I first had to break down the filter list into many filter lists with the following command.
    foreach ($a in (Get-FseFilterList -File -List "BlockFiles").FileType) {
        New-FSEFilterList -File -List $xyz -Item "*" -Filetype $a
    }
If you are familiar with Forefront Protection for Exchange, you know that its PowerShell commands aren't that great, and the above command created a bit of a mess: all of the filter lists were disabled and none of the action and notification settings were default, which wasn't what I wanted, so I had to click away in the graphical user interface a bit and then disable the larger filter list.
Once all the filter lists were ready, I resent the e-mail and, sure enough, it was blocked, but this time I knew that the attachment had GZIP file headers, because that is the filter list that the log flagged as quarantining the message. There was just one problem: there was nothing resembling a GZIP file attached to the message. The file that was causing the trouble was an image file with a .EMZ extension.
After a quick bing, I learned that a .EMZ file was a Microsoft Office image format known as Windows Compressed Enhanced Metafile, which uses GZIP for compression. It is really a GZIP file; in fact, you can open it with a compression tool to extract the .EMF file (Enhanced Metafile) inside.
Mystery solved. Since the customer wants to allow .EMZ files, the filter list entry for the GZIP header was removed from the main filter list, but since they still wanted to block GZIP files, a new filter list was created to block GZIP files under their common file names.
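The distinction above can also be checked from the content instead of the file name. The following is an added example, not part of the original post or of Forefront: it inflates the first bytes of a GZIP-headed attachment and tests for the EMF header. The function names and the sample bytes are hypothetical and constructed for illustration.

```powershell
# Added example (hypothetical helper names; sample bytes are constructed).
function Get-GzipPayloadType {
    param([Parameter(Mandatory=$true)][byte[]]$Bytes)
    # GZIP magic is 1F 8B, then compression method 08 (deflate).
    if ($Bytes.Length -lt 3 -or $Bytes[0] -ne 0x1F -or $Bytes[1] -ne 0x8B -or $Bytes[2] -ne 0x08) {
        return 'NotGzip'
    }
    $ms = New-Object System.IO.MemoryStream(,$Bytes)
    $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
    $head = New-Object byte[] 44      # enough to reach the EMF signature
    $got = 0
    try {
        while ($got -lt $head.Length) {
            $n = $gz.Read($head, $got, $head.Length - $got)
            if ($n -le 0) { break }
            $got += $n
        }
    } catch {
        return 'CorruptGzip'          # magic matched but the stream does not inflate
    } finally {
        $gz.Close(); $ms.Close()
    }
    if ($got -lt 44) { return 'OtherGzip' }
    # EMF starts with record type EMR_HEADER (1) and carries " EMF" at offset 40.
    $type = [BitConverter]::ToUInt32($head, 0)
    $sig  = [BitConverter]::ToUInt32($head, 40)
    if ($type -eq 1 -and $sig -eq 0x464D4520) { return 'Emz' }
    return 'OtherGzip'
}

# Helper used only to build the constructed samples below.
function New-GzipBytes {
    param([byte[]]$Payload)
    $out = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($Payload, 0, $Payload.Length)
    $gz.Close()
    return ,$out.ToArray()
}

# Constructed samples: a minimal EMF header and a plain-text payload, both gzipped.
$emf = New-Object byte[] 88
$emf[0] = 1
$emf[40] = 0x20; $emf[41] = 0x45; $emf[42] = 0x4D; $emf[43] = 0x46
$text = [Text.Encoding]::ASCII.GetBytes('constructed plain-text payload, padded past the 44-byte header read')

'{0} -> {1}' -f 'image001.emz', (Get-GzipPayloadType -Bytes (New-GzipBytes $emf))
'{0} -> {1}' -f 'notes.txt.gz', (Get-GzipPayloadType -Bytes (New-GzipBytes $text))
```

For a quarantined file on disk, pass `[IO.File]::ReadAllBytes($path)` as `-Bytes`.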
1 comment:
WTH a quick "bing" more like "google".