Threat reduction by filetype: Blocking email attachment by various methods

  • Article ID: 11353
  • Updated: 11 Apr 2014

PureMessage for Microsoft Exchange can block selected attachments by filetype, name and multiple extensions.

This article provides information on blocking threats by filetype.

Applies to the following Sophos product(s) and version(s)

PureMessage for Microsoft Exchange

What are the main filetypes?

The main filetypes are

  • archives (including tar, zip and RAR)
  • self-extracting archives
  • common virus carriers
  • graphics (including GIF, JPG, TIF, BMP)
  • others (including PDF, HTML, Macintosh files, MIME, RTF).

For archives, self-extracting archives and graphics, you can exclude types of files individually.

You can also block the attachment types most likely to contain a virus:

  • Windows/DOS program files
  • UNIX or Linux program files
  • Microsoft Office documents that include macros.

Blocking by attachment name enables you to block individual files and types of files.

An alert can be sent to the administrator to inform them of the blocked attachments.

Blocking attachments by filetypes

You can block email attachments by filetype in the mail scanning page:

  1. Open the PureMessage console
  2. In the PureMessage console tree, browse to Configuration | Transport (SMTP) scanning policy | Content
  3. Choose a direction of mail flow to configure (inbound, outbound or internal mail)
  4. Check 'On restricted attachment' 
  5. Click 'define' to configure the rule
  6. Select the type of attachment from the drop down
  7. Check the attachment type(s) to block
    Note: a maximum file size can also be specified
  8. Click 'OK'.
  9. Click 'Save changes'

Blocking common virus carrier attachments

  1. Open the PureMessage console
  2. In the PureMessage console tree, browse to Configuration | Transport (SMTP) scanning policy | Content
  3. Choose a direction of mail flow to configure (inbound, outbound or internal mail)
  4. Check 'On suspicious attachment'
  5. By default 'executable' and 'object code' files are already blocked
  6. Select the type of attachment from the drop down
  7. Check the attachment type(s) to block
    Note: a maximum file size can also be specified
  8. Click 'OK'.
  9. Click 'Save changes'

Blocking specific attachment names

  1. Open the PureMessage console
  2. In the PureMessage console tree, browse to Configuration | Transport (SMTP) scanning policy | Content
  3. Choose a direction of mail flow to configure (inbound, outbound or internal mail)
  4. Check 'On restricted attachment'
  5. Click 'define' to configure the rule
  6. Move to the 'Attachment names' tab
  7. Click 'Add'
  8. Enter the name of the file(s) to block
    Note: wildcards can be used
  9. Click 'OK'.
  10. Click 'Save changes'

To block additional filetypes, use wildcards to block by attachment name. For example, to block all ASC files add '*.ASC' to the list.

Blocking attachments with multiple extensions

To block files with multiple extensions (virus writers use double extensions to hide a virus):

  1. Open the PureMessage console
  2. In the PureMessage console tree, browse to Configuration | Transport (SMTP) scanning policy | Content
  3. Choose a direction of mail flow to configure (inbound, outbound or internal mail)
  4. Select 'On suspicious attachment' and click 'define'
  5. Move to the 'Attachment names' tab
  6. By default the option 'Block all files with multiple extensions' is already set
  7. Click 'Add' to provide any exclusions for multiple extensions, e.g. tar.gz, *.pdf, etc.
    Note: To allow hello.101.txt, either *.txt or *.*.txt will let the attachment be delivered, so the double-dot wildcard is not actually required.
  8. Click 'OK'
  9. Click 'Save changes'
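
The attachment-name and multiple-extension rules described above can be dry-run against a list of attachment names before the policy is changed. The following Python is an added example, not Sophos code: it assumes case-insensitive shell-style wildcard matching and that name rules are checked before the multiple-extension rule, and the function names, rule lists and sample file names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule sets mirroring the article's examples.
BLOCKED_NAMES = ["*.ASC"]                              # 'Attachment names' block list
MULTI_EXT_EXCLUSIONS = ["*.tar.gz", "*.txt", "*.pdf"]  # allowed despite multiple extensions


def matches_any(name, patterns):
    """Case-insensitive wildcard match (assumed semantics, not the product's documented ones)."""
    lowered = name.strip().lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def has_multiple_extensions(name):
    """True when two or more non-empty dot-separated suffixes follow the base name."""
    suffixes = [part for part in name.strip().split(".")[1:] if part]
    return len(suffixes) >= 2


def evaluate(name, blocked=BLOCKED_NAMES, exclusions=MULTI_EXT_EXCLUSIONS):
    """Return the verdict for one attachment name (rule order is an assumption)."""
    if matches_any(name, blocked):
        return "blocked: attachment name"
    if has_multiple_extensions(name) and not matches_any(name, exclusions):
        return "blocked: multiple extensions"
    return "delivered"


def audit(names):
    """Map each attachment name to its verdict."""
    return {name: evaluate(name) for name in names}


if __name__ == "__main__":
    # Constructed sample names, not taken from real mail traffic.
    sample = ["hello.101.txt", "backup.tar.gz", "report.pdf.exe", "keys.ASC", "notes.txt"]
    for name, verdict in audit(sample).items():
        print(f"{name:16} {verdict}")
```

Because `*` also matches dots under these semantics, `*.txt` already covers hello.101.txt. An exclusion such as `*.pdf` is anchored to the end of the name, so report.pdf.exe is still blocked by the multiple-extension rule.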

See the PureMessage for Microsoft Exchange manual for more information.

 
If you need more information or guidance, then please contact technical support.
