How to globally filter specific SMTP messages
Article ID: 159758
Updated On:
Products
Issue/Introduction
This can be useful when certain emails sent to internal domains should be excluded from detection.
Environment
DLP 15.8+ (Email Prevent and Network Monitor)
Resolution
An option is global SMTP filter.
Creating a global SMTP filter:
- Login as Administrator
- Go to System > Settings > Protocol
- Click on the SMTP protocol
- Expand "Filtering (may override at server level)" and go down to section "L7 recipient filter" where you can enter the filter.
+ means include ( and drop)
- means exclude (and drop)
* means drop
Assure the services are restarted after making any changes to the Protocol.
Example:
Sender: [email protected]
To drop this sender the following syntax should used:
[email protected], +*@example.com, *
The following syntax is incorrect as everything after *.example.com will be dropped.
+ *.example.com, [email protected]
NOTE: L7 filters only affect network monitor servers.
Please also note: For SMTP the following applies.
-
L7 Sender Filter: Any sender email (for SMTP/MSN IM) or IP addresses (for UTCP), proxy-authenticated user names (for proxied HTTP/FTP), or user names (for AIM/Yahoo IM) to be evaluated
- L7 Recipient Filter: Any recipient email (for SMTP/MSN IM/FTP) or IP addresses (for UTCP), user names (for Yahoo IM/AIM), or URLs (for HTTP) to be evaluated
You can use filters to include (inspect) or exclude (ignore) messages from specific senders and/or to specific recipients.
The specific filter syntax depends on the protocol.
For example, for email addresses, you can use wildcards anywhere in the filter string:
*@example.com - matches all email to/from example.com
*.example.com - matches all email to/from any subdomains of example.com
*example.com - matches all email to/from any email address ending in example.com.
phil@<somedomain>.com - matches all email to/from [email protected].
You can add the following symbols to modify sender or recipient filters:
|
Plus sign (+) |
Any email address mask preceded by a plus sign (+) keeps matching messages for inspection. For example, if you add the sender filter +*@example.com, all messages sent from anyone in the example.com domain are inspected. |
|
Minus sign (-) |
Any email address mask preceded by a minus sign (-) excludes matching messages from inspection. For example, if you add the recipient filter -*@example.com, all messages sent to anyone in the example.com domain are not inspected. |
|
Asterisk (*) |
If you add an asterisk (*) to the end of the filter expression, any message not explicitly matching any of the filter masks is ignored. For example, if you add the sender filter +*@example.com,*, all messages from anyone in the example.com domain are inspected, but all other messages are ignored. |
The order in which filters are evaluated is from left to right.
For example, if you add this recipient filter all messages sent to [email protected] are ignored, and all messages sent to anyone in the example.com domain are inspected. (The last asterisk tells the filter to ignore all other messages.)
[email protected], +*@example.com,*,
In this example, if the sender filter for a particular message evaluates as "inspect" and the recipient filter evaluates as "ignore", in the case of conflicting sender and recipient filters, the message result in such a case is ignored.
If you add multiple exclusion masks to a recipient filter, all message recipients must match any of the exclusion masks for the message to be excluded.
For example, if the recipient filter is all messages sent to example.com and <anotherdomain>.com, domains are ignored; however, messages sent to either example.com or <anotherdomain>.com (but not both) are inspected.
If messages have any additional recipients in other domains, the messages are inspected.
-*@example.com, -*@<anotherdomain>.com
You can monitor messages sent from the example.com domain but ignore message sent to that domain by adding the following filters:
Sender Filter: +*@example.com, *
Recipient Filter: -*@example.com
Please note: The recipient filter only filters out messages where *all* the recipients (including cc and bcc) match a filter condition.
Additional Information
SMTP recipient
Test Case 1
smtp recipient filter:
[email protected], -*example.com,-*<anotherdomain>.com
Send email to bob and another user at example.com. Email should be processed
Send email to non-bob at example.com and non-bob@<anotherdomain>.com Email should be dropped
Send email to non-bob at example.com and non-bob@<anotherdomain>.com and non-bob@<yetanotherdomain>.com. Email should be caught
Test Case 2
smtp recipient filter:
[email protected], -*example.com,-*<anotherdomain>.com,*
Send email to non-bob at example.com and non-bob@<anotherdomain>.com and non-bob@<yetanotherdomain>.com. Email should be dropped
Test Case 3
smtp recipient filter:
-*@example.com
Send mail to [email protected]. Email should be caught
Send mail to [email protected]. Email should be dropped
SMTP sender
Test Case 1
smtp sender filter:
[email protected], -*example.com,-*<yetanotherdomain>.com
Send email from bob and another user at example.com. Email should be processed
Send email from non-bob at example.com. Email should be dropped
Send email from non-bob@<yetanotherdomain>.com. Email should be caught
Test Case 2
Smtp sender filter:
[email protected], -*example.com,-*<yetanotherdomain>.com,*
Send email from non-bob@<yetanotherdomain>.com. Email should be dropped
Test case 3
Smtp sender filter:
-*@example.com
Send mail from [email protected]. Email should be caught
Send mail from [email protected]. Email should be dropped
Test case 4
Smtp sender filter:
[email protected],+*example.com
Send mail from [email protected]. Email should be dropped
Send mail from [email protected] Email should be caught
Send mail from bob@<yetanotherdomain>.com. Email should be caught
Feedback
