Show/Hide Toolbars

Navigation: Admin Settings > Settings > Attachment Processing > Filtering

Attachment Processing Advanced Filter Rules

 Scroll Prev Top Next More

In the Attachment Processing → Filtering settings, you can specify rules to indicate which attachments should be filtered.

Starting in VPOP3 version 6.9, you can specify much more advanced rules to be more specific about which attachments are to be blocked. This section describes the advanced rule syntax. Note that because this is a powerful configuration language, it may be complex to understand. The Attachment filter rules section can contain a mixture of plain wildcard filenames, and advanced rules. VPOP3 will process them in order, from top to bottom, until it finds a rule which matches.

 

An example of an advanced rule is:

{

#this rule checks for some HTML files inside ZIP files

 rulename my first attachment filter

 checkzip yes

 checknotzip no

 size < 1kb

 size >= 500

 filename extensions htm html

 content text ajax-loader

}

 

This rule will check for .HTM or .HTML files within ZIP files (but not outside of ZIP files), which are between 500 and 1023 bytes (inclusive) in size, and contain the text 'ajax-loader'.

General syntax rules:

The start of an advanced rule is indicated by having a { character on a line of its own.

The rule ends when VPOP3 sees a } character on a line of its own.

You cannot nest rules.

The rule can contain actions and conditions. Note that you can have multiple conditions of the same type, and VPOP3 will check them all.

VPOP3 processes the rule definition in order from top to bottom. Usually this doesn't matter, but in some cases it may - (eg "CheckZip Yes" followed by "CheckEncryptedZip No")

All the conditions have to match for the rule to match.

Each action or condition has to be on a line of its own.

The action/condition name and options are case insensitive. The data is case sensitive except for filename checks which are case insensitive or where specified below.

The action/condition name must be followed by a space.

Comments are indicated by lines beginning with a '#' character

Spaces at the start or end of the line are trimmed before processing

Text strings can contain \-escaped text (ie \n becomes a line-feed, \t becomes a tab character, \\ becomes \, \x41 becomes A etc)

Regular expressions should be surrounded by / characters and have options after the terminating / character (eg /word/i )

wildcardpatterns are NOT substring matches. They must match entirely. So, if you want them to be a substring match, surround them with * characters - ie don't just use fred, use *fred*.

 

Variables

Advanced rules have very basic support for variables (to pass data between rules). Variable names cannot contain spaces.

Variables last for the lifetime of processing the current message, so can be used to pass variables between the checks for different attachments within a single message (eg to check for multiple attachments).

Default Variables
When a rule is processed, some variables are set to values which may be useful

${attachname} contains the name of the attachment currently being processed.

${archivename} contains the name of the attachment ZIP currently being processed (this is empty if the file being checked is not inside a ZIP file).

${mimetype} contains the MIME type of the attachment currently being processed as specified in the email message (this is empty if the file being checked is inside a ZIP file).

${messagetype} contains the 'type' of message currently being processed (SMTPINCOMING, SMTPLOCAL or POP3).

Rule Actions

In the syntax definitions below bold characters indicate text you should type as-is, italics indicate text you should replace with your own values. ( x | y) indicates options, [xx] indicates optional text.

Rulename

Syntax: Rulename rulename

Example: Rulename This is my rule

This specifies a name for the rule. This is used in logging, and can be used the Log action. If you do not specify a rule name, then the line number of the start of the rule in the filter list is used.

 

SetIfMatch

Sets/clears/updates a variable if the rule matches. Note that if the rule matches and any SetIfMatch actions are in the rule, then the rule will not trigger the 'prohibited attachment' action.

Syntax: SetIfMatch variablename Clear

Example: SetIfMatch myvar Clear

Clears the specified variable if the rule matches

 

Syntax: SetIfMatch variablename Set ( data | "data" )

Example: SetIfMatch myvar Set "This is some data  "

Sets the specified variable to the specified data if the rule matches. Quotes around the data are optional, and will be removed if they are there. If you need to set leading or trailing spaces in the variable, then you should use quotes to avoid them being trimmed. data can contain expansions (see below).

