How the policy rule setting "All recipient must match (Email only)" works in DLP.

Article ID: 169546

Products

Data Loss Prevention Network Prevent for Email

Issue/Introduction

Symantec Data Loss Prevention (DLP)
Network Prevent for Email

The setting "All recipient must match (Email only)" is confusing and difficult to understand. 

Resolution

The following test cases demonstrate how the setting works. In each case the email is sent only to recipients that are listed in the rule.

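| Email Test | Recipient 1 | Recipient 2 | Recipient 3 | Recipient 4 | Recipient 5 | Incident |
|---|---|---|---|---|---|---|
| 1 | [email protected] | [email protected] | [email protected] | [email protected] | [email protected] | Yes |
| 2 | [email protected] | [email protected] | [email protected] | [email protected] | | Yes |
| 3 | [email protected] | [email protected] | [email protected] | | | Yes |
| 4 | [email protected] | [email protected] | | | | Yes |
| 5 | [email protected] | | | | | Yes |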

  • If you add an additional recipient [email protected] to the email being sent, then no incident is created with any of the above recipient combinations:
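| Email Test | Recipient 1 | Recipient 2 | Recipient 3 | Recipient 4 | Recipient 5 | Additional recipient | Incident |
|---|---|---|---|---|---|---|---|
| 1 | [email protected] | [email protected] | [email protected] | [email protected] | [email protected] | [email protected] | No |
| 2 | [email protected] | [email protected] | [email protected] | [email protected] | | [email protected] | No |
| 3 | [email protected] | [email protected] | [email protected] | | | [email protected] | No |
| 4 | [email protected] | [email protected] | | | | [email protected] | No |
| 5 | [email protected] | | | | | [email protected] | No |
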
With regard to the other setting, “At least (#) recipient must match”, the outcome is different. If we enable that option with the value # = 1, we get the following results:

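| Email Test | Recipient 1 | Recipient 2 | Recipient 3 | Recipient 4 | Recipient 5 | Additional recipient | Incident |
|---|---|---|---|---|---|---|---|
| 1 | [email protected] | [email protected] | [email protected] | [email protected] | [email protected] | [email protected] | Yes |
| 2 | [email protected] | [email protected] | [email protected] | [email protected] | | [email protected] | Yes |
| 3 | [email protected] | [email protected] | [email protected] | | | [email protected] | Yes |
| 4 | [email protected] | [email protected] | | | | [email protected] | Yes |
| 5 | [email protected] | | | | | [email protected] | Yes |
| 6 | [email protected] | | | | | [email protected] | Yes |
| 7 | | | | | | [email protected] | No |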

So in that case the email needs to contain at least 1 of the 5 recipients [email protected], [email protected], [email protected], [email protected], [email protected]. It can also include any other recipients outside of those listed in the rule and an incident is still triggered, whereas with “All recipient must match” it is not.
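
The two modes described above can be modelled as set operations and replayed against the test cases. This is an added example, not Symantec DLP code: the addresses are constructed placeholders, and exact-address, case-insensitive matching and the handling of an empty recipient list are assumptions.

```python
# Added illustration: a model of the two recipient-matching modes described
# on this page. Not Symantec DLP code; addresses are constructed placeholders.

LISTED = {f"listed{i}@example.com" for i in range(1, 6)}  # the 5 rule recipients
OUTSIDE = "other@example.org"                              # recipient not in the rule


def _normalize(addresses):
    """Lower-case and strip addresses (assumption: matching is case-insensitive)."""
    return {a.strip().lower() for a in addresses if a.strip()}


def all_must_match(recipients, listed=LISTED):
    """Incident only if every recipient of the email is listed in the rule."""
    rcpts = _normalize(recipients)
    # An email with no recipients is treated as a non-match (assumption).
    return bool(rcpts) and rcpts <= _normalize(listed)


def at_least_match(recipients, n=1, listed=LISTED):
    """Incident if at least n recipients of the email are listed in the rule."""
    return len(_normalize(recipients) & _normalize(listed)) >= n


def run_tables():
    """Replay the page's test cases; returns {mode: [incident per test]}."""
    ordered = sorted(LISTED)
    subsets = [ordered[:k] for k in range(5, 0, -1)]  # 5, 4, 3, 2, 1 listed recipients
    return {
        "all, listed only": [all_must_match(s) for s in subsets],
        "all, plus outside": [all_must_match(s + [OUTSIDE]) for s in subsets],
        "at least 1, plus outside": [at_least_match(s + [OUTSIDE]) for s in subsets]
        + [at_least_match([OUTSIDE])],                # last row: outside recipient only
    }


if __name__ == "__main__":
    for mode, results in run_tables().items():
        print(mode, ["Yes" if r else "No" for r in results])
```
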