Attachment Filtering

Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3

In Microsoft Exchange Server 2007, attachment filtering lets you apply filters at the server level to control the attachments that users receive. Attachment filtering is increasingly important in today's environment, where many attachments contain harmful viruses or inappropriate material. Such attachments may cause significant damage to the user's computer, or to the organization as a whole by damaging important documentation or releasing sensitive information to the public.

Note

As a best practice, don't remove attachments from digitally signed, encrypted, or rights-protected e-mail messages. If you remove attachments from such messages, you invalidate the digitally signed messages and make encrypted and rights-protected messages unreadable.

Types of Attachment Filtering in Exchange 2007

You can use the following types of attachment filtering to control attachments that enter or leave your organization:

  • Filtering based on file name or file name extension   You can filter attachments by specifying the exact file name or file name extension to be filtered. An example of an exact file name filter is BadFilename.exe. An example of a file name extension filter is *.exe.

  • Filtering based on file MIME content type   You can also filter attachments by specifying the MIME content type to be filtered. MIME content types indicate what the attachment is, whether it is a JPEG image, an executable file, a Microsoft Office Excel 2003 file, or some other file type. Content types are expressed as type/subtype. For example, the JPEG image content type is expressed as image/jpeg.

    To view a complete list of all file name extensions and content types that attachment filtering can filter on, run the following command:

    Get-AttachmentFilterEntry | FL
    

    To run the Get-AttachmentFilterEntry cmdlet on a computer that is joined to a domain, the account you use must be delegated the Exchange View-Only Administrators role.

    To run the Get-AttachmentFilterEntry cmdlet on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.

    For more information about permissions, delegating roles, and the rights that are required to administer Exchange Server 2007, see Permission Considerations.

If an attachment matches one of these filtering criteria, you can configure one of the following actions to be performed on the attachment:

  • Block whole message and attachment   An attachment that matches an attachment filter together with its whole e-mail message can be blocked from entering the messaging system. If an attachment and e-mail message are blocked, the sender receives a delivery status notification (DSN) message that states that the message contains an unacceptable attachment file name.

  • Strip attachment but allow message through   An attachment that matches an attachment filter can be removed while the e-mail message and any other attachments that do not match the filter are allowed through. If an attachment is stripped, it is replaced with a text file that explains why the attachment was removed. This action is the default setting.

  • Silently delete message and attachment   An attachment that matches an attachment filter together with its whole e-mail message can be blocked from entering the messaging system. If an attachment and e-mail message are blocked, neither the sender nor the recipient receives notification.

    Warning

    You cannot retrieve e-mail messages and attachments that are blocked or attachments that are stripped. When you configure attachment filters, make sure that you carefully examine all possible file name matches and verify that legitimate attachments will not be affected by the filter.

For more information, see How to Configure Attachment Filtering.
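
The following Exchange Management Shell script is an added example, not part of the original Microsoft topic. It dry-runs a proposed set of filter entries against attachments the organization expects to receive, as the preceding warning recommends, and applies the entries only if nothing legitimate would be caught. The entry list and the sample attachment names are constructed for illustration, the Test-AttachmentFilterMatch helper is hypothetical, and the use of -like to approximate the agent's file name matching is an assumption.

```powershell
# Proposed entries (constructed), in the Type/Name shape Get-AttachmentFilterEntry shows.
$proposed = @(
    @{ Type = 'FileName';    Name = '*.exe' },
    @{ Type = 'FileName';    Name = 'BadFilename.exe' },
    @{ Type = 'ContentType'; Name = 'application/x-msdownload' }
)

# Constructed sample of attachments the organization expects to keep receiving.
$legitimate = @(
    @{ FileName = 'Q3-report.xls';    ContentType = 'application/vnd.ms-excel' },
    @{ FileName = 'logo.jpg';         ContentType = 'image/jpeg' },
    @{ FileName = 'vendor-setup.exe'; ContentType = 'application/x-msdownload' }
)

function Test-AttachmentFilterMatch($Attachment, $Entries) {
    # Emits every entry that would match the attachment.
    # Assumption: -like wildcard matching approximates the agent's file name match.
    foreach ($e in $Entries) {
        if ($e.Type -eq 'FileName' -and $Attachment.FileName -like $e.Name) { $e }
        elseif ($e.Type -eq 'ContentType' -and $Attachment.ContentType -eq $e.Name) { $e }
    }
}

# Dry run: list legitimate attachments the proposed entries would catch.
$collisions = @($legitimate | ForEach-Object {
    $a = $_
    Test-AttachmentFilterMatch $a $proposed | ForEach-Object {
        "{0} ({1}) matches {2} entry '{3}'" -f $a.FileName, $a.ContentType, $_.Type, $_.Name
    }
})
$collisions

# Apply only if nothing legitimate collides and the Exchange cmdlets are loaded.
if ($collisions.Count -eq 0 -and (Get-Command Add-AttachmentFilterEntry -ErrorAction SilentlyContinue)) {
    $current = @(Get-AttachmentFilterEntry)
    foreach ($e in $proposed) {
        $present = $current | Where-Object { $_.Type -eq $e.Type -and $_.Name -eq $e.Name }
        if (-not $present) { Add-AttachmentFilterEntry -Name $e.Name -Type $e.Type }
    }
    # Reject = block message with DSN, Strip = remove attachment, SilentDelete = no notice.
    Set-AttachmentFilterListConfig -Action Strip
}
```

With the constructed sample, vendor-setup.exe collides with both the *.exe entry and the content type entry, so the script reports the two matches and changes nothing.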

File Filtering by Using Forefront Security for Exchange Server

The file filtering functionality that is provided by Microsoft Forefront Security for Exchange Server includes advanced features that are unavailable in the default Attachment Filter agent that is included with Microsoft Exchange Server 2007 Standard Edition.

For example, container files, which are files that contain other files, can be scanned for offending file types. Forefront Security for Exchange Server filtering can scan the following container files and act upon embedded files:

  • PKZip (.zip)

  • GNU Zip (.gzip)

  • Self-extracting ZIP archives

  • Zip files (.zip)

  • Java archive (.jar)

  • TNEF (winmail.dat)

  • Structured storage (.doc, .xls, .ppt, etc.)

  • MIME (.eml)

  • SMIME (.eml)

  • UUEncode (.uue)

  • Unix tape archive (.tar)

  • RAR archive (.rar)

  • MACBinary (.bin)

Note

The default Attachment Filter agent that is included with Exchange Server 2007 Standard Edition detects file types even if they have been renamed. Attachment filtering also makes sure that compressed Zip and LZH files do not contain blocked attachments by performing a file name extension match against the files in the compressed Zip or LZH file. Forefront Security for Exchange Server file filtering has the additional capability of determining if a blocked attachment has been renamed within a container file.

You can also filter files by file size. Additionally, you can configure Forefront Security for Exchange Server to quarantine filtered files or to send e-mail notifications based on file filter matches.

For more information, see Microsoft Forefront Security for Exchange Server User Guide.