Why are attachments not being dropped by the filetype filter on ESA?
Updated: August 20, 2014
Attachments are not being dropped as expected, and one of the following is true:
Message Filter is using drop-attachments-by-filetype.
Content Filter is using Drop_Attachments_By_Filetype_Action.
The Drop Attachments by Filetype filter action examines attachments based on the fingerprint of the file, and not just the three-letter filename extension. There are a few reasons why this scan may not match on a file as expected.
This fingerprint scan is only performed on attachments that are under the max scan size as set in scanconfig (from the CLI). If the attachment is an archive and the extracted content's total size is greater than the max scan size or exceeds the max scan depth, the fingerprint will not be checked on the individual files. Encoding a file for email transport generally results in a larger amount of data than when the file is saved on disk. Either of these last two items may explain why some attachments smaller than the max scan size are not being dropped.
There may also have been a scan error, and it is possible that the detected MIME type is configured to be skipped. To find out the exact cause for a given message, search the mail logs using grep from the CLI. When you search on the MID, any scan issues will be reported on their own line. Here is an example:
Tue Aug 3 16:36:29 2004 Warning: MID 256, Message Scanning Problem: Continuation line seen before first header
There will also be a line that shows the overall message size in bytes, which will give you a rough idea of how large the encoded attachment is.
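The log check and the encoding overhead described above can be worked through offline on an exported copy of the mail logs. The following is an added example, not Cisco code: the "ready ... bytes" line format, the sample log lines other than the warning shown above, and the 5 MiB limit are assumptions made for illustration.

```python
import re

# Constructed sample log. The warning line is the one shown on this page; the
# "ready ... bytes" size line format is an assumption for this example.
SAMPLE_LOG = """\
Tue Aug 3 16:36:27 2004 Info: MID 256 ready 7340032 bytes from <sender@example.com>
Tue Aug 3 16:36:29 2004 Warning: MID 256, Message Scanning Problem: Continuation line seen before first header
Tue Aug 3 16:36:30 2004 Info: MID 257 ready 2048 bytes from <other@example.com>
"""

PROBLEM_RE = re.compile(r"MID (\d+), Message Scanning Problem: (.+)$")
SIZE_RE = re.compile(r"MID (\d+) ready (\d+) bytes")


def base64_encoded_size(disk_bytes, line_len=76):
    """Bytes a file occupies after base64 transfer encoding, CRLFs included."""
    encoded = 4 * ((disk_bytes + 2) // 3)   # every 3 input bytes become 4
    lines = -(-encoded // line_len)         # ceiling division
    return encoded + 2 * lines              # CRLF after each encoded line


def triage_mid(log_text, mid, max_scan_size):
    """Collect scan problems and the logged message size for one MID."""
    problems, size = [], None
    for line in log_text.splitlines():
        m = PROBLEM_RE.search(line)
        if m and int(m.group(1)) == mid:
            problems.append(m.group(2).strip())
        m = SIZE_RE.search(line)
        if m and int(m.group(1)) == mid:
            size = int(m.group(2))
    return {
        "mid": mid,
        "scan_problems": problems,
        "message_bytes": size,
        # Rough indicator only: the whole message, not one attachment.
        "over_limit": size is not None and size > max_scan_size,
    }


if __name__ == "__main__":
    limit = 5 * 1024 * 1024  # hypothetical max scan size; read yours from scanconfig
    print(triage_mid(SAMPLE_LOG, 256, limit))
    # A 4 MiB file on disk is under the limit, but its encoded form is not.
    print(base64_encoded_size(4 * 1024 * 1024), ">", limit)
```

Replace the limit with the value scanconfig reports on the appliance before drawing conclusions from the comparison.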