Sender/Recipient Matches Pattern Field - limitations and usage

Article ID: 160274


Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

When setting up exception rules, what are the field limitations for the "sender/recipient matches pattern" rule?

Cause

You want to configure recipient matching based on user email addresses, IP addresses or URL domains.

Resolution

The recipient rule lets you set domains in either or both of the "Email Address/Newsgroup Pattern" and "URL Domain" fields. Within the product, the detection engine applies the domain field to any traffic, i.e. HTTP, NNTP, SMTP, IM, etc. The email address field is applied only to messages that have identifiable users, i.e. SMTP and NNTP. The domain field therefore has the broadest capability, allowing a single rule to prevent any message flowing to a certain domain. Since the intention is to be broad at the domain level, the user interface limits this field to 512 characters.

The email address field is intended to be more specific to email and newsgroups. As such, it provides the ability to enter specific emails or patterns, such as [email protected], @sales.company.com, sales.company.com or a discrete list of email addresses. 

DLP allows for a much larger list in the email field as a result. This field has no limit in the user interface. The database likewise has no limit. The web application has a configured limit of 2MB for any posted data, so the actual limit is somewhat closer to 2MB.

In reality, the browser would need to be able to handle a post that large. In addition, we would not recommend trying to push the limit, because of the size of the data being pushed through policy to Endpoint Agents and Detection Servers.

Please note that regex and wildcards are not supported in the Recipient Patterns Email Address or URL Domains fields; they are supported only in the IP Addresses field.*

The product documentation notes the following about what is supported:

NOTE: The above behavior does change when using DLP with the Cloud Detection Service for CASB. If you wish to track whether users are sharing O365 OneDrive files with external email addresses such as Gmail or Hotmail, don't use the "URL Domain" field, as it will not generate matches when files are shared with those email domains. Instead, enter those domains in the "Email Address/Newsgroup Pattern" field: "gmail.com,hotmail.com".
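As an added example (not Broadcom's code and not part of the product), a pre-flight lint that checks a pattern list against the limits described above before it is pasted into the rule. The comma separator, the exact byte value used for 2MB, the set of characters treated as wildcard or regex syntax, and all function and parameter names are assumptions.

```python
import re

URL_DOMAIN_UI_LIMIT = 512            # characters, per the article
POST_LIMIT_BYTES = 2 * 1024 * 1024   # assumed byte value of the 2MB post limit
# Assumed set of characters that signal a wildcard or regex attempt.
# '+' is left out because it is legal in email local parts.
WILDCARD_OR_REGEX = re.compile(r"[*?\[\]()|\\^]")

def split_entries(field_value):
    """Split a comma-separated field (assumed separator) into trimmed entries."""
    return [e.strip() for e in field_value.split(",") if e.strip()]

def lint_recipient_pattern(email_field="", url_domain_field="",
                           casb_file_sharing=False):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if len(url_domain_field) > URL_DOMAIN_UI_LIMIT:
        findings.append("URL Domain: %d characters exceeds the 512-character "
                        "UI limit" % len(url_domain_field))
    # Other form data shares the same post, so the usable size is below 2MB.
    if len(email_field.encode("utf-8")) >= POST_LIMIT_BYTES:
        findings.append("Email Address/Newsgroup Pattern: list reaches the "
                        "2MB posted-data limit")
    fields = (("Email Address/Newsgroup Pattern", email_field),
              ("URL Domain", url_domain_field))
    for name, value in fields:
        for entry in split_entries(value):
            if WILDCARD_OR_REGEX.search(entry):
                findings.append("%s: '%s' uses wildcard/regex syntax, which "
                                "this field does not support" % (name, entry))
    # CASB note: URL Domain entries do not match file shares to email domains.
    if casb_file_sharing and split_entries(url_domain_field):
        findings.append("URL Domain: will not match files shared with email "
                        "domains via CASB; use the Email Address/Newsgroup "
                        "Pattern field instead")
    return findings

if __name__ == "__main__":
    # Constructed sample input, not taken from a real policy.
    for finding in lint_recipient_pattern(
            email_field="*@sales.example.com, partner.example.org",
            url_domain_field="gmail.com,hotmail.com",
            casb_file_sharing=True):
        print(finding)
```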

 

Additional Information

*For this limitation, we have an open feature request, "ISFR-2447 - Enforce - Ability to use regular expressions or wildcards in the Recipient Patterns field", to allow wildcards in the email address section of the recipient matches pattern condition. If you would like to add your organization as an endorser, please contact our Technical Support. We also have feature request "PM-2701" to allow wildcards in the URL domain section of the recipient matches pattern condition.

References:

How many IP addresses can be entered into the IP address field of Sender/User Matches Conditions?

Configuring the Recipient Matches Pattern condition