{"id":778,"date":"2008-07-21T14:06:44","date_gmt":"2008-07-21T12:06:44","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/"},"modified":"2008-07-21T14:06:44","modified_gmt":"2008-07-21T12:06:44","slug":"free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/","title":{"rendered":"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent)"},"content":{"rendered":"

Keywords : microsoft exchange 2007 attachment size filtering quarantine block reject small zip files attached<\/span>
\nWhen messaging admins need to implement some sort of attachment filtering, they mostly think about antivirus products, or using transport rules in Exchange 2007.\u00a0 I have discovered that not a lot of antivirus products nor the Exchange 2007 built-in functionalities really allow a lot of flexibility when it comes down to filtering attachments based e.g. on attachment size.
\nSuppose you want to block individual zip files based on their size (e.g. block or quarantine zip files that are smaller than 60kb), then you will have a hard time doing this. While this may sound basic functionality, the reality is that not a lot of AV products can do this, or the products that can, are quite expensive.\u00a0 Most of the tools can take drop\/strip\/quarantine actions based on email size, but not on the individual attachment size.\u00a0 So if your policy states that you are not allowing zip files smaller than 60Kb, somebody could easily bypass this rule by sending 61 zip files of 1Kb...<\/p>\n

The tools that can perform this type of filtering may be too expensive for your budget.<\/p>\n

Big problem.\u00a0 Especially when you realize that some of the commercial tools have this feature available in earlier versions of Exchange, and Lotus Domino as well.\u00a0\u00a0 I had a call with the support center of one of these vendors 2 days ago, and they told me that they simply cannot implement this because of Exchange 2007...\u00a0 Can you imagine this ? Anyways, they\u2019ll probably fix it in the future, but I need the attachment filter today. Period.<\/p>\n

Anyways...\u00a0 to prove that they are wrong - no really, to fix my own problem (and perhaps your problem), for free, I decided to write my own Transport Agent for Exchange 2007.<\/p>\n

I wrote this tool over the weekend, so I have not been able to fully stress-test it, but it works just fine in my environment.<\/p>\n

Update \u2013 April 2009 \u2013 The attachment filter works fine on Exchange 2010 as well.<\/span><\/em><\/strong><\/p>\n

The tool consists of the following 4 major components :<\/p>\n

A. 2 mandatory dll's and 1 optional dll<\/strong><\/span><\/p>\n

Mandatory :<\/em>
\n- PVEExchAttachFilterTptAgent.dll : this is the transport agent that will take care of the attachment filtering.\u00a0 Every email that is processed by this dll will be stamped by a custom header entry called \"X-PVEExchAttachFilter\".\u00a0 Emails that already contain this header will not be processed by the Transport Agent. This ensures that we will be able to release emails from quarantine later on.\u00a0\u00a0 Of course, this also introduces a security risk. After all, if someone decides to craft a custom email from the internet to your network, already containing this header, that email would not get processed.\u00a0 That is why I have written another transport agent called \"PVEExchAttachFilterTptAgentCleanEdge\" (see later). You can put that second Agent on your Edge servers. This agent will simply remove the X-PVEExchAttachFilter from all emails.
\n- chilkatDotNet2.dll : this is the helper dll that will allow me to send emails etc<\/p>\n

These 2 dll's should be placed on the HUB server.<\/p><\/blockquote>\n

Optional :<\/em>
\n*\u00a0 PVEExchAttachFilterTptAgentCleanEdge.dll : this is the dll that will remove the custom X-header from all emails, and will stamp a new header called \"X-PVEExchStrippedAttachFilterHeader\" which is not used, but can be used by you in order to verify that the message has been processed by the agent.<\/p>\n

This dll should NOT be placed on the HUB server.\u00a0 This dll is only useful if you are using dedicated Edge servers.\u00a0\u00a0 If you are using a third party internet smtp relay, you should investigate whether you can implement Header entry removal on this relay.<\/p>\n

This dll does not require any configurations or rules. It only removes the header and that's it.<\/p><\/blockquote>\n

