ESA Content Filters for Email Messages with Multiple Attachments

Available Languages

Updated:July 1, 2014
Document ID:117821

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how the negative content filter conditions work for email messages that contain multiple attachments on the Cisco Email Security Appliance (ESA).

Problem

You use a content filter that allows certain types of email attachments, while other types of attachments should be marked for quarantine. When an email message arrives that has multiple attachments, one that should be allowed and another that should be marked for quarantine, the filter identifies the entire message as allowed.

Here is the content filter that is used:

if attachment filename != (list of attachments), then quarantine

This condition and action functions as intended if the email message has a single attachment, but it does not function properly for messages that contain multiple, different attachments.

Example Scenario

These are the types of attachments that are allowed:

  • rar
  • pdf
  • jpg

All other attachments should be sent to quarantine, as specified by the filter condition and action.

Filter Condition

Here is the filter condition that is used:

if attachment filename != (rar|pdf|jpg)

Filter Action

Here is the filter action that is used:

quarantine

The expectation typically is that if the email message contains a pdf attachment and a txt attachment, then it should be quarantined due to the txt attachment because it is not in the list of allowed attachments. However, this content filter does not function as intended because it matches the pdf attachment in the message and directly permits it, even though it has a txt attachment.

Solution

It is not possible to quarantine the email with the txt attachment for these reasons:

  • The attachment conditions are for all of the attachments that are included in a message.
  • The negative != comparison verifies whether any of the attachments match.

As described, if any of the attachments are allowed, such as when they match the !=, then the entire message is treated as allowed. There is no way around this; it is simply the way that these conditions work.

The only other solution is to invert the logic and block specific attachments, not just any attachment that is not white-listed.

Revision History

Revision Publish Date Comments
1.0
01-Jul-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Enrico Werner
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products