Carbonwind.net

 07.02.2011
Application Control with Forefront TMG 2010 - Block Attachment Downloads from Webmail (Yahoo, Gmail, Hotmail)


Below we provide a signature for TMG's HTTP filter that blocks attachment downloads from webmail services (such as Yahoo, Gmail and Hotmail) accessed through a browser.
The HTTPS Inspection feature of Forefront TMG 2010 must be enabled and configured.
We are assuming that users do not tunnel their traffic through proxies (you can prohibit that with TMG's URL Filtering feature) and that an access rule is in place allowing users only HTTP/HTTPS access (so that tunneling over SSH and the like is denied).

A single general signature can be used for the three popular webmail services (Yahoo, Gmail, Hotmail); see Figure1, Figure2 and Figure3.
These images show what the three have in common: the server's HTTP response includes the Content-Disposition header containing the "attachment" value.


Figure1: Yahoo webmail browser request and server response for attachment download


Figure2: Gmail webmail browser request and server response for attachment download


Figure3: Hotmail webmail browser request and server response for attachment download

Note that we could, for example, also customize a signature for each webmail service to block the browser's request (perhaps in another article).

We use TMG's HTTP filter to block an HTTP response containing such a header; see Figure4:


Figure4: TMG's HTTP filter signature to block webmail attachment download

To limit possible false positives (downloads from other sites might get blocked, for example), you can limit the destinations to which the signature applies (see Figure5: a domain name set was created with the names needed; alternatively, you can use TMG's URL Filtering categories) and/or the users to which it applies.


Figure5: Limit the domains to which the rule applies

Note that, for example, inline images added within an email from Yahoo mail will not be blocked by the above signature. It may be possible to block such images too: say, if a user has chosen not to show images from remote locations by default and clicks the show button, we can have TMG's HTTP filter block this request.
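
The rule described above, modelled in Python as an added example (not code from the original article and not TMG's own logic): it applies the "attachment" signature to the Content-Disposition response header only for destinations in a domain set, and shows why an inline image is not caught. The domain names and sample responses are constructed, and treating the signature as a case-insensitive substring search of the header value is an assumption.

```python
from email.parser import HeaderParser

# Constructed domain name set standing in for the one in Figure5.
WEBMAIL_DOMAINS = ["*.webmail.example", "attachments.mail.example"]
SIGNATURE = "attachment"  # value searched for in Content-Disposition

# Constructed sample server responses (header block only).
ATTACHMENT = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: application/pdf",
    'Content-Disposition: attachment; filename="report.pdf"',
    "", ""])
INLINE_IMAGE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: image/png",
    'Content-Disposition: inline; filename="logo.png"',
    "", ""])


def in_domain_set(host, domain_set=WEBMAIL_DOMAINS):
    """True if host matches an entry; '*.' entries match any subdomain."""
    host = host.lower().rstrip(".")
    for entry in domain_set:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def would_block(host, raw_response_headers):
    """Model of the rule: destination in the set AND signature in the header."""
    if not in_domain_set(host):
        return False  # rule does not apply, so the signature is never evaluated
    # Drop the status line, then parse the remaining header block.
    _, _, header_block = raw_response_headers.partition("\r\n")
    headers = HeaderParser().parsestr(header_block)
    values = headers.get_all("Content-Disposition", [])
    return any(SIGNATURE in value.lower() for value in values)


if __name__ == "__main__":
    print(would_block("dl.webmail.example", ATTACHMENT))        # attachment download
    print(would_block("dl.webmail.example", INLINE_IMAGE))      # inline image
    print(would_block("downloads.vendor.example", ATTACHMENT))  # outside the set
```
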