B. Attachment Filter Quarantine Management tool<\/span><\/strong><\/p>\n

PVEExchAttachFilterQuarantineManager.exe
\nThis standalone tool must be placed on every HUB server that has the Transport Agent.<\/p>\n

C. a set of folders and permissions on these folders(see later)<\/span> <\/strong><\/p>\n

D. configuration files (see later)<\/strong><\/p>\n

<\/strong><\/p>\n

<\/strong><\/p>\n

Before you can start to use the tool, your have to set up your environment.\u00a0 The following steps and the sequence of these steps are very important, so follow the guidelines carefully !<\/em><\/p>\n

1. Create the folder structure<\/h4>\n

Start with creating the following folder structure on your HUB server :<\/p>\n

\n
C:\\PVEAttachFilterAgent\nC:\\PVEAttachFilterAgent\\Log\nC:\\PVEAttachFilterAgent\\Bin\nC:\\PVEAttachFilterAgent\\Rules\nC:\\PVEAttachFilterAgent\\Config<\/pre>\n<\/div>\n
This drive and folder structure are currently hardcoded in the application. I may change this in the future, but until that happens, you must adhere to this convention.<\/p>\n
In addition to these folders, you must create another folder that will host the quarantined messages.\u00a0 This folder can be put anywhere on the system and can have any name. Let's assume that you will put the quarantine folder on drive D: and call it\u00a0 \"PVEAttachFilterQuarantine\"<\/p>\n
\n
D:\\PVEAttachFilterQuarantine<\/pre>\n<\/div>\n
2. Copy binaries and create configuration files<\/h4>\n
The rar file linked to this blog post contains the folder structure as indicated above. (You can download the file via the link at the bottom of this blog post).\u00a0 The \\bin folder contains 3 dll's and one exe file. You must put the following 3 files in the \\Bin folder :<\/p>\n
\"image\"<\/a><\/p>\n
The PVEExchAttachFilterTptAgentCleanEdge.dll should not be placed on the HUB server. This file must be placed on the Edge server.\u00a0 It is recommended to create a similar directory structure on your Edge servers and put the PVEExchAttachFilterTptAgentCleanEdge.dll file in the \\bin folder also.<\/p>\n
The rar file also contains a config folder.\u00a0 Extract the contents of this folder in the \/config folder.<\/p>\n
The folder should look like this :<\/p>\n
\"image\"<\/a><\/p>\n
The log and rules folders should be empty at this point. (They must exist though)<\/p>\n
The D:\\PVEAttachFilterQuarantine folder should be empty too at this point.<\/p>\n
Note : these files are template files.\u00a0 If you are updating the tool to a newer version, do NOT extract\/overwrite your own files with these files from the rar file. Otherwise, you will overwrite your own settings & templates with the default settings.\u00a0 All you need to do when updating is copying the new dll and exe files.<\/p>\n
3. Set Permissions<\/h4>\n
Before configuring the options and rules, you will have to set some permissions on the folder structures.<\/p>\n
The MS Exchange Transport service runs as \"Network Service\".\u00a0 Because we will plug the TransportAgent into the MSExchangeTransport engine, \"Network Service\" needs to have full access to the folder structures.<\/p>\n
Edit the security permissions for the C:\\PVEAttachFilterAgent folder and add Network Service, granting Full Control on this folder, all subfolders and all objects in the folders & subfolders.<\/p>\n
Do the same with the D:\\PVEAttachFilterQuarantine folder<\/p>\n
Before going on, verify that your folder structure is correct. Do not try to change your folderstructure, as this may break the application.<\/p>\n
4. Configuration (only applies to the HUB server \/ tpt agent)<\/h4>\n
4.1. Global Options<\/h5>\n
In the C:\\PVEAttachFilterAgent\\Config folder, open the file options.cfg<\/p>\n
This file has 2 options :<\/p>\n
\n
quarantinefolder=D:\\PVEAttachFilterQuarantine\nverboselogging=false<\/pre>\n<\/div>\n
Change the quarantinefolder setting if you have created the Quarantine folder elsewhere.<\/p>\n
Change verboselogging to true if you want to create log files.\u00a0 There will be one log file per week.\u00a0 Logfiles older than 6 months old should get deleted automatically.<\/p>\n
4.2. Notification options<\/h5>\n
In the same folder, open the notification.cfg file<\/p>\n
\n
