Mailspect Documentation
Attachment filtering by extension and MIME type

To filter attachments by file name extension and/or MIME type, we'll use the boorex engine and the contentfilter scanner. For attachment name filtering there are 4 categories of expressions: video, images, audio and documents. They are enabled as comma-separated values in the attachment_filter option of each policy where the contentfilter engine is used. Likewise, for MIME type filtering we define 4 categories of expressions and enable them in the header_filter option.

Sample XML configuration is available below:

<mppd>
<common>
........

</common>

<groups>
 <group id="default">

  <scanner>
   <scan_engines>contentfilter</scan_engines>
  </scanner>

  <contentfilter>
   <attachment_filter>video,audio,images,documents</attachment_filter>
   <attachment_filter_enable>yes</attachment_filter_enable>
   <header_filter>video_mime,audio_mime,image_mime,document_mime</header_filter>
   <header_filter_enable>yes</header_filter_enable>
  </contentfilter>

  <actions>
   <on_unauthorized_attachment>quarantine</on_unauthorized_attachment>
   <on_unauthorized_header>quarantine</on_unauthorized_header>

   <!-- per boorex engine action -->
   <on_unauthorized_header if_engine="text_mime">pass</on_unauthorized_header>

   <!-- per expression id action -->
   <on_unauthorized_attachment if_result="ms_word">pass</on_unauthorized_attachment>

  </actions>
 </group>

 <group id="audio">
  <address_memberlist type="both">somedomain.com, 12.12.32.81/255, anotherdomain.com</address_memberlist>
  <contentfilter>
   <attachment_filter>audio,documents</attachment_filter>
   <attachment_filter_enable>yes</attachment_filter_enable>
  </contentfilter>
 </group>
</groups>

 <engines>
    <boorex id="video">
        <file id="by_file_name" options="perl,match_perl,icase">/usr/local/MPP/cf/video_extensions</file>
    </boorex>

    <boorex id="images">
        <file id="by_file_name" options="perl,match_perl,icase">/usr/local/MPP/cf/images_extensions</file>
   </boorex>

    <boorex id="audio">
        <file id="by_file_name" options="perl,match_perl,icase">/usr/local/MPP/cf/audio_extensions</file>
    </boorex>

    <boorex id="documents">
        <file id="by_file_name" options="perl,match_perl,icase">/usr/local/MPP/cf/documents_extensions</file>
     </boorex>

    <boorex id="video_mime">
        <i id="by_mime_type">(^|\n)Content-Type:[^\n]*video/[^\n]*($|\n)</i>
    </boorex>

    <boorex id="image_mime">
        <i id="by_mime_type">(^|\n)Content-Type:[^\n]*image/[^\n]*($|\n)</i>
    </boorex>
    
    <boorex id="audio_mime">
        <i id="by_mime_type">(^|\n)Content-Type:[^\n]*audio/[^\n]*($|\n)</i>
    </boorex>

    <boorex id="document_mime">
        <i id="by_mime_type">(^|\n)Content-Type:[^\n]*text/[^\n]*($|\n)</i>
    </boorex>

  </engines>
</mppd>

Expression files

Contents of /usr/local/MPP/cf/video_extensions

(.*\.mp.*)      mpeg
(.*\.avi$)      avi
(.*\.(mov$|qt$))        quicktime
(.*\.(asf$|asr$|asx$))  ms_asf
(.*\.wmv$)      win_movie

Contents of /usr/local/MPP/cf/images_extensions

(.*\.jp.*)      jpeg
(.*\.gif$)      gif
(.*\.png$)      png
(.*\.svg$)      svg
(.*\.tif.*)     tiff

Contents of /usr/local/MPP/cf/audio_extensions

(.*\.mp3$)      mp3
(.*\.((m3u$)|(pls$)))   playlist
(.*\.mid$)      midi

Contents of /usr/local/MPP/cf/documents_extensions

(.*\.txt)       txt
(.*\.(html$|htm$))      html
(.*\.xml$)      xml
(.*\.(doc$|docx$))      ms_word
(.*\.(sxw$|odt$|ods$))  openoffice_doc
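
To check what these expression lists actually match before enabling them in a policy, the following added example (not part of the Mailspect documentation or product) loads the four listings into Python and labels sample attachment names as category.id, the form used in the MPP log. It assumes Python's re.search with IGNORECASE approximates the boorex options perl,match_perl,icase; load_rules, classify and the sample names are constructed for illustration.

```python
import re

# Expression lists copied from the page's listings: "<regex> <whitespace> <expression id>".
EXPRESSION_FILES = {
    "video": r"""(.*\.mp.*)      mpeg
(.*\.avi$)      avi
(.*\.(mov$|qt$))        quicktime
(.*\.(asf$|asr$|asx$))  ms_asf
(.*\.wmv$)      win_movie""",
    "images": r"""(.*\.jp.*)      jpeg
(.*\.gif$)      gif
(.*\.png$)      png
(.*\.svg$)      svg
(.*\.tif.*)     tiff""",
    "audio": r"""(.*\.mp3$)      mp3
(.*\.((m3u$)|(pls$)))   playlist
(.*\.mid$)      midi""",
    "documents": r"""(.*\.txt)       txt
(.*\.(html$|htm$))      html
(.*\.xml$)      xml
(.*\.(doc$|docx$))      ms_word
(.*\.(sxw$|odt$|ods$))  openoffice_doc""",
}

def load_rules(files):
    """Compile each listing line into (label, regex); label is 'category.id'."""
    rules = []
    for category, text in files.items():
        for line in text.splitlines():
            pattern, expr_id = line.rsplit(None, 1)
            # Assumption: re.search + IGNORECASE stands in for boorex "perl,match_perl,icase".
            rules.append((f"{category}.{expr_id}", re.compile(pattern, re.IGNORECASE)))
    return rules

RULES = load_rules(EXPRESSION_FILES)

def classify(filename):
    """Return every label whose expression matches the attachment name."""
    return [label for label, rx in RULES if rx.search(filename)]

# Constructed samples: the first two names appear in the page's log, the rest probe edge cases.
SAMPLES = ["9222-CanalPlus.wmv", "Picture 1-1.png", "song.mp3",
           "notes.txt.zip", "Q3.DOCX", "archive.zip"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:24} -> {classify(name) or 'no match'}")
```

Under these assumptions song.mp3 matches both video.mpeg and audio.mp3, and notes.txt.zip matches documents.txt, because (.*\.mp.*) and (.*\.txt) are not anchored with $.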

All boorex ids have been enabled, and when an attachment name matches an unauthorized expression the message is quarantined. A sample MPP log snippet is shown below:

[17:55:09] 6 [b0485000] [BoorexJob] [ProcessNextMIMEItem] {4c61684c0001} Unauthorized attachment name "9222-CanalPlus.wmv" found: video.win_movie
[17:55:09] 2 [b0485000] [GenericScannerJob] [RPT] {4c61684c0001} Below is a summary of malicious content:
[17:55:09] 2 [b0485000] [GenericScannerJob] [RPT] {4c61684c0001} 0. [Scanner Name] contentfilter [Infection type] video.win_movie [Disinfectable] No [Location] Attachment: 9222-CanalPlus.wmv 
[17:55:09] 6 [b0485000] [FindDestinationJob] {4c61684c0001} Decision path:QS/DS

[17:56:09] 6 [b0485000] [BoorexJob] [ProcessNextMIMEItem] {4c6168890003} Unauthorized attachment name "Picture 1-1.png" found: images.png

[17:56:09] 2 [b0485000] [GenericScannerJob] [RPT] {4c6168890003} Below is a summary of malicious content:
[17:56:09] 2 [b0485000] [GenericScannerJob] [RPT] {4c6168890003} 0. [Scanner Name] contentfilter [Infection type] images.png [Disinfectable] No [Location] Attachment: Picture 1-1.png 
[17:56:09] 6 [b0485000] [FindDestinationJob] {4c6168890003} Decision path:QS/DS