Cisco Email Security Appliance X1050 Troubleshooting Guide

Question:
Attachments are not being dropped as expected, and one of the following applies:
Message Filter is using drop-attachments-by-filetype.
Content Filter is using Drop_Attachments_By_Filetype_Action.
The Drop Attachments by Filetype filter action examines attachments based on the fingerprint of the file, and
not just the three-letter filename extension. There are a few reasons why this scan may not match on a file as
expected.
This fingerprint scan is only performed on attachments that are under the max scan size as set in
scanconfig (from the CLI). If the attachment is an archive and the extracted content's total size is greater than
the max scan size or exceeds the max scan depth, the fingerprint will not be checked on the individual files.
Encoding a file for email transport generally results in a larger amount of data than when the file is saved on
disk. Either of these last two items may explain why some attachments smaller than the max scan size are not
being dropped.
There may also have been a scan error, and it is possible that the detected MIME type is configured to be
skipped. To find out the exact cause for a given message, search the mail logs using grep from the CLI.
When you search on the MID, any scan issues will be reported on their own line. Here is an example:
Tue Aug 3 16:36:29 2004 Warning: MID 256, Message Scanning Problem: Continuation line seen before first header
There will also be a line that shows the overall message size in bytes, which will give you a rough idea of how
large the encoded attachment is:
Wed Jun 16 21:42:38 2004 Info: MID 200257070 ready 24663 bytes from <someone@example.com>
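The same MID search can be run offline over an exported copy of the mail logs. The following is an added example, not Cisco code: the function name, the sample lines and the 5 MiB limit are constructed, and the max scan size must be read from scanconfig on your appliance.

```python
import re

# Patterns mirror the two mail log line shapes quoted in this note.
SCAN_RE = re.compile(r"Warning: MID (\d+), Message Scanning Problem: (.+)$")
SIZE_RE = re.compile(r"Info: MID (\d+) ready (\d+) bytes from <([^>]*)>")

# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = [
    "Tue Aug 3 16:36:28 2004 Info: MID 256 ready 6291456 bytes from <someone@example.com>",
    "Tue Aug 3 16:36:29 2004 Warning: MID 256, Message Scanning Problem: "
    "Continuation line seen before first header",
    "Tue Aug 3 16:36:30 2004 Info: MID 2560 ready 24663 bytes from <someone@example.com>",
]


def summarize_mid(log_lines, mid, max_scan_size):
    """Return scan problems and the logged (encoded) size for exactly one MID.

    max_scan_size is in bytes; read it from scanconfig and pass it in
    (assumption: it is not available in the mail logs themselves).
    """
    mid = str(mid)
    out = {"mid": mid, "scan_problems": [], "size_bytes": None,
           "over_max_scan_size": None}
    for line in log_lines:
        m = SCAN_RE.search(line.rstrip("\r\n"))
        if m and m.group(1) == mid:  # exact MID, so 256 never matches 2560
            out["scan_problems"].append(m.group(2).strip())
            continue
        m = SIZE_RE.search(line)
        if m and m.group(1) == mid:
            out["size_bytes"] = int(m.group(2))
    if out["size_bytes"] is not None:
        # Rough indicator only: this is the whole encoded message size.
        out["over_max_scan_size"] = out["size_bytes"] > max_scan_size
    return out


if __name__ == "__main__":
    # 5 MiB is a constructed limit for the demo, not a value from the page.
    for mid in (256, 2560):
        print(summarize_mid(SAMPLE_LOG, mid, max_scan_size=5 * 1024 * 1024))
```

A plain substring search for "MID 256" would also return the lines for MID 2560; the exact comparison above keeps the two messages apart.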
Updated: Aug 20, 2014
Document ID: 118312