;\n;\n;\nquarantine_notifyinternalsender=true\nquarantine_notifyinternalrecipient=true\nquarantine_notifyexternalsender=true\nquarantine_notifyexternalrecipient=true\nquarantine_notifyadmin=true\n;\nblock_notifyinternalsender=true\nblock_notifyinternalrecipient=true\nblock_notifyexternalsender=true\nblock_notifyexternalrecipient=true\nblock_notifyadmin=true\n;\n;\n;\nquarantine_subject=[Warning] Attachment filter has quarantined a message\nblock_subject=[Warning] Attachment filter has permanently removed a message\nstamp_subject=[Information] This email may contain dangerous attachment(s)\n;\n;\nnotifemail=do_not_reply@mydomain.com\nadmin=postmaster@mydomain.com\nsmtpserver=localhost\nsmtpport=25\n;\n;\ninternaldomains=mydomain.com,seconddomain.com<\/pre>\n<\/div>\n
Change the email addresses and internaldomains according to your environment. It is important to specify the internal domains, as this is a requirement for the tool in order to be able to distinguish internal and external senders and recipients.\u00a0 So if you have not defined internaldomains, the notification of external\/internal senders and recipients will not work.<\/p>\n
As you can see in this config file, the attachment filter has 3 actions :<\/p>\n
- stamp : which will just add some text to the subject of an email<\/p>\n
- quarantine : which will put the entire email in the quarantine folder (eml format) and remove the message from the queue<\/p>\n
- block : which will delete the mail from the queue.<\/p>\n
You will need these 3 action keywords when we start defining rules<\/p>\n
If you want to use the local HUB server to send the notification emails, make sure it accepts non-encrypted, anonymous connections for the local server. Otherwise, notification emails or quarantine releases won't work.<\/p>\n
4.3. Notification email templates<\/h5>\n
The config folder also contains some text files.\u00a0 The filename of these files are hardcoded in the application, so don't change them.<\/p>\n
These text files contain the body templates (html format) for the notification emails.\u00a0 You can use any html text in this file. The application will only stamp <html><body> at the top, and <\/body><\/html> at the bottom, so don't specify these tags yourself !<\/p>\n
Edit the files to change the text and email addresses.\u00a0 You may notice that the template contains some variables, which will be converted to live data when a notification email is sent.<\/p>\n
Make sure to keep the variable names in lower case<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Variable name<\/span><\/td>\nContent<\/span><\/td>\n<\/tr>\n
%from<\/span><\/td>\nOriginating sender of the email<\/span><\/td>\n<\/tr>\n
%to<\/span><\/td>\nComma separated list of recipients<\/span><\/td>\n<\/tr>\n
%subject<\/span><\/td>\nSubject of the email<\/span><\/td>\n<\/tr>\n
%timestamp<\/span><\/td>\nDate\/Time of the email<\/span><\/td>\n<\/tr>\n
%attachments<\/span><\/td>\nList of all attachments<\/span><\/td>\n<\/tr>\n
%violatingattachments<\/span><\/td>\nList of attachments that violated a filtering rule<\/span><\/td>\n<\/tr>\n
%policy<\/span><\/td>\nDescription of the filtering rule<\/span><\/td>\n<\/tr>\n
%guid<\/span><\/td>\nUnique ID - this corresponds to quarantined emails and will help the admin to find back the quarantined message<\/span><\/td>\n<\/tr>\n
%hostname<\/span><\/td>\nname of the server<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
4.4. Rules<\/h5>\n
Now we are ready to create rules and actions.\u00a0 These rules are text files that should be stored in the \\rules folder, and should have extension .rule<\/p>\n
Example rule file : (make sure to put the description text on one line)<\/p>\n
\n
description=It is not allowed to send small (less than 60Kb) compressed \n\n        files through the messaging system.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Small files shoud not be compressed. A lot of viruses use small \n\n        compressed files as a distribution mechanism.\n\nfilename=\nextension=zip,rar,tar,gz,ace,arj\nminsize=0\nmaxsize=61440\naction=quarantine\nexceptionfrom=peter.ve@telenet.be,peter.ve@corelan.be\nexceptionto=<\/pre>\n<\/div>\n
description <\/strong>: this is a description of the rule. If you use the %policy variable in the notification templates, this is the text that will be displayed. Keep in mind - if you are using the %policy variable, this text will be part of the html body. So try to avoid using html tags in this text (such as <, > etc).\u00a0 If you still want to use those tags, make sure to URL encode them (&gt; instead of >\u00a0\u00a0 &lt; instead of <\u00a0\u00a0 etc). Just make sure to keep everyting on one line.<\/p>\n
