Exchange : PDF Attachment Inspection in Exchange 2010 using Transport Rules and Adobe PDF iFilter 9


The scope of this article is to show you how you can  inspect emails with attachments that are containing unappropiate words and send a custom delivery status notification (DSN).

Exchange 2010 can perform attachment inspection only for the following file types :

.ascx .asm .asp .aspx .bat .c .cmd .cpp .cxx .def .dic .doc .docx .dot
.h .hhc .hpp .htm .html .htw .htx .hxx .ibq .idl .inc .inf
.inx .js .log .m3u .mht .odc .one .pl .pot .ppt .pptx .rc
.reg .rtf
.stm .txt .url .vbs .wtx .xlc .xls .xlsb .xlsx .xlt .xml .zip

The list can be found under the registry key:


As you can see PDF is not listed above so email with attachments of this type containing unappropiate words will be allowed.

Initial Setup – Creating the transport rule for attachment inspection :

1.Define the custom DSN system message that will be sent ( only for internal mailflow )

New-SystemMessage -DsnCode 5.7.998 -Language en -Internal $true -Text "Custom DSN : The attachment contains unappropiate words"

2.Create the transport rule

New-TransportRule -Name 'AttachmentInspection' -Comments '' -Priority '0' -Enabled $true -AttachmentContainsWords 'fuck' -RejectMessageReasonText 'The attachment contains unappropiate words' -RejectMessageEnhancedStatusCode '5.7.998'

Now the rule for attachment inspection has been.

Configuring PDF inspection :

1.Install the Adobe PDF iFilter on the hub transport server

2.Check if the CLSID registry key was created ( using PS or regedit.exe ) :

cd HKCR:
cd .\CLSID
Get-ChildItem -Name "{E8978DA6-047F-4E3D-9C78-CDBE46041603}"


* The HKEY_CLASSES_ROOT drive must be created for the above to work as follows

New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT


3.Create a new registry key under


with the same name as the CLSID found earlier

cd HKLM:\Software\Microsoft\ExchangeServer\v14\MSSearch\CLSID

New-Item -Name "{E8978DA6-047F-4E3D-9C78-CDBE46041603}" -Force


4.Set the value of the newly created key to the path of PDFFilter.dll file

Set-Item -Path ".\{E8978DA6-047F-4E3D-9C78-CDBE46041603}" -Value "C:\Program Files\Adobe\Adobe PDF iFilter 9 for 64-bit platforms\bin\PDFFilter.dll"


5.Create a new key under

HKLM\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters with the name of the pdf extension. The value of this key will be the CLSID of the IFilter from above

cd HKLM:\Software\Microsoft\ExchangeServer\v14\MSSearch\Filters
New-Item -Name ".pdf" -Force
Set-Item -Path ".pdf" -Value "{E8978DA6-047F-4E3D-9C78-CDBE46041603}"


6.Grant to NETWORK SERVICE account read permissions account for Filters and CLSID


7.Restart the MS Exchange Transport service

Restart-Service msexchangetransport

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s