Content Filtering and Scanning Script

The following script is an event sink script that can do some basic content filtering, or report on or copy attachments in users' mailboxes. With some adaptation it can also be used to scan incoming and outgoing messages on an email server, or it could be combined with another script to do content searches through user mailboxes.

How it works

I have created a few versions of this script, adapted to perform different tasks. I'll start with the most basic form, the OnSave event sink script. This script is designed to be attached to a user's mailbox; it monitors all incoming email and copies any mail that arrives with certain types of attachments to a content monitor mailbox (in my example the monitor mailbox is called newb3).

As always, I've used a two-step approach to firing this event, which adds a layer of abstraction for the Exchange event sinks. My event sink code looks as follows:

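<SCRIPT LANGUAGE="VBScript">

Sub ExStoreEvents_OnSave(pEventInfo, bstrURLItem, lFlags)

' URL of the item whose save fired the event
Stm = bstrURLItem
set WshShell = CreateObject("WScript.Shell")
' Quote the URL so an item name containing spaces reaches cscan.vbs as a single argument
strrun = WshShell.run ("c:\evtsink\cscan.vbs " & Chr(34) & stm & Chr(34))
set WshShell = nothing
End Sub

</SCRIPT>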

This piece of code spawns a process that starts the main script and passes it the URL of the email that caused the event. This is the piece of code that is registered as an event sink.

Main Script cscan.vbs

The front end of this script processes the parameters sent to it by the event sink code. The next part of the script sets up the ADO parameters needed to copy mail into the monitor mailbox. Note that this mailbox must exist on the same information store as the mailboxes to which the event sink is attached. It's not possible to copy items across information stores, e.g. from a private mail store on one server to a private mail store on another server. You also cannot copy from a private information store to a public information store on the same server, so you must use a mailbox within the store you are doing content filtering on. (When thinking about messages, bear in mind that they contain pointers to attachments, not the attachments themselves, so if you were to copy a message from one store to another the attachment pointers on the message would no longer be valid.)

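' ADO connection through the Exchange OLE DB provider
Set Conn = CreateObject("ADODB.Connection")
Conn.Provider = "ExOLEDB.DataSource"
Set msgobj = CreateObject("CDO.Message")
' Inbox of the monitor mailbox (newb3); it must be in the same store as the monitored mailboxes
inbstr1 = "file://./backofficestorage/AD.man.net.au/MBX/newb3/Inbox/"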

The next part of the script uses CDO to open the message and then loops through any attachments on it. It uses some nested if statements to look at the last 4 characters of the attachment name to see whether they match a type you wish to monitor, e.g. .jpg. Note that the searches are not case sensitive (this is why the 1 is used in the instr statements). If a match is found, it saves the mail to the monitor mailbox's inbox. SaveToContainer is used because it ensures a unique URL name is generated for the mail that is saved to the monitor inbox. If this wasn't done and the event sink was attached to two mailboxes that received the same message, saving the second message under the same name would cause a problem. Some code is also used to ensure that a message with multiple attachments does not get saved multiple times to the monitor mailbox.

' inbstr is expected to hold the URL of the message that fired the event,
' as set by the front end of the script
msgobj.DataSource.Open inbstr
' cont becomes 1 once the message has been copied, so it is only saved once
cont = 0
Conn.Open inbstr1, ,3
For Each objAttachment In msgobj.Attachments
    If cont = 0 Then
        fatt1 = Len(objAttachment.filename)
        ' Start the search 4 characters from the end of the name
        fatt2 = fatt1 - 3
        ' InStr fails on a start position below 1, so clamp it for very short names
        If fatt2 < 1 Then fatt2 = 1
        If InStr(fatt2,objAttachment.filename,"AVI",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"MPG",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"JPG",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"BMP",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"GIF",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"PEG",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"VIE",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"MPE",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"ANI",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"MPZ",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"ASR",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"DVI",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"IMJ",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"M1V",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"QTM",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,".QT",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        ElseIf InStr(fatt2,objAttachment.filename,"ZIP",1) Then
            Set idsrc1 = msgobj.datasource
            idsrc1.savetocontainer inbstr1,conn
            cont = 1
        End If
    End If
Next
' Release the message only after every attachment has been checked;
' clearing it inside the loop would break the test of later attachments
Set msgobj = Nothing

If you want to extend the number of file types that the script scans for, just add more if branches for the extra extensions.
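A table-driven alternative to the InStr chain, added here as an example and not part of the original cscan.vbs: it compares the text after the last dot against a list of whole extensions, so a name such as navi, which the last-four-characters test would match on "AVI", is not flagged. The function names, the sample file names and the expansion of the PEG and VIE tests to jpeg, mpeg and movie are assumptions.

```vbscript
Option Explicit

' Added example: whole-extension matching for attachment names.
' The list follows the article's patterns; "jpeg", "mpeg" and "movie"
' are assumed expansions of its PEG and VIE tests.
Dim monitored, ext, sample
Set monitored = CreateObject("Scripting.Dictionary")
monitored.CompareMode = vbTextCompare   ' case-insensitive lookups
For Each ext In Array("avi", "mpg", "mpeg", "mpe", "m1v", "jpg", "jpeg", _
                      "bmp", "gif", "ani", "mpz", "asr", "dvi", "imj", _
                      "qtm", "qt", "movie", "zip")
    monitored.Add ext, True
Next

' Returns the lower-cased text after the last dot, or "" if there is none.
Function AttachmentExtension(fileName)
    Dim trimmed, dotPos
    trimmed = Trim(fileName)
    ' Drop trailing dots and spaces so "a.zip. " is treated like "a.zip"
    Do While Right(trimmed, 1) = "." Or Right(trimmed, 1) = " "
        trimmed = Left(trimmed, Len(trimmed) - 1)
    Loop
    dotPos = InStrRev(trimmed, ".")
    If dotPos = 0 Then
        AttachmentExtension = ""
    Else
        AttachmentExtension = LCase(Mid(trimmed, dotPos + 1))
    End If
End Function

' True when the attachment name ends in one of the monitored extensions.
Function IsMonitored(fileName)
    IsMonitored = monitored.Exists(AttachmentExtension(fileName))
End Function

' Constructed sample names, not taken from any real mailbox
For Each sample In Array("holiday.JPG", "clip.mpeg", "archive.zip. ", _
                         "notes.txt", "navi", "README")
    WScript.Echo sample & " -> " & IsMonitored(sample)
Next
```

Run it with cscript //nologo to see the result for each sample name. In cscan.vbs, a call to IsMonitored(objAttachment.filename) would take the place of the InStr tests, and a new file type is then one more entry in the array.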

Registering this script

For details on installing and registering this script, see my previous article, Using VBS Event Sink scripts with the Web Storage System, or search the ESDK for regevent.vbs.

Extending the script

This script is written to work as an OnSave event sink. With very few adjustments it could also be used as an SMTP event sink that monitors all incoming and outgoing messages. Instead of copying messages as I have done in this code, you could add lines that delete certain messages, or attachments from the message. However, if you are going to be doing blanket blocking of attachments, I would suggest that you are far better off using the attachment blocking features built into most antivirus products, because you will achieve much greater performance from these. If you do want to use code on a production system, it's recommended that you port the code to a VB DLL or C++, which gives much greater performance than VB scripts. See my other article for tips on doing this.

© Copyright Pro Exchange, Inc., 2006