Attachment blocking domain level vs user level
Question asked by Jay Altemoos - 12/27/2016 at 3:45 PM
Good afternoon everyone. What takes precedence, domain level vs user level. The reason I ask is because ZIP attachments with potential viruses are creeping through. My fear is that a user may open one of those and launch cryto-locker or some variant on their machine.
So what I wanted to do is block ZIP attachments on the domain level but setup a rule for a few users to allow ZIP attachments because they do occasionally need to get them from their customers / suppliers. So my question is this, if I block the ZIP attachment at the domain level and then setup a rule on the user level to allow the attachment, will the ZIP attachment be allowed to those users I specify? Or do I have to write a rule for each user and omit the select few I need to allow ZIP files for? Any ideas?

1 Reply

Reply to Thread
Jay Altemoos Replied
I figured out how to get this to work the way I wanted to this morning. So if anyone else needs this same type of scenario, here's how I handled it:
1. Navigate to Domain -> Filtering -> Content Filtering
2. Create a new rule for that domain
3. Specify "To specific addresses" and "Specific extension"
4. Click next and on the next page make sure "AND" is selected ( I also use the "enable wildcards" feature )
5. In the "To Address" box type in all the email addresses you want to have the file extension blocked for. Leave out the ones that need to get the file extension. ( Make sure the drop down box says "Matches")
6. In the "Attachments" box fill in the file extensions you want to block. ( Make sure the drop down box says "Matches")
7. Click next.
8. Name the rule you just created and select the appropriate handling of the message. ( In my case I chose "Delete Message")
9. Save the rule.
Now going forward any emails being delivered the the specified users and has the attachment you blocked will now be deleted. So in my case I wanted to block all zip attachments for the specified users and allow the zip attachments for the users I don't have in the list.
Looking over the rule set and testing on my side it appears the Domain rule set takes precedence and then looks down to the user level to see if there's any additional filtering that needs to be done. So blocking at the domain level would delete the email regardless what I specified on the user content filtering.

Reply to Thread