MozillaZine

Message filter for xlsm attachment not working

User Help for Mozilla Thunderbird
david835
 
Posts: 19
Joined: May 5th, 2014, 6:06 am

Posted October 26th, 2020, 9:49 am

I want to delete incoming email that has .xlsm (Excel macro) file attachments. This seems to be a favorite way to deliver malware.

I tried this:

Create new category (search category > Customize) for message header Content-Type

then

* Apply filter when: new mail, manually
* Match all following
* Content-Type contains application/octet-stream
* Content-Type contains .xlsm
* Perform actions: delete

but it doesn't do anything.

The beginning of the attachment is as follows:

------_BLV--2UI2XgAtCRIaJblLQQsvI4ZFz2N0XEiTLNK0HITh8U
Content-Type: application/octet-stream; name="721248717_20201026.xlsm"
Content-Transfer-Encoding: base64

david835
 
Posts: 19
Joined: May 5th, 2014, 6:06 am

Posted October 26th, 2020, 9:56 am

I just found https://superuser.com/questions/756791/ ... rbird-24-5 , which claims that MIME information is not available when Thunderbird does its message filtering. Can this please be fixed? I'd like to be able to filter out messages with certain attachments, because they are malware.

tanstaafl
Moderator
 
Posts: 47159
Joined: July 30th, 2003, 5:06 pm

Posted October 26th, 2020, 3:47 pm

AFAIK MIME information is still available when filtering if you configure Thunderbird correctly beforehand. I've used filters to test if a message has a PDF file attachment in the past, for example. You need to enable filtering the body if you use an IMAP account, and also add custom headers for the desired headers. Thunderbird filtering only "knows" about a few headers by default.

http://kb.mozillazine.org/Message_Filte ... ssage_body
http://kb.mozillazine.org/Custom_headers

As an aside, if a message has an attachment with Content-Type: application/octet-stream that normally means the sender made a mistake that prevented the email message from identifying what type of file it is. You are supposed to look at the Content-Type: header, not the filename, to determine what type of file it is.

What many of those bug reports such as https://bugzilla.mozilla.org/show_bug.cgi?id=105169 are requesting is a high level solution that doesn't require the user to understand MIME headers or do any prep. Unfortunately that's not on anybody's radar. The engineering manager just announced the 90 +++ Roadmap and it is ambitious, but the closest it seems to have to what you want is "filtering to folders, autodetect lists and offer to set up". However, they are planning on rewriting all of the filter support in JavaScript so you never know what unplanned extra features might occur as a side effect.
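
Added example, not part of the original thread and not Thunderbird's own code: a Python check showing why a filter on the message's own Content-Type header misses the attachment line quoted in the first post, and what a per-part check looks like. The sample message is constructed around the part headers from that post (top-level multipart/mixed is an assumption), and the function names are hypothetical.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: only the attachment part's headers come from the thread.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

See attached.
--BOUNDARY
Content-Type: application/octet-stream; name="721248717_20201026.xlsm"
Content-Transfer-Encoding: base64

UEsDBA==
--BOUNDARY--
"""

BLOCKED_EXTENSIONS = (".xlsm",)


def top_level_header_matches(raw, needle):
    """What a header-only 'Content-Type contains ...' rule can see."""
    msg = message_from_string(raw, policy=default)
    return needle.lower() in str(msg["Content-Type"]).lower()


def blocked_attachments(raw, blocked=BLOCKED_EXTENSIONS):
    """Walk every MIME part and report leaf parts whose filename is blocked."""
    msg = message_from_string(raw, policy=default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no file of their own
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter, which is all this sample has.
        name = (part.get_filename() or "").strip()
        if name.lower().endswith(blocked):
            hits.append((name, part.get_content_type()))
    return hits


if __name__ == "__main__":
    print(top_level_header_matches(SAMPLE, ".xlsm"))  # header-only view
    print(blocked_attachments(SAMPLE))                # per-part view
```

The attachment's Content-Type line sits inside the message body as a MIME part header, so only a check that reads the body (or walks the parts) can see the .xlsm name.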
