Thursday, 21 August 2014

Dealing with exchange and small zips containing viruses using transport rules

I have a number of client who often fall for the "Please pay this invoice. Open attached file" type of email. They get it, open it and are then infected with a virus.

A lot of these type of mails seem to slip through spam and AV services, therefore following a suggestion elsewhere I've created the below guide to filter out small attachments. The logic is that generally only larger files get zipped, so if its really small chances are it's a virus.

I understand that this is not always the case - some people zip to password protect and you could add a section to the rule to allow emails from certain addresses always through or certain file names etc. The below is a basic set of guides to follow to setup a filtering system that will move small zips/rars/whatever you want to a different location.

1: Start by making an email address for all the crud to go to - occasionally it may be legitimate and you may need to take a look at it.
2: I made a mail enabled public folder and gave access rights to certain people just in-case something sensitive ended up in there
3: Once made, it's time to head over to the exchange management console
4: Go to Organisation Configuration, Hub Transport and then Transport Rules
5: Create a new Transport Rule, I called mine as below (for when I forget what it was for!)
Name: Small Attachment Spam
Comment: Catches spam by looking for small attachments (ie zips) and moves them to an alternative email

6: Leave the Rule enabled and click next
7: From the list of conditions select "When any attachment file name matches text patterns" and tick it
8: From the same list, also select "When the size of any attachment is greater than or equal to limit"

Double check what you have ticked! If it doesn't work later its because you've most likely selected the wrong option here as there are a few named very similar things

9: Click on the first rule in the second section down (Where is says Apply rule to message when any attachment file matches"
10: In the list, enter your file extensions. I included the dot, so my list contains:
.zip
.exe
.scr
.rar

11: You should see the "and when the size of an attachment is greater than or equal to 0B" in the list below too - leave this set to 0.
12: Click next
13: Scroll down to near the bottom of the list and this time select "Redirect the message to addresses"
14: In the section underneath, click redirect message to addresses 
15: Add the address we created earlier. If you don't want to redirect it you can select a different option such as "Delete the message without notifying anyone".
16: Click next again
17: From the list select "Except with the size of any attachment is greater than or equal to limit"
18: From the lower half, click on except when the size of any attachment is greater than or equal to 0B
19:  Depending on the client this amount changes - if its someone who may send small zips I make it quite small. If its a client who never sends or receives zips then I'll set it as high as 100kb.
20: Click OK
21: Click Next and then Click New

That's it - your rule is now live on the system. This is just a basic example, you can add more to the rule and get it to do a number of other things but this should certainly be a good start.

Cheers