 

Syntax: SetIfMatch variablename Append ( data | "data" )

Example: SetIfMatch myvar Append bibble

Adds the specified data to the specified variable if the rule matches. Quotes around the data are optional, and will be removed if they are there. If you need to set leading or trailing spaces in the variable, then you should use quotes to avoid them being trimmed. data can contain expansions (see below).

 

Syntax: SetIfMatch variablename Replace ( data1 | "data1" ) ( data2 | "data2" )

Example: SetIfMatch myvar Replace "some words" "some more words"

Replaces data in the specified variable if the rule matches The text in data1 (case insensitive) is replaced with the text in data2. Quotes around the data are optional, and will be removed if they are there. If you need to set spaces in data1 or you need to set leading or trailing spaces in data2, then you should use quotes. data2 can contain expansions (see below).

 

Syntax: SetIfMatch variablename RegexReplace ( data1 | "data1" ) ( data2 | "data2" )

Example: SetIfMatch myvar RegexReplace "/(some|a few|\d+) cats/i" "\1 dogs"

Replaces data in the specified variable if the rule matches The regular expression data1 is replaced with the text in data2. Quotes around the data are optional, and will be removed if they are there. If you need to set spaces in data1 or you need to set leading or trailing spaces in data2, then you should use quotes.

You can use \1, \2 etc in data2 which will be replaced with the contents of the corresponding capture group from data1.

SetIfNoMatch

This sets/clears/updates a variable if the rule does not match. Other than that, it is the same as the SetIfMatch action above.

Syntax: SetIfNoMatch variablename Clear

Syntax: SetIfNoMatch variablename Set ( data | "data" )

Syntax: SetIfNoMatch variablename Append ( data | "data" )

Syntax: SetIfNoMatch variablename Replace ( data1 | "data1" ) ( data2 | "data2" )

Syntax: SetIfNoMatch variablename RegexReplace ( data1 | "data1" ) ( data2 | "data2" )

Log

This causes VPOP3 to write an entry to the VPOP3.LOG file for diagnostic purposes.

Stop

Syntax: Stop

Example: Stop

This stops the remainder of the attachment filter process if the rule matches. The rule will not trigger the 'prohibited attachment' action. This can be useful for preventing attachment filtering in some cases.

SpamScore

(Version 6.20 or later)

Syntax: SpamScore number

Example: SpamScore 200

This adds the specified number onto the spamfilter score which may affect message quarantining (note that number can be negative if you wish to use it as a 'whitelisting' mechanism).

 

Text Expansions

Some actions will expand text strings to include variables. To indicate a text expansion use ${} around a variable name. Eg ${myvar} will be replaced with the contents of the myvar variable.

Rule Conditions

CheckZip

Syntax: CheckZip ( yes | no | true | false | 1 | 0 )

Example: CheckZip no

This tells VPOP3 whether to check inside ZIP files. By default, VPOP3 will check inside ZIP files if the Filter attachments in ZIP files option is checked, and not otherwise, but this can be specified on a per-rule basis with the advanced rules. This implies both the CheckEncryptedZip and CheckUnencryptedZip options below.

CheckEncryptedZip

Syntax: CheckEncryptedZip ( yes | no | true | false | 1 | 0 )

Example: CheckEncryptedZip yes

This tells VPOP3 whether to check inside encrypted ZIP files. By default, VPOP3 will check inside all ZIP files if the Filter attachments in ZIP files option is checked, and not otherwise, but this can be specified on a per-rule basis with the advanced rules. Note that the content of encrypted ZIP files cannot be tested, but the filenames and compressed & uncompressed sizes can be tested.

CheckUnencryptedZip

Syntax: CheckUnencryptedZip ( yes | no | true | false | 1 | 0 )

Example: CheckUnencryptedZip 1

This tells VPOP3 whether to check inside unencrypted ZIP files. By default, VPOP3 will check inside all ZIP files if the Filter attachments in ZIP files option is checked, and not otherwise, but this can be specified on a per-rule basis with the advanced rules.

