Spammers often use emails as a means to infect their victims. They do so by attaching files to their emails which, when opened, can install malicious software, steal personal information and/or hijack the user's computer. In order to protect our clients, our filters block certain types of files by default. The filters can also be personalized to block or accept the files you wish to receive.
This article applies to Administrator accounts. Quarantine Administrator accounts can view this information but cannot edit the parameters.
Administrators can manage user accounts under:
My Organization → Parameters → Inbound Filtering → Filtering Policy Groups → Filtering.
Files Blocked by Default
All files considered executable are banned by default. This includes executables for Windows, Mac, Linux, and others. The following extensions are banned by default:
We also block files based on MIME type. The following MIME types are banned:
Other indicators are also used to detect executable files. File detection is based on the specific extensions as well as on file metadata (in order to block files with renamed extensions).
What Happens to Emails with Banned Files?
Emails with banned files are quarantined and a Delivery Status Notification (DSN) is sent to the sender to inform them that their email was quarantined.
Administrators and individual users may browse these emails in the quarantine, where they are identified with the Banned File icon (see below). They may release these emails, and administrators may also click Release and allow sender to add the sender to the "Banned files sender exceptions" list.
Are Zipped Files Blocked?
Zipped files are not inherently bad so our filters don't block them by default. These files are unzipped and the content is scanned to see if it matches any of the banned file rules. The zipped archives unzipped by our filters are:
Our filters can scan the contents of a zipped archive even if it is password protected: password protection blocks execution of the contents, but not viewing. However, if the archive contains several levels, or even several archives, our filters cannot inspect the contents of those folders or archives. For this reason, we recommend activating the Banned Category Password protected zip archives.
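The following is an added example, not the vendor's code: a one-level zip scan showing why entry names in a password-protected archive can still be checked, why nested archives go uninspected, and how a file signature catches a renamed executable. The extension sets and signatures are assumed sample values, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Assumed sample policy; the vendor's default lists are not reproduced here.
BANNED_EXTENSIONS = {"exe", "scr", "js"}
ARCHIVE_EXTENSIONS = {"zip"}
# Two well-known executable signatures (a subset), used to catch renamed files.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def extension(name):
    """Return the lower-case extension of an entry name, without the period."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def scan_zip(data):
    """Return a list of (finding, entry name) pairs for a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = extension(info.filename)
            # Entry names sit in the central directory, which classic zip
            # encryption leaves in clear, so this check needs no password.
            if ext in BANNED_EXTENSIONS:
                findings.append(("banned-extension", info.filename))
            if ext in ARCHIVE_EXTENSIONS:
                # One level only: the inner archive is reported, not opened.
                findings.append(("nested-archive", info.filename))
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(("encrypted-entry", info.filename))
                continue  # content is unreadable without the password
            with archive.open(info) as member:
                head = member.read(4)
            if ext not in BANNED_EXTENSIONS and head.startswith(EXECUTABLE_MAGIC):
                findings.append(("renamed-executable", info.filename))
    return findings


def build_sample(entries):
    """Build a constructed in-memory zip from a {name: bytes} mapping."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, content in entries.items():
            archive.writestr(name, content)
    return buffer.getvalue()
```

An entry reported as `nested-archive` or `encrypted-entry` has not had its content examined, which is the gap the Password protected zip archives category is meant to cover.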
Banned Categories Descriptions
Here follows a short description of the different Banned Categories and what they represent.
(italic categories are active by default).
|Windows executables||All Windows executable file types|
|Mac OS executables||All MacOS executable file types|
|Linux executables||All Linux executable file types|
|Other executables||Files that are not meant to be executable, but that could be (e.g., .js)|
|Microsoft Office Dangerous Macros||Any Microsoft Office document containing macros that auto-execute and that write to system memory and/or execute arbitrary code|
| Pre-2007 Microsoft Office macros
| Microsoft Office 2007+ Macros
|Microsoft Office Mismatch Macro version||All cases where the file extension and MIME type declarations do not match up|
|Password protected zip archives|| All password-protected
A Note About Microsoft Office Macros
Microsoft Office files containing macros are a popular infection vector that spammers have long used. While these documents can come in many shapes and forms, some are more dangerous than others. The most dangerous files are auto-executable and also either write to system memory or execute something outside of their own context. The Content Category Microsoft Office Dangerous Macros looks to block these dangerous files.
Due to the danger represented by these files, Microsoft Office Dangerous Macros is activated by default. It is not recommended to uncheck this category. You may add specific trusted senders to the "Banned files sender exceptions" list on a case-by-case basis.
You may also block other types of macros based on the type (pre-2007 or post-2007) by using the appropriate Banned Category.
Attachments Tab
This tab contains all filtering parameters relating to banned file verifications. You can add entries to the "Allowed attachment extensions" and "Blocked attachment extensions" lists for files attached to messages.
Adding an "Allowed attachment extensions" list entry will override verifications done on that type of content (or on attached files from a specific sender if using the "Banned files sender exceptions" list). The message might still be blocked due to other verifications, however.
Adding a "Blocked attachment extensions" list entry will put the message in the quarantine. Depending on the rest of the content filtering analysis, our filters may return a Delivery Status Notification (DSN). See the Related Articles for more information on DSNs.
|LIST NAME||ACCEPTED VALUES||DISABLES MOST FILTERING CHECKS||DISABLES BANNED FILE CHECKS||DISABLES SPF/DKIM/DMARC CHECKS||DISABLES ANTIVIRUS CHECKS|
|Allowed attachment extensions||File Extension||✖||✔️||✖||✖|
|Blocked attachment extensions||File Extension||Messages are quarantined and a DSN may be returned to the sender (see Related Articles for DSN example)|
|Banned files sender exceptions||Address||✖||✔️||✖||✖|
|Allowed attachment MIME types||MIME Type||✖||✔️||✖||✖|
|Blocked attachment MIME types||MIME Type||Messages are quarantined and a DSN may be returned to the sender (see Related Articles for DSN example)|
In the event of a discrepancy, the "Allowed" lists have precedence over the "Blocked" lists.
File Extension Format Examples
Entries in these lists should contain only the characters identifying the extension. There is no need to add "wildcard" characters (*) or to preface the extension with a period (.).