Ummm... guys... as Ammo pointed out, "webmail attachments" are posted via a POST method in a form, often with ENCTYPE="multipart/form-data" and INPUT TYPE="file." About the easiest way to kill those is to setup a proxy and filter it (preferably a transparent proxy with something like squid (free) or Gauntlet or the like where all your web clients are forced through before they route to the Internet).

You might also be able to use something such as an "ad filter" (something like "AdSubtract" for example) and convince it that these tags are an "advertisement" that it needs to kill... problem there being that clients local to the end-luser's box can often be disabled or otherwise circumvented (hence the proxy idea).

...but, if someone really wants to get out of your network, there's not really sh*t you can do about it, save setting about user authentication for every outgoing connection... even with only web access or SSL (or SMTP or ident or... blah blah blah), there's basically nothing stopping me from setting up an encrypted TCP tunnel out of your network to another host where I can route or proxy requests out as I see fit... typically the way many of us get around HTTP filters or similar, anyway.

Hope this somehow helps...