IronPort - advanced configuration guide

Chapter 6 Using Message Filters to Enforce Email Policies
OL-25137-01
In the following example, the attachment is scanned for a pattern in the binary data. The filter uses the
attachment-binary-contains filter rule to search for a pattern that indicates that the PDF document is
encrypted. If the pattern is present in the binary data, a custom header is inserted:
match_PDF_Encrypt:
if (attachment-filetype == 'pdf' AND
Dropping Attachments by File Type
attachment-binary-contains('/Encrypt')){
strip-header (‘Subject’);
insert-header (‘Subject’, ‘[Encrypted] $Subject’);
}
In the following example, the “executable” group of attachments (.exe, .dll, and .scr) is stripped from
messages and text is added to the message, listing the filenames of the dropped files (via the
$dropped_filename action variable). Note that the drop-attachments-by-filetype action examines
attachments and strips them based on the fingerprint of the file, and not just the three-letter filename
extension. Note also that you can specify a single filetype (“mpeg”) or you can refer to all of the
members of the filetype (“Media”):
strip_all_exes: if (true) {
drop-attachments-by-filetype ('Executable', “Removed attachment:
$dropped_filename”);
}
In the following example, the same “executable” group of attachments (.exe, .dll, and .scr) are
stripped from messages whose Envelope Sender is not within the domain example.com.
strip_inbound_exes: if (mail-from != "@example\\.com$") {
}
drop-attachments-by-filetype ('Executable');
In the following example, a specific member of a file type (“wmf”) as well as a the same “executable”
group of attachments (.exe, .dll, and .scr) are stripped from messages whose Envelope Sender is not
within the domain example.com.
strip_inbound_exes_and_wmf: if (mail-from != "@example\\.com$") {
}
drop-attachments-by-filetype ('Executable');
drop-attachments-by-filetype ('x-wmf');
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
6-73