CheckNotZip

Syntax: CheckNotZip ( yes | no | true | false | 1 | 0 )

Example: CheckNotZip 0

This tells VPOP3 whether to check files which are not inside ZIP files. By default, VPOP3 will check these files, but you can turn it off on a per-rule basis if you wish.

Size

Syntax: Size ( < | > | <= | >= | <> | != | == | = | ne | eq | le | lt | ge | gt )[ ]number[(kB|MB)]

Example: Size >100MB

This compares the size (uncompressed size) of the attachment as specified.

CompressedSize

Syntax: CompressedSize ( < | > | <= | >= | <> | != | == | = | ne | eq | le | lt | ge | gt )[ ]number[(kB|MB)]

Example: CompressedSize lt 57kb

This compares the compressed size of the attachment as specified. (If the attachment is not in a ZIP file, then the compressed size is the same as the uncompressed size.

Filename / Name

This checks the filename of the attachment as specified. Filename and Name are equivalent.

Syntax: Filename [not] text wildcardpattern

Example: Filename text *.exe

This checks the filename against the wildcard pattern specified. If not is used, then the check will match if the filename does not match the pattern. The wildcard pattern can include DOS style wildcards (* & ?).

 

Syntax: Filename [not] regex regex

Example: Filename not regex /\.exe$/i

This checks the filename against the regular expression specified. If not is used, then the check will match if the filename does not match the pattern.

 

Syntax: Filename [not] extensions ext [ext...]

Example: Filename extensions html htm js

This checks the filename against the list of extensions specified (1 or more). If the extension matches any of the specified extensions, then the check will match. If not is used, then the check result is inverted.

Variable / Var

This checks the contents of the specified variable. Variable and Var are equivalent.

Syntax: Variable variablename [not] text wildcardpattern

Example: Variable myvar not text aaaaa*

The specified variable's contents will be compared against the wildcard pattern specified. If not is used, then the check will match if the variable contents do not match the pattern. The wildcard pattern can include DOS style wildcards (* & ?).

 

Syntax: Variable variablename [not] regex regex

This checks the specified variable's contents against the regular expression specified. If not is used, then the check will match if the variable contents do not match the pattern.

Content

This checks the content of the attachment as specified. The contents of files inside encrypted ZIP files cannot be checked. Also, VPOP3 will only allow you to check attachments up to 100kB in size (for performance reasons). Content checks have optional start/end/length settings to allow you to limit which part of the attachment to check. The start & end default to the start and end of the attachment. You can use either end or length as you wish.

Syntax: Content [start startpos ][(end endpos | length length) ][not] md5 md5hexdigest

Example: Content start 1000 length 1000 md5 ea231b125002c3212d3278deff2f1152

Calculates the MD5 hash of the attachment (or specified portion of the attachment) and compares the hex digest to the specified value.

 

Syntax: Content [start startpos ][(end endpos | length length) ][not] text text

Example: Content end 1234 text hello

Searches for the specified text (case sensitive) in the attachment

 

Syntax: Content [start startpos ][(end endpos | length length) ][not] base64 base64encoded

Example: Content start 1000 end 2000 base64 aGVsbG8=

Searches for the specified base64 encoded data in the attachment

 

Syntax: Content [start startpos ][(end endpos | length length) ][not] hex hexbytes

Example: Content not hex 68 65 6c6c6f

Searches for the specified hex encoded data in the attachment

 

Syntax: Content [start startpos ][(end endpos | length length) ][not] regex regex

Example: Content regex /\b(hello|hi)\b/i

Searches for the specified regular expression in the attachment

 

Header

This checks the contents of the specified message header field.

Syntax: Header headerfield [not] text wildcardpattern

Example: Header subject not text aaaaa*

The specified header field will be compared against the wildcard pattern specified. The wildcard pattern can include DOS style wildcards (* & ?).

 

Syntax: Header headerfield [not] regex regex

Example: Header from regex /<[^>]+@gmail\.com>/i

This checks the specified header field  against the regular expression specified.

 

If you think this help topic could be improved, please send us constructive feedback