Show/Hide Toolbars

To get to this page, go to Settings → Attachment Processing → Filtering

attachmentfiltering_zoom50

This page lets you configure how VPOP3 will filtering incoming and locally sent attachments. This screenshot is from VPOP3 v6.20. Earlier versions did not have some of the options or facilities listed here.

The Attachment filenames to filter section lets you select which attachments are to be filtered. Prior to VPOP3 v6.9 this could only contain file names (including DOS style wildcards - ? and *), with one name on a line. In version 6.9 we added the facility for more flexible advanced conditions.

The default filter patterns are:

Pattern

Explanation

*.vbs

Files with a .vbs extension will typically run as Visual Basic Scripts.

*.{????????-????-????-????-????????????}

Filenames ending in a GUID (Globally Unique Identifier) - These files could instruct Windows to open the file in a particular program, or as an executable, irrespective of the actual filename extension. Note: GUIDs only contain hexadecimal characters (numbers 0-9 and letters A-F), but this pattern would also match for non-hexadecimal characters.

*.hta

Files with a .hta extension will typically run as HTML applications; potentially allowing the use of JScript and VBScript.

*.???.???

Files with a 'double' filename extension are commonly used to distract the recipient. For example, by naming a file photo.jpg.exe, the sender could exploit users who do not have the technical knowledge to realise that the file is an application and not a picture.

*          *.*

Files with at least 10 consecutive spaces in the filename. There are few legitimate reasons for using 10 consecutive spaces, so it is likely to be an exploit attempt. Using a lot of spaces may obscure the filename extension in some mail clients, or may make the attachment look like two distinct files.

*.

Windows will disregard the dot at the end of a filename, so there is very little reason for a filename legitimately ending with a dot. An attacker may try using a dot at the end of the filename, in order to circumvent other filtering rules.

*.pif

Files with a .pif extension will typically be Program Information Files for Windows. They can be used to transmit viruses.

The Filter attachments in ZIP files option tells VPOP3 to look for the filter patterns inside ZIP files. If you use the advanced filtering condition rules, you can override this setting for each rule if you wish.

The Block password protected ZIP files option tells VPOP3 to block any ZIP files which are password protected - this is because these are often used to bypass virus scanners, which cannot scan files inside protected ZIP files. If you use the advanced filtering condition rules, you can specify different filtering conditions for protected ZIP files if you wish.

Last 10 attachments blocked

In VPOP3 v6.16 and later there is a Last 10 attachments blocked section which contains the times and filenames of the last 10 attachments blocked by the attachment filter.

In parentheses after the filename is more information. This is:

1.Reason Blocked (eg BlockAttachments or BlockAttachmentsInZip)

2.Type of message (SMTPLOCAL, SMTPINCOMING or POP3)

3.Sender email address

4.Rule name (this will be the line number of the rule for a basic rule, or the Rulename attribute of an advanced rule.

Note that 'BlockAttachments' doesn't mean that the attachment was blocked, just that the filter saw it - if the filter action is to rename attachments, then the attachments will have been renamed even though this displays 'BlockAttachments'.

Incoming Messages

The Check Incoming attachments option turns on attachment filtering for incoming messages (both POP3 and SMTP incoming). If this option is unchecked, then the remainder of this section's options are disabled.

The next set of radio buttons let you choose what happens if VPOP3 detects a prohibited attachment:

Remove filtered attachments from message - if this option is chosen, then VPOP3 will remove the prohibited attachment from the message, and deliver the remainder of the message on to the recipient. VPOP3 will attempt to add text to the message to indicate that an attachment has been removed. In a few cases it may not be possible to add this text, for instance if the message was in a non-standard format. Note that if this option is chosen, and the filtered attachment is inside a ZIP or TNEF (Winmail.dat) archive, then the whole archive will be removed.

Change filtered attachment extension to make it unrunnable - if this option is chosen, then VPOP3 will rename the prohibited attachment by replacing the last character of the extension to a '_' character. For instance, 'document.pdf.exe' will be renamed to 'document.pdf.ex_'. This will usually mean that the user cannot simply click on the attachment to run it, but they must save it to disk, rename it, and then open it. Hopefully this will give the user time to think and consider whether the document is something they expect and is safe, while still allowing them to receive attachments which have been filtered. Note that if the filtered attachment is in a ZIP file, then the whole ZIP file is renamed. If it is inside a TNEF (Winmail.dat) file, then the TNEF file will be removed, as there is no safe way to rename one so that it will not be opened automatically by Microsoft Outlook.

Redirect messages with filtered attachment to: - if this option is chosen, VPOP3 will redirect any message containing a prohibited attachment to the specified user. Ideally, that user should be able to judge whether the attachment is safe or not (and virus scan it if appropriate), and decide what to do with it.

Let message through unchanged - if this option is chosen, then the message is let through unchanged. This option is not recommended.

Delete message - if this option is chosen, then the message is deleted without informing the local recipient (if the 'Inform sender' options below are selected, then those will still be processed).

 

Spamfilter Score - if the message is allowed through - e.g. with renamed attachments, redirected or just allowed through unchanged, then the message will have the specified score added to the spamfilter score. This can be used to quarantine the message. For instance, on a default installation, setting this to '100' will mean that any messages with filtered attachments will be put into the spamfilter quarantine. This can be overridden for specific advanced checks.

 

The Reject incoming SMTP messages containing filtered attachments option causes VPOP3's SMTP service to issue an SMTP reject error if it detects a filtered attachment in an incoming message. This should cause the sender of the message to receive an error message from their mail server (or their ISP's mail server). This option overrides the above selection when processing incoming SMTP messages.

The Inform sender that attachments were filtered - incoming POP3 messages option tells VPOP3 to send a message to the sender of messages which were received via POP3, if they contain a filtered attachment. This may allow the sender to resend the message with a different file name or via an alternative means. Note that if the attachment filtering blocks attachments containing viruses, the returned messages may cause email backscatter because the sender's email address could have been forged.

The Inform sender that attachments were filtered - incoming SMTP messages option tells VPOP3 to send a message to the sender of incoming messages which were received via SMTP, if they contain a filtered attachment. This may allow the sender to resend the message with a different file name or via an alternative means. Note that if the attachment filtering blocks attachments containing viruses, the returned messages may cause email backscatter because the sender's email address could have been forged. It could be more appropriate to use the Reject incoming SMTP messages option above.

Outgoing Messages

The Reject outgoing messages with filtered attachments option causes VPOP3's SMTP service to issue an SMTP reject error if it detects a filtered attachment in a locally sent message. This should cause the sender of the message to receive an error message in their email client as soon as they send it.

VPOP3 will block the outgoing message with an error like:

554 5.7.1 Message prohibited (PROHIBITED FILENAME - <filename>)

 

Email Notifications

If you have enabled either of the Inform sender that attachments were filtered options, then the message which VPOP3 sends will have the sender details specified in this section. This should allow the original message sender to reply to the notification message to contact someone who will be able to tell them why the attachment wasn't allowed.

If you think this help topic could be improved, please send us constructive feedback