Attachment Filtering with Whitelist options
I have a few scenarios where I have MailEssentials block zip files via the content filtering (attachment) option to avoid viruses and 0-day threats from entering the system (more reliable than A/V scanning). On some occasions there may be emails with valid zip files attached that get quarantined due to this policy; these would have to be manually released and checked on occasions. Enabling the whitelist feature has no impact on this filtering option. I would like to see a whitelist function feature for content filtering to enable an email/domain or IP to be trusted with the content filtering feature.
Thanks all for your feedback
I would like to ask some questions regarding the usage of Attachment filtering.
- Do you have Notify Local Recipient enabled? This way intended recipients are notified?
- Do you have Notify Local Administrator enabled? This way the administrator can receive an email and easily approve?
- Are such exclusions intended for specific recipients or external recipients? E.g., you can already exclude internal recipients from rules.
- What type of attachments are these? Zip Files? Office Files? PDF files?
Jean Luc Le Doledec commented
In a high ransomware risk period, I act like Stephen: I blocked .ZIP files, but like him, some are clean.
From my point of view, having a whitelist check before keyword and content filtering is mandatory for mail security software.
To avoid spoofing of the sender address, SPF or an IP source whitelist can be a good complement.
Tim Frodermann commented
My real-life example is xlsm files. We blocked them because of the obvious security problems regarding ransomware. But as it is, my customers receive valid xlsm files on a daily basis.
There seem to be a lot of accounting and ERP programs around that can only export reports as xlsm files and that contain macros for some reasons unknown to me. Even Amazon hands out xlsm files for B2B customers.
So what happens is that people receive a lot of xlsm files, but mostly from a handful of known senders. I could give access to the quarantine, but again, normal users have no access to the malware quarantine, where these attachments end up.
So this is a catch-22: give me normal user access to the malware quarantine or an attachment filtering sender whitelist :-)
Johnny Haak commented
If the e-mail passes first the Anti Spam Filters (including SPF) then whitelisting of external recipients/senders shouldn't be a problem.
Ken Dietz commented
I would argue that the same email spoofing claim could justify not offering an email whitelist as well, which would be catastrophic for organizations not to have that capability.
As the regular email whitelist is "use at your own risk" as email addresses can be spoofed and get through there as well, I think that the same would apply by allowing the whitelist (whether it's a separate attachment filtering list or the same email whitelist) to allow attachments through from whitelisted senders.
An example we've faced is that we get a lot of malicious Word Documents that make it through the standard set of filters, so I've had to instate a full block of all .DOC files at the Attachment Filtering level, meaning that the user does not get ANY Word Documents even from our trusted business partners (legal counsel, partner organizations) and also because they don't end up in their quarantine, they never know about the email at all, forcing me to routinely check the logs to see if anything has come in from these partners. A whitelist at this level would be a huge time saver.
The main reason why this has never been implemented is that email addresses can easily be spoofed.
Any person can easily send an email pretending to be somebody else. Although there are ways to be able to determine if the email is legitimate or not, this does not depend on your configuration but on the sender's configuration, e.g. SPF records, Domain Keys etc.
I do understand that organisations have business partners and they want to quickly receive communications from them easily without having quarantine issues etc. However, if the business partner network or email system gets compromised, then this could potentially compromise your own system.
We will investigate how we can alleviate this problem.
Paul Jebe commented
I'd like to add my support to this request. I would be ok with having to maintain a separate whitelist for Content Filtering if that helps keep it more secure. As mentioned by other customers we like to block potentially harmful attachments (mainly zip and xls) but would like to receive them without hassle from a handful of trusted business partners.
Bob Walters commented
Notify local recipient would just make them call me therefore causing more work. Notify Admin, ditto, I have enough email to deal with already.
I have to keep an eye on the quarantine constantly as my client receives time-critical tender requests via macro-enabled Office documents. Also some .zip files. It needs to be whitelisted by sender or sender's domain. This is pretty urgent and I am surprised that it has not been requested a long time ago by a lot of people.
Peter Huber commented
We urgently need exceptions for attachment filtering. We couldn't afford to lose customer orders because of a missing whitelist option. Excluding some external email addresses from filtering is better than disabling the filtering at all.
Matthew Pulis commented
Yes. I spoke with Andrea this morning and the feature that many are looking for is to have the possibility of a whitelist for external users.
Having said that, one needs to be aware that even a person you trust may get infected and send you an infected file, but this request has nevertheless been popular throughout the years.
AdminJoe Kern (Admin, GFI) commented
Just to understand the issue: while MailEssentials will allow for control and policies for attachment filtering based on internal email addresses, you would like it to also apply to external email addresses.
*@* = block all zip files
Joe@yourcompany. = allow zip files to be received only by him
jane@customercompany = zip files from jane to all "@yourcompany" are allowed
In this example what is missing that you are looking for is the Jane scenario.
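The three rules in the comment above, with the external-sender exemption honoured only when SPF or DKIM confirms the visible sender domain, as other commenters suggest. This is an added example, not GFI MailEssentials code or configuration; the addresses, the `Message` fields and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

BLOCKED_EXT = (".zip", ".xlsm", ".doc")            # types commenters block
RECIPIENT_EXEMPT = {"joe@yourcompany.example"}     # constructed address
SENDER_EXEMPT = {"jane@customercompany.example"}   # constructed address

@dataclass
class Message:
    mail_from: str          # envelope sender, the identity SPF evaluates
    header_from: str        # From: address the user sees
    recipient: str
    attachments: list = field(default_factory=list)
    spf: str = "none"       # upstream SPF verdict for mail_from's domain
    dkim_domain: str = ""   # d= of a verified DKIM signature, "" if none

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def sender_authenticated(msg):
    """True only if SPF or DKIM vouches for the *visible* From: domain."""
    d = domain(msg.header_from)
    spf_ok = msg.spf == "pass" and domain(msg.mail_from) == d
    dkim_ok = msg.dkim_domain.lower() == d
    return spf_ok or dkim_ok

def evaluate(msg):
    """Return (action, reason) for the attachment-extension rule only."""
    hits = [a for a in msg.attachments if a.lower().endswith(BLOCKED_EXT)]
    if not hits:
        return ("deliver", "no blocked attachment types")
    if msg.recipient.lower() in RECIPIENT_EXEMPT:
        return ("deliver", "internal recipient exempt")
    if msg.header_from.lower() in SENDER_EXEMPT:
        if sender_authenticated(msg):
            return ("deliver", "authenticated exempt sender")
        return ("quarantine", "exempt sender address not authenticated")
    return ("quarantine", "blocked attachment type")
```

In this sketch the exemption skips only the extension rule, so anti-virus scanning should still apply to mail from exempt senders.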
Andrea Rosetti commented
We currently use McAfee GroupShield and would like to move away from it,
but it offers the ability to define a whitelist of external senders from whom attachments are accepted.
Without a whitelist it is not possible to use attachment filtering.
I am asking whether this could be added to GFI as well.
Mark Fletcher commented
I have exactly the same issue as Stephen. How anyone imagined a commercial organisation can be expected to run attachment filtering for .zip files without a whitelist option. Perhaps the GFI developers need to have a day out in the real world hahahaha.
Sal LaDuca commented
I agree. I want to block rogue zip files, but my customers use zip files all the time from legitimate senders.