Understanding Attachment Filtering
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2011-04-28
In Microsoft Exchange Server 2010, you can use attachment filtering to apply filters at the server level to control the attachments that users receive. Attachment filtering is increasingly important in today's environment, where many attachments contain harmful viruses or inappropriate material that may cause significant damage to the user's computer or to the organization as a whole by damaging important documentation or releasing sensitive information to the public.
As a best practice, don't remove attachments from digitally signed, encrypted, or rights-protected e-mail messages. If you remove attachments from such messages, you invalidate the digitally signed messages and make encrypted and rights-protected messages unreadable.
Looking for management tasks related to anti-spam and antivirus functionality? See Managing Anti-Spam and Antivirus Features.
You can use the following types of attachment filtering to control attachments that enter or leave your organization:
- Filtering based on file name or file name extension: You can filter attachments by specifying the exact file name or file name extension to be filtered. An example of an exact file name filter is BadFilename.exe. An example of a file name extension filter is *.exe.
- Filtering based on file MIME content type: You can also filter attachments by specifying the MIME content type to be filtered. MIME content types indicate what the attachment is, whether it is a JPEG image, an executable file, a Microsoft Office Excel file, or some other file type. E-mail attachments are encoded in e-mail messages as ASCII text. E-mail servers and clients use the information about MIME content type to decode the ASCII text information in an e-mail message and convert it into a usable binary file familiar to the user. Content types are expressed as type/subtype. For example, the JPEG image content type is expressed as
To view a complete list of all file name extensions and content types that attachment filtering can filter on, run the following command.
Get-AttachmentFilterEntry | FL
If an attachment matches one of these filtering criteria, you can configure one of the following actions to be performed on the attachment:
- Block whole message and attachment: An attachment that matches an attachment filter together with its whole e-mail message can be blocked from entering the messaging system. If an attachment and e-mail message are blocked, the sender receives a delivery status notification (DSN) message that states that the message contains an unacceptable attachment file name.
- Strip attachment but allow message through: An attachment that matches an attachment filter can be removed whereas the e-mail message and any other attachments that don't match the filter are allowed through. If an attachment is stripped, it's replaced with a text file that explains why the attachment was removed. This action is the default setting.
- Silently delete message and attachment: An attachment that matches an attachment filter together with its whole e-mail message can be blocked from entering the messaging system. If an attachment and e-mail message are blocked, neither the sender nor the recipient receives notification.
Caution: You can't retrieve e-mail messages and attachments that are blocked or attachments that are stripped. When you configure attachment filters, make sure that you carefully examine all possible file name matches and verify that legitimate attachments won't be affected by the filter.
- RejectResponse: This parameter specifies the string response included in the non-delivery report (NDR) message if an e-mail message that has a filtered e-mail attachment is returned to the sender.
For more information, see Configure Attachment Filtering.
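The following Exchange Management Shell session is an added example, not part of the original topic. It checks proposed filter entries against a sample of legitimate attachment names before adding them, then sets the action and the rejection text. The proposed entries, the sample names and the response string are constructed for illustration, and file name matching is approximated with PowerShell's -like operator, which is an assumption about how closely it mirrors the agent's own matching.

```powershell
# Added example: run in the Exchange Management Shell on the transport server
# where the Attachment Filter agent is enabled.

# Proposed new entries (constructed for illustration).
$proposed = @(
    @{ Type = 'FileName';    Name = '*.iso' },
    @{ Type = 'FileName';    Name = 'invoice*.js' },
    @{ Type = 'ContentType'; Name = 'application/x-msdownload' }
)

# Constructed sample of attachment names the organization legitimately receives.
$legitimate = 'Q3-report.xlsx', 'invoice-template.json', 'server-build.iso', 'logo.jpg'

# Dry run: list every legitimate name that a proposed file name entry would catch.
# -like is a case-insensitive wildcard match (assumed to approximate the agent).
$fileNameEntries = $proposed | Where-Object { $_.Type -eq 'FileName' }
$hits = foreach ($entry in $fileNameEntries) {
    foreach ($name in $legitimate) {
        if ($name -like $entry.Name) {
            New-Object PSObject -Property @{ Pattern = $entry.Name; WouldFilter = $name }
        }
    }
}

if ($hits) {
    # Here '*.iso' catches 'server-build.iso', so nothing is changed yet.
    $hits | Format-Table Pattern, WouldFilter -AutoSize
    Write-Warning 'Review these matches first; filtered attachments cannot be retrieved.'
} else {
    # Add only the entries that are not already in the filter list.
    $existing = Get-AttachmentFilterEntry | ForEach-Object { '{0}:{1}' -f $_.Type, $_.Name }
    foreach ($entry in $proposed) {
        $id = '{0}:{1}' -f $entry.Type, $entry.Name
        if ($existing -notcontains $id) {
            Add-AttachmentFilterEntry -Name $entry.Name -Type $entry.Type
        }
    }
    # Reject blocks the message and notifies the sender; Strip is the default;
    # SilentDelete notifies neither sender nor recipient.
    Set-AttachmentFilterListConfig -Action Reject `
        -RejectResponse 'Attachment type not accepted by this organization.'
}

# Confirm the resulting filter list and configuration.
Get-AttachmentFilterEntry | Format-List
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse
```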
The file filtering functionality provided by Microsoft Forefront Protection 2010 for Exchange Server includes advanced features that are unavailable in the default Attachment Filter agent included with Exchange 2010 Standard Edition.
For example, container files, which are files that contain other files, can be scanned for offending file types. Forefront Protection for Exchange Server filtering can scan the following container files and act upon embedded files:
- GNU Zip (.gzip)
- Self-extracting compressed file archives (.zip)
- Compressed files (.zip)
- Java archive (.jar)
- Structured storage (.doc, .xls, .ppt, and others)
- UNIX tape archive (.tar)
- RAR archive (.rar)
Note: The default Attachment Filter agent included with Exchange 2010 Standard Edition detects file types even if they have been renamed. Attachment filtering also makes sure that compressed files with a .zip or .lzh file name extension don't contain blocked attachments by performing a file name extension match against the files in the compressed files. Forefront Protection for Exchange Server file filtering has the additional capability of determining if a blocked attachment has been renamed within a container file.
You can also filter files by file size. Additionally, you can configure Forefront Security for Exchange Server to quarantine filtered files or to send e-mail notifications based on file filter matches.
For more information, see Microsoft Forefront Protection 2010 for Exchange Server.