filename<\/strong> : this indicates the filename of part of the filename to trigger a rule. If you don't care about the filename, leave this empty.<\/p>\n
If you specify both a description and a filename, both parameters need to match in order to trigger the rule\u00a0 (AND operation).\u00a0 If you want to set up \"OR\" rule, you need to create multiple rules.<\/span><\/em><\/p><\/blockquote>\n
extension <\/strong>: this is the list of attachments to filter on.\u00a0 If one of the attachment extensions matches with one of these extensions, the rule will kick in<\/p>\n
minsize <\/strong>and maxsize <\/strong>can be used to look at specific sizes.\u00a0 You can set the minsize or maxsize to -1 if you don't want to use one of the two sizes.<\/p>\n
Examples :<\/p>\n
attachments < 60kb\u00a0 ->\u00a0 minsize=0\u00a0\u00a0 maxsize=61440<\/p>\n
attachments between 10kb and 40kb ->\u00a0 minsize=10240\u00a0\u00a0 maxsize=40960<\/p>\n
attachments larger than 500kb\u00a0 -> minsize =512000\u00a0 maxsize=-1<\/p>\n
action <\/strong>: this can be stamp, block or quarantine<\/p>\n
exceptionfrom <\/strong>: apply the rule, except when it is coming from one of these email addresses<\/p>\n
exceptionto <\/strong>: apply the rule, except when it is going to one of these email addresses<\/p>\n
Note : keep the fields and keywords in lower case !<\/p>\n
You can create multiple rules. If multiple rules apply to the same attachment, the strongest one will win.\u00a0 So if you have a rule that puts something in quarantine, and another rule that will block an email, and both rules apply to the same attachment, then the rule that blocks the email will win.<\/p>\n
Note : do NOT ever change config\/notification\/... or any other files while the agent is running. Stop the MSExchangeTransport service, make your changes, and start the service again. This is very important !<\/span><\/strong><\/p>\n
5. Install the agent<\/h4>\n
5.1. Installing the HUB server agent<\/h5>\n
Open Exchange Management Shell (Powershell) and run the following command :<\/p>\n
\n
install-transportagent -Name \"PVE Attachment Filter\"\n\n-TransportAgentFactory \n\n   \"PVEExchAttachFilterTptAgents.PVEExchAttachFilterTptAgentFactory\" \n\n-AssemblyPath \n\n   \"C:\\PVEAttachFilterAgent\\Bin\\PVEExchAttachFilterTptAgent.dll\"<\/pre>\n<\/div>\n
Close the Exchange Management Shell and open the Shell again. This is important. If you don't close the shell and open it again, the dll will stay locked and the installation procedure will fail<\/p>\n
Run the following command to enable the agent :<\/p>\n
\n
enable-transportagent -Id \"PVE Attachment Filter\"<\/pre>\n<\/div>\n
Restart MSExchange Transport service :<\/p>\n
\n
restart-service MSExchangeTransport<\/pre>\n<\/div>\n
Close the Exchange Management Shell and open event viewer.<\/p>\n
Make sure the service has started and does not throw any errors in the event log.\u00a0 If you see errors, make sure to verify the path structure, the permissions on all files and folders, and the contents of the configuration files.<\/p>\n
You can verify that the agent is installed and enabled by running the \"get-transportagent\" cmdlet in EMS<\/p>\n
5.2. Installing the \"Header Cleaning\" agent on the Edge server (optional)<\/h5>\n
Open Exchange Management Shell (Powershell) and run the following command :<\/p>\n
\n
install-transportagent -Name \"PVE Attachment Filter Header Cleaning\" \n\n-TransportAgentFactory \n\n        \"PVEExchAttachFilterTptAgentCleanEdge.PVEExchAttachFilterTptAgentCleanEdgeFactory\" \n\n-AssemblyPath \n\n       \"C:\\PVEAttachFilterAgent\\Bin\\PVEExchAttachFilterTptAgentCleanEdge.dll\"<\/pre>\n<\/div>\n
Close the Exchange Management Shell and open the Shell again. This is important. If you don't close the shell and open it again, the dll will stay locked and the installation procedure will fail<\/p>\n
Run the following command to enable the agent :<\/p>\n
\n
enable-transportagent -Id \"PVE Attachment Filter Header Cleaning\"<\/pre>\n<\/div>\n
Restart MSExchange Transport service :<\/p>\n
\n
restart-service MSExchangeTransport<\/pre>\n<\/div>\n
Close the Exchange Management Shell and open event viewer.<\/p>\n
Make sure the service has started and does not throw any errors in the event log.
\nYou can verify that the agent is installed and enabled by running the \"get-transportagent\" cmdlet in EMS<\/p>\n
6. Test and manage<\/h4>\n
