Cisco Email Security Appliance X1070 Troubleshooting Guide

ESA Message Filter Action Descriptions
Document ID: 117857
Contributed by Tomki Camp and Enrico Werner, Cisco TAC Engineers.
Jun 26, 2014
Contents
Introduction
Message Filter Action Overview
Message Filter Action Descriptions
Introduction
This document describes the differences between the drop-attachments-by-name, drop-attachments-by-type,
drop-attachments-by-filetype, and drop-attachments-by-mimetype message filter actions on the Cisco Email
Security Appliance (ESA).
Message Filter Action Overview
Messages that are sent using MIME can have labels assigned to various body parts, which are often called
attachments. These labels can (and do) conflict with each other in the information they provide. In addition, a
body part might have its own characteristics. For example, a user might take a JPEG image, attach it to a mail
message, give it a MIME type of text/html, and mark it with a MIME filename of jan.mp3. All of these labels
conflict with the reality of what the attachment is.
For example, consider this message header:
Boundary_(ID_n6BU1raweF+4UwCeweFmVQ)
Content-type: application/msword; name="eval form.doc"
Content-transfer-encoding: BASE64
Content-disposition: attachment; filename="eval form.doc"
Content-description: eval form.doc
In this case, the MIME filenames and MIME types are all consistent and might or might not match the actual
format of the body part (attachment). However, in this header, there are inconsistencies:
Boundary_(ID_n6BU1raweF+4UwCeweFmVQ)
Content-type: image/jpeg; name="eval form.doc"
Content-transfer-encoding: BASE64
Content-disposition: attachment; filename="evaluation.zip"
Content-description: These are the latest warez, d00d.
For well-formed messages, implementing policy is fairly easy. But in the case of someone either intentionally
or unintentionally trying to bypass policy, additional flexibility is required.
Network managers often want to drop attachments of a particular type, such as all MP3 files. However,
implementing this policy means that you have to decide which of the labels you want to pay attention to (if
any of them). AsyncOS gives you the flexibility to look at the MIME type (such as text/html), the MIME
filename (such as jan.mp3), and to actually fingerprint the attachment in order to try to determine what the
true format is. When implementing your policy using message filters or content filters, you might want to use
one or more of these labels.
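The following is an added Python example, not code from this document or from AsyncOS: it parses the inconsistent part shown above, reads the three labels (MIME type, the Content-Type name, the Content-Disposition filename), fingerprints the decoded body, and reports which of them a "drop all attachments of type X" policy would actually fire on. The magic-byte table, the extension map and the sample message are constructed for illustration.

```python
import email
import os
from email import policy

# Magic-byte fingerprints and extension->type map: assumed, small tables for illustration.
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"PK\x03\x04", "application/zip"),
         (b"%PDF-", "application/pdf"), (b"\xd0\xcf\x11\xe0", "application/msword")]
EXT_TYPES = {".jpg": "image/jpeg", ".zip": "application/zip", ".pdf": "application/pdf",
             ".mp3": "audio/mpeg", ".doc": "application/msword"}

# Constructed message (not a real capture): the inconsistent part from the text, whose
# body really is a JPEG (base64 of the FF D8 FF E0 00 10 "JFIF" signature bytes).
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="constructed-boundary"

--constructed-boundary
Content-Type: image/jpeg; name="eval form.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="evaluation.zip"

/9j/4AAQSkZJRgAB
--constructed-boundary--
"""

def fingerprint(data: bytes) -> str:
    """Real format from the leading bytes, ignoring every MIME label."""
    return next((m for magic, m in MAGIC if data.startswith(magic)), "application/octet-stream")

def type_from_name(name) -> str:
    """Type implied by the extension of a MIME filename label."""
    return EXT_TYPES.get(os.path.splitext(name or "")[1].lower(), "unknown")

def describe_attachments(raw: bytes) -> list:
    """Per attachment: the type each label claims, and what the bytes say."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""
        out.append({"mime_type": part.get_content_type(),                  # Content-Type
                    "name": type_from_name(part.get_param("name")),        # Content-Type name=
                    "filename": type_from_name(part.get_filename()),       # Content-Disposition filename=
                    "fingerprint": fingerprint(body)})                     # actual content
    return out

def labels_claiming(info: dict, mime: str) -> set:
    """Labels that would trigger a 'drop all <mime> attachments' policy for this part."""
    return {label for label, value in info.items() if value == mime}
```

For the sample part, a rule keyed on the MIME filename sees a ZIP, a rule keyed on the Content-Type name sees a Word document, and only the MIME type and the fingerprint agree that it is a JPEG.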