Manage Attachment Restrictions

The Attachment restrictions page allows you to configure which email attachments to allow and which to block.

In the Domain Level Control Panel, select Incoming - Protection Settings > Attachment restrictions. The Attachment restrictions page is displayed.

The following restrictions can be configured:

Restriction Description
Blocked Extensions

Messages that have an attachment with any of the selected extensions will be rejected.

You can add new extensions to those listed using the Add new extension feature.

Disallowed release extensions

Email users will not be allowed to release messages that contain attachments with the selected extensions.

You can add extensions to this list using the Add new extension feature.

Restriction options
  • Block password-protected archive attachments - If enabled, blocks messages with password-protected attachments such as ZIP files.
  • Block potentially unwanted attachments - If enabled, rejects attachments that are considered dangerous or unwanted, for example compressed executable files (e.g. UPX packers), password tools, network tools, peer-to-peer clients, remote access applications, system tools, spying tools and documents containing scripts.

    This restriction applies to inbound messages only. To apply it to outbound mail, see Edit an Outgoing User/Authentication method.

  • Block Attachments Containing Hidden Executables at Domain Level - If enabled, ZIP, TAR, GZIP, BZIP2 and 7Z archives (other than those compressed with deflate64) are checked and the message is rejected if the archive appears to contain an executable.
  • Block attachments with macros - If enabled, any message with a document-based attachment (.doc, .xls, .ppt etc.) that contains any kind of macro is rejected.

Additional restrictions

Message link size limit (in bytes) - This option restricts the amount of data that is downloaded per message. Links in messages to executable files that would be blocked as attachments are followed and the content is checked against an anti-virus database.

Maximum MIME defects - Messages that are sent with standard email clients have no defects, whereas spam messages are often generated with poorly developed software and have many defects. Normally we reject messages with defects but if you have a need to receive defective messages, you may set a limit or disable this check. If the defective messages come from a single sender, it would generally be better to either convince the sender to fix their software or allow that sender using Manage Incoming Sender Allow list.

Scanned link extensions

If the Message link size limit is set (above), then links in messages to files with the selected extensions will be scanned for viruses and other malware.

You can add extensions to this list using the Add new extension feature.

Default (inherited) Blocked Extensions

.ade, .adp, .bat, .btm, .chm, .cmd, .com, .cpl, .dll, .docm, .exe, .hta, .ins, .isp, .jar, .js, .jse, .lib, .lnk, .mde, .msc, .msi, .msp, .mst, .nsh, .pif, .prf, .reg, .scr, .sct, .shb, .url, .vb, .vbe, .vbs, .vxd, .wsc, .wsf, .wsh

Default (inherited) Scanned Link Extensions

.bat, .btm, .cmd, .cpl, .dll, .exe, .lnk, .msi, .pif, .prf, .reg, .scr, .url, .vbs

Block Specific Extension Types

You can also block messages based on their attachment type. You can add more attachment types to the list of default ones already set up in the system.

  1. In the Blocked extensions panel, place a tick in the checkbox alongside the extension type you want to block
  2. To add more extension types, use the Add new extensions field
  3. Click Save

Block Password-Protected Archive Attachments

Spammers often send password-encrypted archives in the hope of bypassing some filters, and state the password in the body of the spam message. These messages can be blocked by enabling the “Block Password Protected Attachments” feature.

  1. In the Restriction Options panel, place a tick in the Block password-protected archive attachments checkbox
  2. Click Save

Block Attachments Containing Hidden Executables at Domain Level

To block dangerous attachments for a specific domain only:

  1. In the Restriction Options panel, place a tick in the Block attachments that contain hidden executables checkbox
  2. Click Save
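
An illustration of the two archive checks described above (password-protected archives and hidden executables), added here as an example; it is not the product's own scanning logic. It assumes ZIP input only and treats a member as an executable when its extension is on the default blocked list from this page; check_attachment, sample_zip and the sample file names are hypothetical.

```python
import io
import zipfile

# Default (inherited) Blocked Extensions as listed on this page.
BLOCKED = frozenset(
    "ade adp bat btm chm cmd com cpl dll docm exe hta ins isp jar js jse lib lnk "
    "mde msc msi msp mst nsh pif prf reg scr sct shb url vb vbe vbs vxd wsc wsf wsh".split()
)

def extension(name):
    """Lower-cased final extension; trailing dots and spaces are ignored."""
    name = name.rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def check_attachment(filename, data):
    """Return the reasons (possibly none) an attachment would be flagged."""
    reasons = []
    if extension(filename) in BLOCKED:
        reasons.append("blocked-extension")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
    # Bit 0 of a member's general-purpose flags marks it as encrypted.
    if any(m.flag_bits & 0x1 for m in members):
        reasons.append("password-protected-archive")
    # Assumption: "appears to contain an executable" is modelled by extension.
    for m in members:
        if extension(m.filename) in BLOCKED:
            reasons.append("hidden-executable:" + m.filename)
    return reasons

def sample_zip(names, encrypted=False):
    """Constructed test input: an in-memory ZIP with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption flag in the first central-directory record only.
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(raw)

if __name__ == "__main__":
    print(check_attachment("docs.zip", sample_zip(["readme.txt", "invoice.pdf.EXE"])))
    print(check_attachment("scan.zip", sample_zip(["scan.pdf"], encrypted=True)))
```

Running a check like this over a sample of legitimate inbound attachments before enabling the options shows which regular senders would start being rejected.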

Block Attachments with Macros

This option (which is disabled by default) allows you to reject all incoming emails received with document-based attachments (.doc, .xls, .ppt etc.) containing macros. To enable it for a domain:

  1. In the Restriction Options panel, place a tick in the Block attachments with macros checkbox
  2. Click Save

Enable Scanned Link Extensions

This option (which is disabled by default) allows you to configure your domain(s) to allow the download of files of a specific extension type from links within an email. The system scans the files for any viruses or malware.

  1. In the Additional Restrictions panel, enter 2000000 in the Message link size limit (in bytes) field
  2. In the Scanned Link Extensions panel, add the following extension types to the existing list using the Add new extensions field: zip, rar, jar, js, java, aspx, doc, docm, xls, xlsm
  3. Click Save

For redirect links (commonly seen in invoice-related spam), an extra link-follow option is needed. This currently needs to be enabled by our Support team. If required, please raise a support ticket through N-AbleMe so that they can set this up for you.