You can now start sending emails and see if your filter rules work.
\nTest case : I have created a rule that will block small zip files. The rule file looks like this :<\/p>\n
\n
description=It is not allowed to send small (less than 60Kb) \n\n           compressed files through the messaging system.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Small files shoud not be compressed. A lot of viruses \n\n           use small compressed files as a distribution mechanism.\n\nfilename=\nextension=zip,rar,tar,gz,ace,arj,gzip,lzh,z_i_p,zip.renamed,rar.renamed,r_a_r\nminsize=0\nmaxsize=61440\naction=quarantine\nexceptionfrom=\nexceptionto=<\/pre>\n<\/div>\n
I have defined the notification config to notify the internal sender, and the administrator.\u00a0 My email account is also set as the admin email account, so I should get 2 emails when I sent out an email with an attachment that violates this rule.<\/p>\n
(Don't just copy & paste the contents of my rule file. You need to make sure the description is on 1 line only)<\/p>\n
Only a few seconds after sending my email, I received 2 emails : One to the internal sender, and one to the administrator<\/p>\n
\"image\"<\/a><\/p>\n
If a user forwards a Attachment filter message, asking to release this message, this is what needs to be done :<\/p>\n
First of all, because I have included the %guid variable in the notification template, I now can easily find back this email in the quarantine manager so I can release it. If you have not included this %guid variable in the email, you can still find back the email based on From:, To:, Subject: and Timestamp: fields<\/p>\n
On the server, open the \\bin folder, and launch the quarantine Manager. Either specify the guid in the Unique ID field, or just press the Load\/Refresh button (assuming that the Quarantine path is set correctly) and you should see the quarantined email.<\/p>\n
\"image\"<\/a><\/p>\n
If you doubleclick the email (or right-click and choose 'Quarantined email details', you will be able to see the email headers and the list of attachments<\/p>\n
\"image\"<\/a><\/p>\n
You can release the email, or - if the list with attachments is displayed, you can drop attachments from the list or save attachments to disk. Keep in mind, if you drop attachments from a signed or encrypted email, the signature\/encryption will be broken, and the email may become unusable...<\/p>\n
\"image\"<\/a><\/p>\n
When you release the email, the email will not being stopped again by the Transport Agent.<\/p>\n
Note : winmail.dat attachments are supported starting from v1.0.0.24, however it is my recommendation to make sure users don't sent Rich Text formatted emails. You can try to limit winmail.dat problems by changing the TNEF message format for messages sent to remote domain in Exchange : TNEF Conversion Options<\/a><\/p>\n
\"image\"<\/a><\/p>\n
The following cmdlets will help you determing whether you have set up your environment correctly<\/p>\n
\n
Get-RemoteDomain | FT DomainName, TNEFEnabled\nGet-Mailcontact | FT Name, UseMAPIRichTextFormat\n\nGet-MailUser | FT Name, UseMAPIRichTextFormat<\/pre>\n<\/div>\n
Adiitionally, you can set Outlook Mail format options (globally and per email) to use HTML or plain text as the default as well.<\/p>\n
7. Download the files<\/h4>\n
You can download the files here :
\n[download id=60]60[\/download]<\/p>\n","protected":false},"excerpt":{"rendered":"
Keywords : microsoft exchange 2007 attachment size filtering quarantine block reject small zip files attached When messaging admins need to implement some sort of attachment filtering, they mostly think about antivirus products, or using transport rules in Exchange 2007.\u00a0 I have discovered that not a lot of antivirus products nor the Exchange 2007 built-in functionalities … Continue reading \"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent)\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[488,349,127],"tags":[509,484],"class_list":["post-778","post","type-post","status-publish","format-standard","hentry","category-corelan-free-tools","category-exchange","category-security","tag-exchange","tag-free-tool"],"yoast_head":"\nFree tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent) - Corelan | Exploit Development & Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent) - Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Keywords : microsoft exchange 2007 attachment size filtering quarantine block reject small zip files attached When messaging admins need to implement some sort of attachment filtering, they mostly think about antivirus products, or using transport rules in Exchange 2007.