Wednesday, April 24, 2013

E-Mail File Filtering, was that a GZIP file?

One of my customers had a problem: an e-mail was being blocked by their Microsoft Forefront Protection 2010 for Exchange Server file filter, but they couldn't quite figure out why. The e-mail's attachment did not seem to match any of the restricted file types, yet it was still being blocked. To make matters worse, their file filter list included several file headers to block, but the log only noted which filter list blocked the file, not which entry in that list triggered it.

I first had to break the filter list down into one filter list per file type with the following command.

# One filter list per file type in "BlockFiles" (named after the type), so the log names the type that triggered the block
foreach ($a in (Get-FseFilterList -File -List "BlockFiles").FileType) { New-FseFilterList -File -List "BlockFiles_$a" -Item "*" -FileType $a }

If you are familiar with Forefront Protection for Exchange, you know that its PowerShell cmdlets aren't that great, and the above command created a bit of a mess: every new filter list was created disabled, and none of the action or notification settings matched the defaults. That wasn't what I wanted, so I had to click through the graphical user interface for a while and then disable the larger filter list.

Once all the filter lists were ready, I resent the e-mail, and sure enough it was blocked, but this time I knew that the attachment carried GZIP file headers, because that was the filter list the log flagged as quarantining the message. There was just one problem: nothing resembling a GZIP file was attached to the message. The file causing the trouble was an image file with a .EMZ extension.

After a quick bing, I learned that a .EMZ file is a Microsoft Office image format known as Windows Compressed Enhanced Metafile, which uses GZIP for compression. It really is a GZIP file; in fact, you can open it with a compression tool and extract the .EMF file (Enhanced Metafile) inside. That is why a filter keyed on the GZIP file header matched it even though the .EMZ extension was not on the list.
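As an added example (not part of the original post), the following PowerShell classifies a file the way a header-based filter does, by its leading bytes rather than its extension, and then decompresses a GZIP member to see whether an EMF header is inside. The .emz sample it builds is constructed here, and Get-AttachmentKind is a hypothetical helper name.

```powershell
# Classify a file by content: GZIP magic bytes first, then look for an EMF header inside.
function Get-AttachmentKind {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Every GZIP member starts with the ID bytes 0x1F 0x8B; a GZIP header filter
    # keys on these, so a .EMZ file matches no matter what its extension says.
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x1F -and $bytes[1] -eq 0x8B) {
        $in  = New-Object System.IO.MemoryStream (,$bytes)
        $gz  = New-Object System.IO.Compression.GZipStream ($in, [System.IO.Compression.CompressionMode]::Decompress)
        $out = New-Object System.IO.MemoryStream
        $gz.CopyTo($out); $gz.Dispose()
        $inner = $out.ToArray()

        # An EMF file opens with an EMR_HEADER record (iType = 1) and carries the
        # ENHMETA_SIGNATURE 0x464D4520 (" EMF") at offset 40 of that record.
        if ($inner.Length -ge 44 -and
            [BitConverter]::ToUInt32($inner, 0)  -eq 1 -and
            [BitConverter]::ToUInt32($inner, 40) -eq 0x464D4520) {
            return 'EMZ (GZIP-compressed EMF)'
        }
        return 'GZIP (other content)'
    }
    return 'not GZIP'
}

# Constructed sample: a minimal 108-byte EMR_HEADER record, GZIP-compressed to a .emz file.
$emf = New-Object byte[] 108
[BitConverter]::GetBytes([uint32]1).CopyTo($emf, 0)            # iType = EMR_HEADER
[BitConverter]::GetBytes([uint32]108).CopyTo($emf, 4)          # nSize
[BitConverter]::GetBytes([uint32]0x464D4520).CopyTo($emf, 40)  # dSignature " EMF"

$emz = Join-Path ([System.IO.Path]::GetTempPath()) 'sample.emz'
$fs = [System.IO.File]::Create($emz)
$gz = New-Object System.IO.Compression.GZipStream ($fs, [System.IO.Compression.CompressionMode]::Compress)
$gz.Write($emf, 0, $emf.Length); $gz.Dispose(); $fs.Dispose()

Get-AttachmentKind $emz
```

Pointing the function at a quarantined attachment tells you whether the GZIP header entry fired because of a genuine archive or because of a compressed metafile, which is the distinction the filter log itself does not make.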

Mystery solved. Since the customer wanted to allow .EMZ files, the filter list entry for the GZIP header was removed from the main filter list; since they still wanted to block GZIP files, a new filter list was created to block GZIP files under their common file names.

1 comment:

Brian Geller said...

WTH, a quick "bing"? More like "google".