5 Configuring Attachment Filtering : 5.2 Creating an Attachment Filtering rule
5.2
Creating an Attachment Filtering rule
To create an Attachment Filtering rule:
1. Click the GFI MailSecurity ► Attachment Filtering node.
2. From the Attachment Filtering page (in the right window), click Add Rule.
C:\Documents and Settings\ozammit\My Documents\MSEC\Manual\images\attachment checking general tab.png
Screenshot 53 - Attachment Filtering: General Tab
3. Specify the name of the rule and select whether to apply this rule to inbound and/or outbound emails by selecting the respective check boxes.
4. Decide on the type of attachment blocking required:
Block all - Select this option to block email attachments of any type.
Block this list - Select this option to block ONLY the listed attachment types.
Block all except this list - Select this option to block attachment types that are not included in the list.
NOTE: To add an attachment type to the list, input the required full file name or file extension in the box next to the Add button. When ready, click Add. You can use asterisk (*) wildcards to replace characters or strings in the attachment type/extension. For example, specifying *orders*.mdb blocks all mdb files which contain the string 'orders' in the file name. Specifying *.jpg will block all jpg files.
NOTE: To remove an entry from the list, select it and click Remove Selected.
5. Additionally, you can specify a file size in kilobytes as a threshold. This has the effect of blocking all attachments with a file size bigger than the one you specify irrespective of whether it matches an entry in the list. To enable this option, select the Block all files greater than the following size in Kb check box and specify the maximum file size (in KB) allowed without blocking.
C:\Documents and Settings\ozammit\My Documents\MSEC\Manual\images\attachment checking actions tab.png
Screenshot 54 - Attachment Filtering: Actions Tab
6. After you have specified what the attachment rule should check for, you must specify what this rule should do whenever it finds the specified attachment(s). Click the Actions tab to open the rule actions configuration page.
7. Select the Block attachment and perform this action check box if you want to quarantine, delete or move the blocked emails to a particular folder. Additionally, select one of the following options:
Quarantine email: Select this option to quarantine the email containing the attachment for review by an administrator. For more information, refer to Quarantine chapter in this manual.
Delete email: Select this option to delete the email and attachment completely.
Move to folder: This option will move the email to the specified folder. Input the folder name in the box provided underneath this option.
NOTE: Please note that you cannot configure actions to affect a single attachment within an email. Actions will always affect the whole email containing the attachment.
8. You can configure an attachment rule to send email notifications to the administrator and/or user whenever an email containing an attachment is blocked. You can configure the required notifications by selecting any of the following options:
Notify local user: Select this option if you want to notify the email local users when this filter blocks an attachment.
NOTE: If a threat is detected in an outbound email, the recipients will receive the original email with the malicious parts removed. A security notice is attached to the email to inform the recipients what email parts were removed and for what reason. This behavior is always enabled and is not affected by this setting.
Notify administrator: Select this option if you want to send email notifications to the administrator whenever an email containing an attachment is blocked. The administrator’s email address is specified during the installation of GFI MailSecurity but can still be changed from the GFI MailSecurity configuration (GFI MailSecurity ► Settings node ► General tab). For more information refer to Define the administrator’s email address section in this manual.
9. Select the Log rule occurrence to this file check box and specify a log file name in the box below, if you want to log all rule activity to a log file. You can specify either the file name only or else the full path to a custom location on disk.
NOTE: You can configure an attachment rule using any combination of actions. For example, you can opt not to block emails containing the attachment, but to simply notify the user or log the occurrence to file.
10. Now, you must specify the users to whom this rule applies. By default, GFI MailSecurity will apply the rule to all email users. However, if you want this rule to affect a selection of users only, click the Users/Folders tab.
Screenshot 55 - Attachment Filtering: Users/Folders Tab
11. Choose one of the following options:
Only this list - Select this option if you want to apply this rule to all email users/groups or public folders present in the list.
All except this list - Select this option if you want to apply this rule to all email users, groups or public folders NOT present in the list.
12. To add email users, user groups and/or public folders to the list, click Add.
C:\Documents and Settings\ozammit\My Documents\MSEC\Manual\images\attachment checking add users dialog.png
Screenshot 56 - Add users to an attachment Filtering rule
13. In the add users window, specify the name of the email user/user group or public folder that you wish to add to the list.
14. Click Check Names to query the Active Directory or the imported list of SMTP addresses (depending on how you installed GFI MailSecurity), to check if the specified entry exists. Any user, group or public folder that matches will be listed below.
NOTE: You do not need to input the full name of the user/user group or public folder. It is enough to enter at least three characters. GFI MailSecurity will list all the names that contain the specified characters. For example, if you input ‘ott’, GFI MailSecurity will return names like ‘Scott Adams’ and ‘Freeman Prescott‘, if they are available.
15. Select the check box at the start of the listed name(s) to indicate the ones that you wish to add to the list and click OK.
NOTE: You can select all the listed names at once by selecting the check box next to the Name column heading at the top-left of the list.
NOTE: Repeat steps 12 to 15 to add all the users you want to the list.
NOTE: To remove entries from the list, select the user/user group/public folder you want to remove and click Remove.
NOTE: If no names are included in the list, GFI MailSecurity will automatically apply this rule to all the email users in Active Directory/SMTP address list.
16. Click Apply.