\u00a0 I have discovered that not a lot of antivirus products nor the Exchange 2007 built-in functionalities … Continue reading "Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent)"\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2008-07-21T12:06:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/image-thumb16.png\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Free tool - Attachment filtering with Exchange 2007\\\/2010 (custom transport agent)\",\"datePublished\":\"2008-07-21T12:06:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/\"},\"wordCount\":2612,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/image-thumb16.png\",\"keywords\":[\"MS Exchange\",\"free tool\"],\"articleSection\":[\"Corelan Free Tools\",\"MS Exchange\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/\",\"name\":\"Free tool - Attachment filtering with Exchange 2007\\\/2010 (custom transport agent) - Corelan | Exploit Development & Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/image-thumb16.png\",\"datePublished\":\"2008-07-21T12:06:44+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/image-thumb16.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2008\\\/09\\\/image-thumb16.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/07\\\/21\\\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Free tool – Attachment filtering with Exchange 2007\\\/2010 (custom transport agent)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent) - Corelan | Exploit Development & Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/","og_locale":"en_US","og_type":"article","og_title":"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent) - Corelan | Exploit Development & Vulnerability Research","og_description":"Keywords : microsoft exchange 2007 attachment size filtering quarantine block reject small zip files attached When messaging admins need to implement some sort of attachment filtering, they mostly think about antivirus products, or using transport rules in Exchange 2007.\u00a0 I have discovered that not a lot of antivirus products nor the Exchange 2007 built-in functionalities … Continue reading \"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent)\"","og_url":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/","og_site_name":"Corelan | Exploit Development & Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2008-07-21T12:06:44+00:00","og_image":[{"url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/image-thumb16.png","type":"","width":"","height":""}],"author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent)","datePublished":"2008-07-21T12:06:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/"},"wordCount":2612,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/image-thumb16.png","keywords":["MS Exchange","free tool"],"articleSection":["Corelan Free Tools","MS Exchange","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/","url":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/","name":"Free tool - Attachment filtering with Exchange 2007\/2010 (custom transport agent) - Corelan | Exploit Development & Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/#primaryimage"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/image-thumb16.png","datePublished":"2008-07-21T12:06:44+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/#primaryimage","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/image-thumb16.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2008\/09\/image-thumb16.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2008\/07\/21\/free-tool-attachment-filtering-with-exchange-2007-custom-transport-agent\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Free tool – Attachment filtering with Exchange 2007\/2010 (custom transport agent)"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":17497,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/778","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=778"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/778\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=778"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=778"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=778"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}