This discussion has been locked.

Attachments blocked by different extension

Hi

Most of the time when users try to send out mails with PowerPoint attachments (.pptx), the mails are being blocked because of file extension ".tmp".


Quarantine view:



Message view of a blocked mail:



The file was just a regular pptx file, and is mentioned as such in the message view, yet the antivirus recognized it as being a tmp file. Also, I used "most of the time" because when the problem was first mentioned to me, I tried sending a pptx file and that worked, so it's not a flat block of all pptx files. I also asked a user to forward me the mail with attachment (internally) and then tried forwarding this to an external address, and it got blocked 4 out of 5 times, so 1 actually went through.

Any ideas what might cause this behaviour? Something to do with the contents of the pptx file maybe? But then why doesn't it block 100% of the time for the same file?

Thanks in advance!


  • What does the SMTP proxy log say?
    How is your extension block list configured (screenshot)?

    ----------
    Sophos user, admin and reseller.
    Private Setup:

    • XG: HPE DL20 Gen9 (Core i3-7300, 8GB RAM, 120GB SSD) | XG 18.0 (Home License) with: Web Protection, Site-to-Site-VPN (IPSec, RED-Tunnel), Remote Access (SSL, HTML5)
    • UTM: 2 vCPUs, 2GB RAM, 50GB vHDD, 2 vNICs on vServer (KVM) | UTM 9.7 (Home License) with: Email Protection, Webserver Protection, RED-Tunnel (server)
  • SMTP log:

    2015:05:29-14:57:00 sophos-2 smtpd[6935]: SCANNER[6935]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="*** from="***" to="***" subject="test 1" queueid="1YyJqO-0001nr-6r" size="3699559" reason="ext" extra="tmp"
    2015:05:29-14:57:00 sophos-2 smtpd[6935]: SCANNER[6935]: 1YyJqJ-0001na-0s Sending 'Message delivery incomplete' notification to ***



    The block list is too long for a screenshot but this is an export of the list:

    7z;ace;ade;adp;app;asp;bas;bat;cab;cer;chm;cmd;com;cpl;crt;csh;der;exe;fxp;gadget;gz;hlp;hta;inf;ins;isp;its;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;plg;prf;prg;ps1;ps1xml;ps2;ps2xml;psc1;psc2;pst;rar;reg;scf;scr;sct;shb;shs;tar;tmp;url;vb;vbe;vbs;vbx;vsmacros;vsw;ws;wsc;wsf;wsh;xnk;zip
  • That looks like a bug, so please have your reseller submit a support request to Sophos.

    As a temporary work-around, you can create an Exception for 'Extension blocking' for mail originating from the IP of your server.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
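
To measure how often the extension filter fires and collect the queue IDs for a support case, the `email quarantined` lines in the SMTP proxy log can be grouped by their `extra` value. The following is an added example, not code from any poster or from Sophos; it assumes the line layout shown in the thread, and the host name, addresses, queue IDs, subjects and sizes in the sample are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# key="value" pairs as they appear in the SCANNER line quoted in the thread
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input: same layout as the thread's log, placeholder values.
SAMPLE_LOG = '''\
2015:05:29-14:57:00 gw-1 smtpd[6935]: SCANNER[6935]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="a@example.com" to="b@example.net" subject="test 1" queueid="AAAAAA-000001-01" size="3699559" reason="ext" extra="tmp"
2015:05:29-14:57:00 gw-1 smtpd[6935]: SCANNER[6935]: AAAAAA-000001-00 Sending 'Message delivery incomplete' notification to a@example.com
2015:05:29-15:02:41 gw-1 smtpd[7012]: SCANNER[7012]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="a@example.com" to="b@example.net" subject="test 2" queueid="BBBBBB-000002-02" size="3699559" reason="ext" extra="tmp"
2015:05:29-15:10:12 gw-1 smtpd[7100]: SCANNER[7100]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="a@example.com" to="c@example.org" subject="invoice" queueid="CCCCCC-000003-03" size="20480" reason="ext" extra="exe"
'''

def parse_event(line):
    """Return the fields of a SCANNER key="value" line, or None for other lines."""
    head, sep, rest = line.partition(" SCANNER[")
    fields = dict(PAIR.findall(rest))
    if not sep or "name" not in fields:
        return None  # e.g. the free-text notification lines
    fields["time"] = datetime.strptime(head.split()[0], "%Y:%m:%d-%H:%M:%S")
    return fields

def extension_blocks(lines):
    """Group quarantine events with reason="ext" by the extension in extra."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["name"] == "email quarantined" and ev.get("reason") == "ext":
            hits[ev.get("extra", "?")].append(ev)
    return dict(hits)

def report(hits):
    """Flatten to (extension, time, queueid, subject, size) rows, sorted by extension."""
    return [
        (ext, ev["time"].isoformat(sep=" "), ev.get("queueid"),
         ev.get("subject"), int(ev.get("size", 0)))
        for ext, events in sorted(hits.items())
        for ev in events
    ]

if __name__ == "__main__":
    for row in report(extension_blocks(SAMPLE_LOG.splitlines())):
        print(*row, sep="\t")
```

Repeated rows with the same size and subject but extension `tmp` are the pattern described in the original post: the same attachment quarantined on several attempts.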