Attachment blocking by size does not match MTA behavior

book

Article ID: 159824

calendar_today

Updated On:

Products

Data Loss Prevention Network Prevent for Email

Issue/Introduction

When you configure a policy to block attachments above a certain size, you notice that some messages are allowed by Prevent that would be blocked by the SMTP MTA.

Resolution

When binary attachments are sent via email, the SMTP client must encode them in a format that is compatible with a text-based medium such as email. The process for doing so is called MIME, and the most common encoding scheme is Base64. The encoding process for Base64 increases the size of the transmitted data by roughly 37 percent.

MTAs that impose size limits calculate them based on the overall size of the message after MIME encoding. However, DLP extracts the content into its native format before determining the size. So, for example, if a DLP policy is set to block attachments over 30MB in size, and the MTA downstream of the DLP server also blocks messages over that size, then a message with a 25MB attachment would be allowed by DLP, and then blocked by the MTA (because its size after encoding is 25 x 1.37 = 34.25MB).

To use DLP to avoid sending attachments that would be blocked, you would need to compensate for this effect by setting the policies to block attachments of a smaller size.