How the policy rule setting "All recipient must match (Email only)" works in DLP.
Article ID: 169546
Updated On:
Products
Issue/Introduction
Symantec Data Loss Prevention (DLP)
Network Prevent for Email
The setting "All recipient must match (Email only)" is confusing and difficult to understand.
Resolution
Here we explain a number of test cases which demonstrate how the setting works.
- If the cell is empty then the recipient is not listed in the mail being sent.
- If you have 5 recipients [email protected], [email protected], [email protected], [email protected], [email protected] specified in the rule then an incident will match in the following cases where each is listed in the email To:
| Email Test | Incident | |||||
| 1 | [email protected] | [email protected] | [email protected] | [email protected] | [email protected] | Yes |
| 2 | [email protected] | [email protected] | [email protected] | [email protected] | Yes | |
| 3 | [email protected] | [email protected] | [email protected] | Yes | ||
| 4 | [email protected] | [email protected] | Yes | |||
| 5 | [email protected] | Yes |
- If you add an additional recipient [email protected] to the email being sent then no incident will be created with any of the above recipients as follows:
With regards to the other setting “At least (#) recipient must match” the outcome is different as we could enable that option with the value of # = 1 and have the following results:
So the email would, in that case, need to contain at least 1 of the 5 recipients [email protected], [email protected], [email protected], [email protected], [email protected] but can also include any other email recipients outside of those listed in the rule which will trigger an incident whereas the “All recipient must match” cannot.
Feedback
