What to do if Barracuda Anti-Spam is Blocking Office 2007 Attachments?

I support several Barracuda Anti-Spam servers and have been very happy with them.

However, one annoying problem has crept up since Office 2007 was released. Since Office 2007 uses zip compression to embed information in document files, my zip blocking was blocking otherwise legitimate attachments from passing through the filter.

The fix was simple enough...

On the page that controls attachment blocking [Block/Accept] [Attachment Filtering], you can enter which types of attachments you want to block (exe, bat, lnk, etc.).

I had gotten in the habit of adding 'zip' to the list of blocked attachments (zip files files can carry all sorts of nasty payloads) back when I started using the Barracuda about 5? years ago. This was before Office 2007 became popular.

It turns out that Office 2007 files (docx, pptx, xlsx, etc.) contained compression technology and they end up getting blocked. Over the last few years, I've gotten pretty tired of explaining to people that they can't send compressed files, even though they are just Office files, and that they had to ask the sending user to save the files in a compatible Office 2003 format. Of course, most users don't understand this and still want the files to pass through, regardless of any security implications. I was unwilling to back down and allow zip files to pass through.

Well, I happen to be doing something else when I landed on this particular configuration page and read the fine print (help text) for the "Blocked Attachment File Extensions:" option on the Barracuda:

Use the file extension preceded by a period (example: .exe) to block emails with attachments with that file extension. Use ONLY the file extension without a period (example: exe) to block attachments of that file type. In this example, files that are executable but are not named with the ".exe" file extension would be blocked.

Well, duh!

I simply added the '.' to the 'zip' so that it now reads '.zip' and I'm only blocking the file attachments named *.zip, not anything that happens to have some compression it in.

Now maybe the users and I will both be happy!

(Note: there is still a security risk that a bad zip payload with a fake extension like '.zzz' will pass through and the bad guy could ask the user to save and rename the file, but the likelyhood of a user being able to follow those directions is a fairly low risk and the benefit of passing Office 2007 file formats clearly outweighs my concern about this happening.)