User Guide

9-84

AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide

Chapter 9 Using Message Filters to Enforce Email Policies

Attachment Scanning

In the following example, the attachment is scanned for a pattern in the binary data. The filter uses the

attachment-binary-contains filter rule to search for a pattern that indicates that the PDF document is

encrypted. If the pattern is present in the binary data, a custom header is inserted:

Dropping Attachments by File Type

In the following example, the “executable” group of attachments (.exe, .dll, and .scr) is stripped from

messages and text is added to the message, listing the filenames of the dropped files (via the

$dropped_filename action variable). Note that the drop-attachments-by-filetype action examines

attachments and strips them based on the fingerprint of the file, and not just the three-letter filename

extension. Note also that you can specify a single file type (“mpeg”) or you can refer to all of the

members of the file type (“Media”):

In the following example, the same “executable” group of attachments (

.exe, .dll, and .scr) are

stripped from messages whose Envelope Sender is not within the domain

example.com.

insert-header("X-Example-Approval", "AttachOK");

}

match_PDF_Encrypt:

if (attachment-filetype == 'pdf' AND

attachment-binary-contains('/Encrypt')){

strip-header (‘Subject’);

insert-header (‘Subject’, ‘[Encrypted] $Subject’);

}

strip_all_exes: if (true) {

drop-attachments-by-filetype ('Executable', “Removed attachment:

$dropped_filename”);

}

strip_inbound_exes: if (mail-from != "@example\\.com$") {

drop-attachments-by-filetype ('Executable');

}