
This is an old revision of the document!


Settings -> Attachment Processing

The Attachment Processing page allows you to configure VPOP3 to perform two distinct functions on messages that contain attachments:

Filtering

The Filtering tab is divided into four main sections:

Attachment Filtering

Attachment filtering is applied when a new message is received by VPOP3. The Attachment filenames to filter box allows you to use basic pattern matching, so that VPOP3 will only filter certain attachments; for instance, those with a filename extension that would enable a malicious file to be run accidentally by the recipient.

To write a pattern, type the specific characters in the positions where they will appear, substitute ? for a single unknown character, and substitute * for an unknown number of characters.
e.g. ?x*.txt will match filenames such as example.txt and Oxford.txt, but because the ? character represents exactly one character, it will not match Texas.txt

Default filtered filenames

Pattern Explanation
*.vbs
Files with a .vbs extension will typically run as Visual Basic Scripts.
*.{????????-????-????-????-????????????}
Filenames ending in a GUID (Globally Unique Identifier) - These files could instruct Windows to open the file in a particular program, or as an executable, irrespective of the actual filename extension. Note: GUIDs only contain hexadecimal characters (numbers 0-9 and letters A-F), but this pattern would also match non-hexadecimal characters.
*.hta
Files with a .hta extension will typically run as HTML applications; potentially allowing the use of JScript and VBScript.
*.???.???
Files with a 'double' filename extension are commonly used to distract the recipient. For example, by naming a file photo.jpg.exe, the sender could exploit users who do not have the technical knowledge to realise that the file is an application and not a picture.
*          *.*
Files with at least 10 consecutive spaces in the filename. There are few legitimate reasons for using 10 consecutive spaces, so it is likely to be an exploit attempt. Using a lot of spaces may obscure the filename extension in some mail clients, or may make the attachment look like two distinct files.
*.
Windows will disregard the dot at the end of a filename, so there is very little reason for a filename legitimately ending with a dot. An attacker may try using a dot at the end of the filename, in order to circumvent other filtering rules.
*.pif
Files with a .pif extension will typically be Program Information Files for DOS. They can be used to transmit viruses.

There are two checkboxes in this section:

  • Filter attachments in ZIP files - If the incoming attachment is a Zip file, checking this box will instruct VPOP3 to filter the contents of the Zip file. Note: VPOP3 does not look for files contained within Zip files that are themselves contained within another Zip file.
  • Block password protected ZIP files - VPOP3 is unable to inspect the contents of a password protected zip file, so checking this box will instruct VPOP3 to automatically filter all password protected Zip files, as a precaution.

Incoming Messages

There are various attachment processing options for incoming messages:

  • Check incoming attachments - Whether filtering is enabled for incoming messages
  • Remove filtered attachments from message
  • Change filtered attachment extension to make it unrunnable - This is achieved by replacing the final character of the filename extension with an underscore (_). Users should be able to open the file by renaming the extension, but this extra step will normally deter users from opening the file, unless they know what they are doing.
  • Redirect messages with filtered attachment to: [-] - A specific user may be given the responsibility of reviewing messages with filtered attachments.
  • Inform sender that attachments were filtered
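
The following is an added example, not VPOP3's own code: it implements the ? and * pattern syntax described above, applies the default filtered filenames to sample names, renames a filtered extension the way the "make it unrunnable" option is described, and checks a ZIP one level deep. The function names, the case-insensitive matching, the handling of names without an extension, and the sample ZIP are assumptions made for illustration.

```python
import io
import re
import zipfile

GUID = "{" + "-".join("?" * n for n in (8, 4, 4, 4, 12)) + "}"
SPACES = "*" + " " * 10 + "*.*"          # at least 10 consecutive spaces
# Default filtered filenames, as listed on this page.
DEFAULTS = ["*.vbs", "*." + GUID, "*.hta", "*.???.???", SPACES, "*.", "*.pif"]

def to_regex(pattern):
    """? matches exactly one character, * matches any number of characters."""
    body = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c)
                   for c in pattern)
    # Assumption: case-insensitive matching; the page does not say either way.
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def matched(filename, patterns=DEFAULTS):
    """Return every pattern that matches the whole filename."""
    return [p for p in patterns if to_regex(p).fullmatch(filename)]

def neutralise(filename):
    """Replace the final character of the extension with an underscore."""
    stem, dot, ext = filename.rpartition(".")
    # Assumption: a name with no extension is left unchanged.
    return f"{stem}.{ext[:-1]}_" if dot and ext else filename

def scan_zip(data, patterns=DEFAULTS):
    """Check member names one level deep; nested ZIPs are not opened."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.rsplit("/", 1)[-1] for n in zf.namelist()]
    return [n for n in names if matched(n, patterns)]

def sample_zip():
    """Constructed input: a ZIP holding a double-extension file and a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("run.vbs", "constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "constructed placeholder")
        zf.writestr("photo.jpg.exe", "constructed placeholder")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for name in ("example.txt", "Texas.txt"):
        print(name, bool(to_regex("?x*.txt").fullmatch(name)))
    print(matched("photo.jpg.exe"), neutralise("photo.jpg.exe"))
    print(scan_zip(sample_zip()))
```

In the sample ZIP only photo.jpg.exe is reported: run.vbs sits inside inner.zip, which a one-level check never opens, so nested archives need a separate policy if that gap matters.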

Outgoing Messages

Email notifications

Filtering Conditions

Extraction

reference/attachment_processing.1343060884.txt.gz · Last modified: 2018/11/14 10:44 (external edit)