How to globally filter specific SMTP messages

book

Article ID: 159758

calendar_today

Updated On:

Products

Data Loss Prevention Network Monitor

Issue/Introduction

How can specific messages be filtered prior to being detected by policies?

This can be useful when certain emails sent to internal domains should be excluded from detection. 

Resolution

You can use global SMTP filter by doing the following:

- Login as Administrator
- Go to Administration > System Overview > click on the detection server
- Click on the packet capture section
- Click on the SMTP protocol
- In the L7 filter section "L7 recipient filter" you can enter
*@mydomain.com to ignore all messages sent to mydomain.com.
- Restart the detection server

NOTE: L7 filters only affect network monitor servers.

Please also note: For SMTP the following applies.

  • L7 Sender Filter: Any sender email (for SMTP/MSN IM) or IP addresses (for UTCP), proxy-authenticated user names (for proxied HTTP/FTP), or user names (for AIM/Yahoo IM) to be evaluated

  • L7 Recipient Filter: Any recipient email (for SMTP/MSN IM/FTP) or IP addresses (for UTCP), user names (for Yahoo IM/AIM), or URLs (for HTTP) to be evaluated

You can use filters to include (inspect) or exclude (ignore) messages from specific senders and/or to specific recipients. The specific filter syntax depends on the protocol. For example, for email addresses, you can use wildcards anywhere in the filter string:

  • *@vontu.com matches all email to/from vontu.com
  • *.vontu.com matches all email to/from any subdomains of vontu.com.
  • *vontu.com matches all email to/from any email address ending in vontu.com.
  • [email protected] matches all email to/from [email protected]

You can add the following symbols to modify sender or recipient filters:

Plus sign (+)

Any email address mask preceded by a plus sign (+) keeps matching messages for inspection. For example, if you add the sender filter +*@abc.com, all messages sent from anyone in the abc.com domain are inspected.

Minus sign (-)

Any email address mask preceded by a minus sign (-) excludes matching messages from inspection. For example, if you add the recipient filter -*@xyz.com, all messages sent to anyone in the xyz.com domain are not inspected.

Asterisk (*)

If you add an asterisk (*) to the end of the filter expression, any message not explicitly matching any of the filter masks is ignored. For example, if you add the sender filter +*@abc.com,*, all messages from anyone in the abc.com domain are inspected, but all other messages are ignored.


The order in which filters are evaluated is from left to right. For example, if you add the recipient filter

[email protected], +*@xyz.com,*
, all messages sent to [email protected] are ignored, and all messages sent to anyone in the xyz.com domain are inspected. (The last asterisk tells the filter to ignore all other messages.)

In case of conflicting sender and recipient filters (for example, if the sender filter for a particular message evaluates as "inspect" and the recipient filter evaluates as "ignore"), the message resulting in such a case is ignored.

If you add multiple exclusion masks to a recipient filter, all message recipients must match any of the exclusion masks for the message to be excluded.  For example, if the recipient filter is -*@xyz.com, -*@abc.com, all messages sent to xyz.com and abc.com domains are ignored; however, messages sent to either xyz.com or abc.com (but not both) are inspected. If messages have any additional recipients in other domains, the messages are inspected.

You can monitor messages sent from the xyz.com domain but ignore message sent to that domain by adding the following filters:

Sender Filter: +*@xyz.com, *

Recipient Filter: -*@xyz.com

Please note: The recipient filter only filters out messages where *all* the recipients (including cc and bcc) match a filter condition. 

V11 Note:
When previous L7 filters are set to *@company.com, *@*company.com in V11, the exclusions that are *@company.com stopped working. Changing the exclusion to simply @company.com makes the exclusion works.

This Bug has been addressed in V 11.1.1 and usage will be as outlined in the documentation and in previous versions.