Block Dangerous File Attachments with Exchange Server 2010


Ever since the first email viruses appeared, the risk posed by file attachments in email has been one that businesses need to take seriously. To make that risk manageable, Exchange Server 2010 includes a feature that blocks file attachments at the server level, before a message ever reaches a mailbox.

The attachment filter is available in the Edge Transport server role for Exchange Server 2010. The Edge Transport server is designed to be an internet-facing email gateway, usually located in the DMZ of a corporate network. It allows an organization to block spam and viruses, as well as make filtering decisions based on content and other message attributes.

The attachment filter agent is installed and enabled by default on Edge Transport servers.


You’ll notice it is one of the lowest priority filtering agents on the server. This is because other agents such as the Connection Filtering agent can detect and block spam using more efficient decision making criteria such as the IP address of the sending server.

There are three ways to match file attachments:

  • By filename (eg trojan.exe)
  • By file extension (eg *.vbs)
  • By file MIME content type (eg application/hta)

When an attachment meets the configured criteria there are three actions that can be taken:

  • Reject: block the entire message including the attachment. A notification is sent to the sender with the reason the message was blocked.
  • Strip: remove the attachment and allow the message to continue through. The attachment is replaced by a text file explaining that the action has occurred.
  • SilentDelete: delete the message and attachment with no notification to sender or recipient.

There are two additional configuration options for filtering actions:

  • When an entire message is rejected, the rejection email sent to the sender can be customized.
  • The filtering rule can be configured with an exception for specific Connectors on the Edge Transport server (eg a secure Connector to a trusted partner).

Examples of Attachment Filter Configuration

The attachment filter comes pre-configured with a reasonably sized list of file extensions and a handful of MIME types. The default action is to strip those file types from the message.

[PS] C:>Get-AttachmentFilterListConfig

Name : Transport Settings
RejectResponse : Message rejected due to unacceptable attachments
AdminMessage : This attachment was removed.
Action : Strip

You can add additional filter entries as required. For example, to add an entry for the PDF MIME type you would run this command:

Add-AttachmentFilterEntry -Name application/pdf -Type ContentType
    

Next you can change the action so that messages carrying a matching attachment are rejected outright instead of having the attachment stripped, and supply the text the sender will see:

Set-AttachmentFilterListConfig -Action Reject -RejectResponse "The email you sent contained an attachment type that is not permitted. Your message has not been delivered. Please remove the attachment before resending your message."
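The following script ties the individual commands above together into a complete configuration pass for an Edge Transport server. It is an added example, not code from the original article, and it is intended to be run from the Exchange Management Shell on the Edge server itself (these cmdlets are not available on Hub Transport servers). The Receive Connector name "Partner Inbound" is an assumption used to illustrate the connector exception; substitute the name of a real connector on your server.

```powershell
# Added example: full attachment filter configuration on an Exchange 2010
# Edge Transport server. Run in the Exchange Management Shell on the Edge server.
# The connector name "Partner Inbound" is a hypothetical placeholder.

# 1. Confirm the agent is installed and enabled before relying on it.
Get-TransportAgent | Where-Object { $_.Identity -eq "Attachment Filtering Agent" } |
    Format-Table Identity, Enabled, Priority -AutoSize

# 2. Review the default entries before adding to them.
Get-AttachmentFilterEntry | Format-Table Name, Type -AutoSize

# 3. Add entries of each supported kind. Filename and extension patterns both
#    use -Type FileName; MIME types use -Type ContentType. Adding a name that
#    already exists raises an error, so skip duplicates.
$fileNameEntries = @("trojan.exe", "*.vbs", "*.hta", "*.scr")
foreach ($entry in $fileNameEntries) {
    if (-not (Get-AttachmentFilterEntry | Where-Object { $_.Name -eq $entry })) {
        Add-AttachmentFilterEntry -Name $entry -Type FileName
    }
}

$contentTypeEntries = @("application/hta", "application/x-msdownload")
foreach ($entry in $contentTypeEntries) {
    if (-not (Get-AttachmentFilterEntry | Where-Object { $_.Name -eq $entry })) {
        Add-AttachmentFilterEntry -Name $entry -Type ContentType
    }
}

# 4. Reject matching messages outright with a custom NDR text, customise the
#    note left in place of a stripped attachment (used if the action is later
#    set back to Strip), and let mail arriving on the trusted partner
#    connector through unfiltered.
Set-AttachmentFilterListConfig -Action Reject `
    -RejectResponse "The email you sent contained an attachment type that is not permitted. Your message has not been delivered. Please remove the attachment before resending your message." `
    -AdminMessage "This attachment was removed by the mail gateway." `
    -ExceptConnectors "Partner Inbound"

# 5. Verify the resulting configuration.
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse, AdminMessage, ExceptConnectors
```

Two practical notes: the RejectResponse text is limited to 240 characters, so keep the sender notification short; and because there is a single rule, every entry added in step 3 is subject to the same action chosen in step 4, so test the effect on legitimate mail flow before switching from Strip to Reject.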

Downsides of Exchange 2010 Attachment Filtering

Although it provides effective filtering of file attachments, a downside of this implementation is that it is an all-or-nothing approach. There is only one attachment filtering rule configurable on the server, and the only deviation from that rule is to exempt certain Connectors from it.

There is an argument that granularity is not necessary for this feature, and that an organization can set a single "banned attachments" policy without needing to be specific about which messages only have the attachment stripped and which ones are rejected outright. However, many organizations prefer the flexibility of multiple rules, for example stripping risky attachments on inbound internet mail while rejecting them on an internal-only connector.

Another downside is the limited capability to inspect files contained within compressed archives: only the .zip and .lzh formats are supported by the built-in attachment filter, so a blocked file type inside a .rar or .7z archive will pass through unnoticed. There is also no option for dealing with encrypted files, for example password-protected Zip files, which the filter cannot open and therefore cannot inspect.

Overall the feature is reasonably effective, a little cumbersome to configure and manage, and has the few frustrating limitations mentioned above.