The Microsoft Exchange Edge Transport
server can also filter content within attachments of a message. There
are times when an organization wants to prevent offensive or malicious
content stored in a Word document, Hypertext Markup Language
(HTML) attachment, and so on from being transmitted to users in a
network, so a filter can be configured to identify and handle incoming
messages that carry such attachments.
Understanding Attachment Filtering Processing
A powerful tool in the fight against computer viruses and other malicious
email attachments is the use of attachment filtering. Attachment
filtering allows you to identify a specific filename or all files of a
particular type using Multipurpose Internet Mail Extensions (MIME)
recognition. Attachment filtering can be applied to both incoming and
outgoing email. This allows you the flexibility of implementing
attachment distribution that complies with business requirements or
policy. For example, you can choose to block all executable file types
(for example, .bat, .exe, .scr) on inbound
email to help prevent the spread of new computer viruses or
distribution of unacceptable content. On outbound connections, you
could elect to block distribution of particular files by name (for
example, tradesecrets.doc, salaryinfo.xls), which
can help prevent proprietary information from being accidentally or
purposefully distributed. SMTP Send and Receive Connectors can be
included or excluded from attachment filtering.
Note
Changes described in this section are applied only to the local system. This is
important if you have more than one Edge Transport server in your
environment.
Planning Attachment Filtering Processing
One limitation to attachment filtering is that it can only be configured
using the Exchange Management Shell. No attachment filtering options
are available in the Exchange Management Console.
Exchange 2007, Outlook 2007, and Active Directory’s Group Policy can work
together to orchestrate implementation of an organization’s policy on
email attachments. Outlook 2007 includes an enabled default list of
Level 1 attachments—attachments that will not be allowed. File types
were placed on the Level 1 list because of their known or potential
ability to carry malicious code. Level 2 attachments are attachments that
initiate a prompt suggesting the user first download the attachment
prior to running it. This gives any locally installed antivirus
product the opportunity to scan the attachment for viral code that
might have bypassed email virus scanning, which is rare but not
impossible. By default, there are no Level 2 file types defined
in Outlook 2007.
There are over 70 Level 1 file types
included in Outlook 2007. Some examples of Level 1 file types are
shown in the following list. For a complete list, refer to the
Microsoft Outlook 2007 documentation.
Using Group Policy, an administrator can “open up” Level 1 attachments to
users so they can choose whether to accept the attachment and/or make
modifications to the Level 1 and Level 2 attachment lists.
Alternatively, administrators can take full control of this
functionality. This flexibility, unfortunately, can pose a security
risk. To offset this risk, administrators can use the attachment
filtering component on an Edge Transport server to block specific
attachments, regardless of the configuration in place on internal email
systems.
First, you need to determine what
attachments and/or types of attachments you want blocked and in what
direction(s) attachment filtering should take place: inbound, outbound,
or both. If you will be blocking a specific attachment, implement the
block using the filename. If you want to block all email attachments of
a specific type, add the file extension so it can be identified by its
MIME type, regardless of the filename.
After you have decided on which attached files or file types you want to
identify in email messages, you also need to determine what you want to
do with messages containing those attachments. The default action is to
block the attachment and the message (Reject). The available actions
you can take on messages and attachments defined in the attachment
filter include the following:
Reject— Stops delivery of the message and attachments to the recipient and sends an undeliverable response to the sender.
Strip— Delivers the message to the recipient, replacing the attachment in the message with a notification it has been removed. Any attachment not listed in the attachment filter will still be available to the recipient.
SilentDelete— Similar to the Reject action in that the message and attachment aren’t delivered; however, the SilentDelete action does not send an undeliverable notification to the sender.
Using the Exchange Management Shell to Configure Attachment Filtering
Attachment filtering, as previously mentioned, can only be configured through the
Exchange Management Shell. Each shell command has its own parameters
you can set based on the action(s) performed by the command. There are
four commands: Get, Add, Remove, and Set. Each command works with one or more IP Block and Allow List components.
The Get- command is used to retrieve the configuration of a component. For example, entering Get-AttachmentFilterEntry filename shows whether that file is being identified in messages.
The Add- command can be used to add an entry to the Attachment Filter Agent. The following example adds a filename to be blocked.
Add-AttachmentFilterEntry -Name virus.exe -Type FileName
The Remove- command can be used to remove an attachment filter entry. The following example removes an entry by filename.
Remove-AttachmentFilterEntry -Identity FileName:virus.exe
The Set- command allows an administrator to modify the configuration of the
attachment filter. In attachment filtering, it is primarily used to set
the action. The following example configures the action and response
options.
Set-AttachmentFilterListConfig -Action Reject -RejectResponse "Attachment type not allowed."
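The planning decisions and shell commands above, combined into one script as an added example (not from the original text). It adds a blocklist only where entries are missing, sets the Reject action, and exports the result so it can be compared across Edge Transport servers, because the settings are local to each server. The entry list, the wildcard and content-type values, the response text, and the export path are assumptions chosen for illustration.

```powershell
# Run in the Exchange Management Shell on EACH Edge Transport server:
# attachment filter settings apply only to the server they are run on.

# Constructed sample policy (assumption): replace with your own list.
$desired = @(
    @{ Name = '*.exe';                    Type = 'FileName' },
    @{ Name = '*.bat';                    Type = 'FileName' },
    @{ Name = '*.scr';                    Type = 'FileName' },
    @{ Name = 'tradesecrets.doc';         Type = 'FileName' },
    @{ Name = 'application/x-msdownload'; Type = 'ContentType' }
)

# Build "Type:Name" keys for the entries already on this server,
# for example "FileName:*.exe" or "ContentType:application/x-msdownload".
$existing = @(Get-AttachmentFilterEntry |
    ForEach-Object { "$($_.Type):$($_.Name)" })

# Add only what is missing, so the script can be re-run safely.
foreach ($entry in $desired) {
    $key = "$($entry.Type):$($entry.Name)"
    if ($existing -contains $key) {
        Write-Host "Already present: $key"
    }
    else {
        Add-AttachmentFilterEntry -Name $entry.Name -Type $entry.Type
        Write-Host "Added:           $key"
    }
}

# One action applies to every entry in the list (Reject, Strip, or SilentDelete).
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "Attachment type not allowed."

# Review the effective configuration on this server.
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse
Get-AttachmentFilterEntry | Sort-Object Type, Name |
    Format-Table Type, Name -AutoSize

# Export the entry list; diff this file between Edge servers to catch drift.
# The output path is a placeholder.
Get-AttachmentFilterEntry | Sort-Object Type, Name |
    Select-Object Type, Name |
    Export-Csv -Path ".\attachment-filter-$($env:COMPUTERNAME).csv" -NoTypeInformation
```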