Overview
The HTML Sanitizer is one of the EmailSecurity filters. It blocks unwanted email content by scanning the email body and attachments and removing any scripting code they contain.
The engine checks the HTML message body of every processed email and strips any HTML that contains malicious code, while preserving the format of the message even after the scripts have been removed.
HTML Sanitizer also allows certain emails to be excluded from sanitizing: customers can whitelist an individual email address or an entire domain.
The next sections describe how this filter works as well as how to configure it.
Introduction
The HTML Sanitizer filter removes all scripting code from the HTML of emails and attachments (*.htm/*.html only). Content, layout, and formatting are not altered. Emails scanned by this filter are guaranteed to be received free of HTML scripting code and are therefore safe for viewing.
The HTML Sanitizer identifies and removes scripting code within the email body and attachments by scanning:
- the body of emails whose MIME type is set to "text/html"
- all attachments of type .htm or .html
The information used by the HTML Sanitizer engine is found in \GFI\MailEssentials\EmailSecurity\Data\scrubconfig.xml. This file contains all the information on the allowed tags. The XML file has two main sections: the '<allowed>' section, which lists the tags allowed in an HTML email together with the attributes allowed for each tag, and the '<lut>' section, which lists the value types that an attribute can have.
There is a hardcoded limit of 10MB on the size of files processed by the HTML Sanitizer. Larger files are not processed by the filter.
We will now discuss the following topics in more detail:
Description
Configuring the HTML Sanitizer
- Log on to the MailEssentials Configuration and navigate to GFI MailEssentials > Email Security > HTML Sanitizer.
- Enable the HTML Sanitizer by selecting the Enable the HTML Sanitizer checkbox.
- Select the direction of emails to scan:

Option | Description
---|---
Scan inbound SMTP emails | Scan and sanitize HTML scripts from all incoming emails.
Scan outbound SMTP emails | Scan and sanitize HTML scripts from all outgoing emails.

- Click Apply.
HTML Sanitizer Whitelist
The HTML Sanitizer Whitelist can be configured to exclude emails received from specific senders.
Note: To exclude specific IP Addresses or domains, use the HTML Sanitizer Domain\IP Exclusions feature.
To manage senders in the HTML Sanitizer Whitelist:
- Navigate to Email Security > HTML Sanitizer and select the Whitelist tab.
- In Whitelist entry, key in an email address, an email domain (for example, *@domain.com), or an email sub-domain (for example, *@*.domain.com) and click Add.
- Note: To remove an entry from the HTML Sanitizer whitelist, select an entry and click Remove.
- Click Apply.
HTML Sanitizer Domain\IP Exclusions
The HTML Sanitizer Domain\IP Exclusions feature enables administrators to specify IP addresses or domains to exclude from the HTML Sanitizer. The list is not limited to IP addresses: it also accepts domain names, which are resolved at runtime so that all the IP addresses belonging to the domain in question are obtained. This is done in two ways:
- By default, the feature queries the MX records of the domain being processed.
- Optionally, you can choose to have the SPF record of the domain queried. If the domain does not have an SPF record, the SPF part is ignored and only the MX records are used.
If the IP address from which the email originated (the host that delivered it to the perimeter server) is listed in the Domains\IPs exclusions tab, or was resolved from a domain in that list (via its MX records and, optionally, its SPF record), then the email is not processed by the HTML Sanitizer.
To manage entries in the HTML Sanitizer Domain\IP Exclusions list, follow the steps below:
- Navigate to Email Security > HTML Sanitizer and select the Domain\IP Exclusions tab.
- Key in the domain or IP address to exclude and click Add.
- Note: To remove an entry from the HTML Sanitizer Domain\IP Exclusions, select the entry and click Remove.
- Optionally, select Query the SPF records of the specified domains for the list of the servers to exclude.
- Click Apply.
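The exclusion decision described above (literal IP match, domain resolved through its MX records, and optionally through its SPF record, with a missing SPF record simply ignored), as an added Python example that is not part of GFI MailEssentials. DNS answers are constructed in-line instead of queried, and the SPF parsing handles only ip4/ip6 mechanisms, which is an assumption since the page does not say which mechanisms the product evaluates.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: the real filter queries DNS).
FAKE_MX = {"partner.example": ["mx1.partner.example", "mx2.partner.example"],
           "nospf.example": ["mx.nospf.example"]}
FAKE_A = {"mx1.partner.example": ["203.0.113.10"], "mx2.partner.example": ["203.0.113.11"],
          "mx.nospf.example": ["192.0.2.20"]}
FAKE_TXT = {"partner.example": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all"]}

def mx_lookup(domain): return FAKE_MX.get(domain, [])
def a_lookup(host): return FAKE_A.get(host, [])
def txt_lookup(domain): return FAKE_TXT.get(domain, [])

def mx_ips(domain):
    """Default behaviour: every address of every MX host of the domain."""
    return {ipaddress.ip_address(a) for host in mx_lookup(domain) for a in a_lookup(host)}

def spf_networks(domain):
    """Optional behaviour: ip4/ip6 networks from the SPF record; empty when the domain has none."""
    nets = set()
    for rec in txt_lookup(domain):
        if not rec.lower().startswith("v=spf1"):
            continue
        for term in rec.split()[1:]:
            term = term.lstrip("+")
            if term.startswith(("ip4:", "ip6:")):
                nets.add(ipaddress.ip_network(term[4:], strict=False))
    return nets

def is_excluded(sender_ip, exclusions, query_spf=False):
    """True when the connecting IP equals a listed IP, or an MX (and optionally SPF) address of a listed domain."""
    ip = ipaddress.ip_address(sender_ip)
    for entry in exclusions:
        try:
            if ip == ipaddress.ip_address(entry):
                return True
            continue                      # literal IP entry that did not match
        except ValueError:
            pass                          # not an IP literal, so resolve it as a domain
        if ip in mx_ips(entry):
            return True
        if query_spf and any(ip in net for net in spf_networks(entry)):
            return True
    return False

if __name__ == "__main__":
    excl = ["192.0.2.5", "partner.example", "nospf.example"]
    print(is_excluded("203.0.113.10", excl))                  # True: MX address of partner.example
    print(is_excluded("198.51.100.7", excl))                  # False: only in SPF, SPF not queried
    print(is_excluded("198.51.100.7", excl, query_spf=True))  # True
    print(is_excluded("192.0.2.21", excl, query_spf=True))    # False: nospf.example has no SPF record
```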