the ? character only stands for exactly one character, it will not match Texas.txt

Default filtered filenames

Pattern - Explanation

  • *.vbs - Files with a .vbs extension will typically run as Visual Basic Scripts.
  • *.{????????-????-????-????-????????????} - Filenames ending in a GUID (Globally Unique Identifier) - These files could instruct Windows to open the file in a particular program, or as an executable, irrespective of the actual filename extension. Note: GUIDs only contain hexadecimal characters (numbers 0-9 and letters A-F), but this pattern would also match for non-hexadecimal characters.
  • *.hta - Files with a .hta extension will typically run as HTML applications; potentially allowing the use of JScript and VBScript.
  • *.???.??? - Files with a 'double' filename extension are commonly used to distract the recipient. For example, by naming a file photo.jpg.exe, the sender could exploit users who do not have the technical knowledge to realise that the file is an application and not a picture.
  • *          *.* - Files with at least 10 consecutive spaces in the filename. There are few legitimate reasons for using 10 consecutive spaces, so it is likely to be an exploit attempt. Using a lot of spaces may obscure the filename extension in some mail clients, or may make the attachment look like two distinct files.
  • *. - Windows will disregard the dot at the end of a filename, so there is very little reason for a filename legitimately ending with a dot. An attacker may try using a dot at the end of the filename, in order to circumvent other filtering rules.
  • *.pif - Files with a .pif extension will typically be Program Information Files for DOS. They can be used to transmit viruses.

There are two checkboxes in this section:

  • Filter attachments in ZIP files - If the incoming attachment is a Zip file, checking this box will instruct VPOP3 to filter the contents of the Zip file. Note: VPOP3 will not look for files contained within Zip files that are themselves contained within another Zip file.
  • Block password protected ZIP files - VPOP3 is unable to inspect the contents of a password protected zip file, so checking this box will instruct VPOP3 to automatically filter all password protected Zip files, as a precaution.
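
The pattern syntax, the default pattern list and the two ZIP options described above, as an added Python example (not VPOP3's own code). Case-insensitive matching and all function names are assumptions, and the sample filenames and archives are constructed.

```python
import io
import re
import zipfile

# Default patterns from the list on this page (the fifth has ten spaces).
DEFAULT_PATTERNS = [
    "*.vbs",
    "*.{????????-????-????-????-????????????}",
    "*.hta",
    "*.???.???",
    "*" + " " * 10 + "*.*",
    "*.",
    "*.pif",
]

def wildcard_to_regex(pattern):
    """? stands for exactly one character, * for any number of characters."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    # Assumption: matching ignores case, as Windows filenames do.
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE | re.DOTALL)

def matching_patterns(filename, patterns=DEFAULT_PATTERNS):
    return [p for p in patterns if wildcard_to_regex(p).match(filename)]

def check_attachment(filename, data, block_encrypted=True):
    """Return the reasons an attachment would be filtered (empty = passes)."""
    reasons = [f"name matches {p}" for p in matching_patterns(filename)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
        # Bit 0 of the general purpose flags marks an encrypted member.
        if block_encrypted and any(m.flag_bits & 0x1 for m in members):
            return reasons + ["password protected ZIP"]
        # One level only: names inside a nested ZIP are not examined.
        for m in members:
            reasons += [f"ZIP member {m.filename} matches {p}"
                        for p in matching_patterns(m.filename)]
    return reasons

def make_zip(members):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    print(check_attachment("photo.jpg.exe", b"not a zip"))
    print(check_attachment("photos.zip", make_zip({"holiday.jpg.exe": b"x"})))
```

A name made of non-hexadecimal characters in GUID layout still matches the GUID pattern, and a script inside a ZIP inside another ZIP produces no match, as the notes above state.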

Incoming Messages

There are various attachment processing options for incoming messages:

  • Check incoming attachments - Whether filtering is enabled for incoming messages
  • Remove filtered attachments from message
  • Change filtered attachment extension to make it unrunnable - This is achieved by replacing the final character of the filename extension with an underscore (_). Users should be able to open the file by renaming the extension, but this extra step will normally deter users from opening the file, unless they know what they are doing.
  • Redirect messages with filtered attachment to: [-] - A specific user may be given the responsibility of reviewing messages with filtered attachments.
  • Inform sender that attachments were filtered

Outgoing Messages

If you check Reject outgoing messages with filtered attachments, VPOP3 will not send any messages with attachments that meet the filtering criteria.
This is particularly useful as a second line of defence, in case something gets onto the network and tries to send messages with certain types of file attachment.

Email notifications

Notification emails will be sent out to the sender when their message contains filtered attachments.

You can specify Sender and Reply-To addresses for the notification message.

Filtering Conditions

The Filtering Conditions tab allows you to optionally exclude or include messages in the attachment filtering, based on the message headers.

There are two boxes for entering conditions:

  • Skip filtering for
  • Do filtering for

Rules in Skip filtering for will be applied first. If there is a successful match, no filtering will take place on the message. If there is no match, VPOP3 will apply the Do filtering for rules. If there is a successful match, or if Do filtering for is blank, VPOP3 will then filter the message for blocked attachments.

Each rule needs to be entered as a separate line, in the format <Header field>: <Data to match>. e.g. Subject: Annual accounts.
You may either use wildcards (? and *) or regular expressions for the Data to match part of the rule. e.g. Subject: Annual accounts for*, or Subject: /Annual accounts for (Your main business|Your other business)/i
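
The evaluation order of the two rule boxes, as an added Python example (not VPOP3's own code). The function names are hypothetical, and it assumes that a wildcard rule must match the whole header value ignoring case while a /regex/ rule may match anywhere in it; the sample headers are constructed.

```python
import re

def compile_rule(line):
    """Parse '<Header field>: <Data to match>' into (header name, regex)."""
    header, _, data = line.partition(":")
    header, data = header.strip().lower(), data.strip()
    rx = re.fullmatch(r"/(.*)/(i?)", data)
    if rx:  # regular expression form: /.../ with an optional i flag
        return header, re.compile(rx.group(1), re.I if rx.group(2) else 0)
    # Wildcard form. Assumption: whole-value match, ignoring case.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in data)
    return header, re.compile(r"\A" + body + r"\Z", re.I)

def any_rule_matches(rules, headers):
    for header, rx in (compile_rule(r) for r in rules if r.strip()):
        value = headers.get(header)
        if value is not None and rx.search(value):
            return True
    return False

def should_filter(headers, skip_rules, do_rules):
    """Apply 'Skip filtering for' first, then 'Do filtering for'."""
    headers = {k.lower(): v for k, v in headers.items()}
    if any_rule_matches(skip_rules, headers):
        return False  # a skip match ends processing: no filtering
    active = [r for r in do_rules if r.strip()]
    # A blank 'Do filtering for' box means every remaining message is filtered.
    return not active or any_rule_matches(active, headers)

# Constructed sample message headers.
SAMPLE = {
    "Subject": "Annual accounts for Your main business",
    "From": "accounts@example.com",
}

if __name__ == "__main__":
    regex_rule = "Subject: /Annual accounts for (Your main business|Your other business)/i"
    print(should_filter(SAMPLE, [], []))                                 # both boxes blank
    print(should_filter(SAMPLE, ["Subject: Annual accounts for*"], []))  # skip rule matches
    print(should_filter(SAMPLE, [], [regex_rule]))                       # do rule matches
```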

Extraction

The Extraction tab allows you to enable and configure the Attachment Extraction feature.

Attachment Extraction is the process of decoding an attachment from an incoming message, and saving it into a directory that is accessible from the VPOP3 computer. These attachments may optionally be removed from the message, before being allocated to the recipient(s).

  • Extract attachments to directory - This allows you to specify any folder that is accessible by VPOP3. Assuming a default installation, the default path is c:\vpop3\_attach. If you plan to allow the users to view the attachments, you would normally pick a shared directory on the network and enter the UNC path. The UNC path is important; not only because VPOP3 normally runs as the Local System user and so doesn't have access to mapped drives, but also because users are issued with a link to the file, when the file is removed from the message. The UNC path should make it easier to access the file, provided that the appropriate network permissions have been set.

The attachments directory can include tags, which will be replaced by a dynamic value, such as:

  • %subject% - The message subject, but with some characters replaced with underscores
  • %year% - Four digit year
  • %month% - Two digit month
  • %day% - Two digit day of the month
  • %hour% - Two digit hour (0-23)
  • %minute% - Two digit minute
  • %date% - In the format of the locale date on the server
  • %dow% - A numeric representation of the day of the week (0-6). Sunday is 0, Monday is 1, Tuesday is 2, etc.

There are four processing options:

  • Leave attachments in the original message - If this is unchecked, attachments will be removed from the email, and the message will contain links to the file(s) stored in the attachments directory.
  • Put attachments in subdirectories by message subject
  • Put attachments in subdirectories by receipt date - An alternative to storing attachments in subdirectories by message subject.
  • Resolve filename conflicts - Give an attachment an alternative name, instead of overwriting a file that is already there.
reference/attachment_processing.txt · Last modified: 2018/11/14 10:45 by 127.0.0.1