Guest

Cisco Email Security Appliance

Replace a Stripped Attachment with a Text Message on the ESA

Document ID: 117867

Updated: Jul 01, 2014

Contributed by Scott Roeder and Enrico Werner, Cisco TAC Engineers.

   Print

Introduction

This document describes how to replace a stripped attachment with a text message on the Email Security Appliance (ESA).

Create a Message Filter

Many sites wish to give additional information when they strip attachments. You can do this with a message filter, which allows the inclusion of an optional comment field.

Here is an example message filter:

    StripInboundMP3s:
    if (recv-listener == "InboundMail") {
      drop-attachments-by-filetype ('mp3', 'Corporate policy disallows mp3
attachments.  Please contact the helpdesk at x411 for assistance in
transferring binary files.');
    }

You can create this message filter in the CLI with the filters command:

    smtp.example.com> filters

    Choose the operation you want to perform:
    - NEW - Create a new filter.
    - DELETE - Remove a filter.
    - IMPORT - Import a filter script from a file.
    - EXPORT - Export filters to a file
    - MOVE - Move a filter to a different position.
    - SET - Set a filter attribute.
    - LIST - List the filters.
    - DETAIL - Get detailed information on the filters.
    - LOGCONFIG - Configure log subscriptions used by filters.
    - ROLLOVERNOW - Roll over a filter log file.
    []> new

    Enter filter script.  Enter '.' on its own line to end.
    StripInboundMP3s:
    if (recv-listener == "InboundMail") {
      drop-attachments-by-filetype ('mp3', 'Corporate policy disallows mp3 attachments. 
Please contact the helpdesk at x411 for assistance in transferring binary files.');
    }
    .
    1 filters added.

    Choose the operation you want to perform:
    - NEW - Create a new filter.
    - DELETE - Remove a filter.
    - IMPORT - Import a filter script from a file.
    - EXPORT - Export filters to a file
    - MOVE - Move a filter to a different position.
    - SET - Set a filter attribute.
    - LIST - List the filters.
    - DETAIL - Get detailed information on the filters.
    - LOGCONFIG - Configure log subscriptions used by filters.
    - ROLLOVERNOW - Roll over a filter log file.
    []>

    smtp.example.com> commit

    Please enter some comments describing your changes:
    []> add StripInboundMP3s filter

    Changes committed: Wed Nov 24 18:32:03 2004 MST

You can also use message filter action variables in order to provide more information, such as the timestamp or sender.

Create a Notification Message

Another approach is to send a separate notification message that explains the policy. The advantages of this are that you can create a longer and more detailed message, and you can also send it to the sender, the recipient, or any other address you wish to notify.

In order to create a notification message, use the textconfig CLI command:

    smtp.example.com> textconfig

    Current Text Resources:
    1. Disclaimer (Message Footer)
    2. attach.size.notify (Notification Template)

    Choose the operation you want to perform:
    - NEW - Create a new text resource.
    - IMPORT - Import a text resource from a file.
    - EXPORT - Export text resource to a file.
    - PRINT - Display the content of a resource.
    - EDIT - Modify a resource.
    - DELETE - Remove a resource from the system.
    []> new

    What kind of text resource would you like to create?
    1. Message Footer
    2. Notification Template
    [1]> 2

    Please create a name for the notification template:
    []> mp3.strip.notify

    Enter the encoding for the notification template:
    1. US-ASCII
    2. Unicode (UTF-8)
    3. Unicode (UTF-16)
    4. Western European/Latin-1 (ISO 8859-1)
    5. Western European/Latin-1 (Windows CP1252)
    6. Traditional Chinese (Big 5)
    7. Simplified Chinese (GB 2312)
    8. Simplified Chinese (HZ GB 2312)
    9. Korean (ISO 2022-KR)
    10. Korean (KS-C-5601/EUC-KR)
    11. Japanese (Shift-JIS (X0123))
    12. Japanese (ISO-2022-JP)
    13. Japanese (EUC)
    [1]>

    Enter or paste the notification template here.  Enter '.' on a blank line to end.
    To whom it may concern:

    You have attempted to send an MP3 file to a corporate address.  It is against
    corporate policy to send or receive MP3 files, and the MP3 was stripped
    from the message you sent.  The other parts of the message were
    delivered to the recipient.

    If you have any problems or questions regarding this policy, please contact
    the Help Desk at x411 or 800-555-1212.

    Thank you for your attention to this matter.
    Corporate Management
    .

    Notification template "mp3.strip.notify" created.

    Current Text Resources:
    1. Disclaimer (Message Footer)
    2. attach.size.notify (Notification Template)
    3. mp3.strip.notify (Notification Template)

    Choose the operation you want to perform:
    - NEW - Create a new text resource.
    - IMPORT - Import a text resource from a file.
    - EXPORT - Export text resource to a file.
    - PRINT - Display the content of a resource.
    - EDIT - Modify a resource.
    - DELETE - Remove a resource from the system.
    []>

    smtp.example.com> commit

    Please enter some comments describing your changes:
    []> create mp3.strip.notify for notifications

    Changes committed: Wed Nov 24 18:52:32 2004 MST

The notify action sends a summary email of the message to the specified email address. The notification summary contains the contents of the envelope addresses, the message headers of the message, and the name of the message filter that matched the message. A message filter that uses this notify template resembles this:

    StripInboundMP3s:
    If (recv-listener == "InboundMail")
    AND (attachment-filetype == "mp3") {
      drop-attachments-by-filetype("mp3");
      notify("$EnvelopeSender,$EnvelopeRecipients", "[$FilterName] MP3s not allowed",
"$EnvelopeSender", "mp3.strip.notify");
    }

Note: The rules now check if the message has an mp3 attachment before stripping and sending a notification.

This notification message is sent to both the sender and the recipients, with the subject line [StripInboundMP3s] MP3s not allowed; it sets the return path, which defaults to Mail Delivery System MAILER-DAEMON@smtp.example.com, to the sender. The message has the mp3.strip.notify message plus the contents of the notification message noted previously.

Be cautious about notifying senders. Since the majority of email is spam, a message filter such as the one previoulsy described generates notifications to spam and virus senders that are typically undeliverable. The filter can also be created as a content filter. Content filters are applied after anti-spam and anti-virus have processed the message. It is much more reasonable to notify senders in a content filter than in a message filter, but only if you drop spam and virus attachments.

Updated: Jul 01, 2014
Document ID: 117867