As part of the company policy design it may be required to detect or block e-mails sent to public domains. This knowledge base article describes the basic idea behind designing such a DLP policy. It can be used as the basis or starting point for a more complex policy; the information in the article focuses on the basics of the concept.
Please note that creating policies without content match context is not advised. The Recipient Matches Pattern and/or protocol conditions should be combined with content detection as an additional layer rather than used as the sole conditions. The DLP product is designed around content inspection and detection. Using the domain and/or protocol conditions alone may lead to false positives and may cause excessive performance impact on the detection servers and the Enforce server when DLP is used as a network security filtering solution. Content match detection rules include, for example, "Content Matches Keyword", "Content Matches Data Identifier" and "Content Matches Exact Data". For the full list of content match conditions refer to the below document:
The condition (rule) that detects e-mails sent to specific domains is called "Recipient Matches Pattern". It can be used either as a policy detection rule or as an exception. By default the "Recipient Matches Pattern" condition is available in the "Groups" tab of the policy creation interface; a condition or exception added there applies to the whole policy. Alternatively the same condition can be used as a compound condition on other detection rules or exceptions in the "Detection" tab. A compound condition is a condition added on top of another rule; for example, it can be added alongside a "Content Matches Keyword" rule in the "Also Match" section of that rule.
Please note that DLP does not contain a list of public e-mail domains, nor is it able to detect whether an e-mail address domain is external or internal. This policy design therefore requires preparing such a list manually. However, the reverse approach can be used: a policy exception for all internal domains, built on the same concept. The difference is that the list contains the internal domains instead of the public ones, and it is used as an exception in the policy rather than as a detection rule. Note that a list of public domains only ever covers the domains you enumerate, whereas the list of internal domains is finite and under your control.
The process of creating such a policy can be broken down into a few steps:
1. Create a blank new policy or edit an existing one
2. In the Groups tab of the policy add the condition "Recipient Matches Pattern"
3. After clicking Next, a configuration window is displayed with three fields: Email Address/Newsgroup Pattern, IP Address and URL Domain. For an e-mail detection policy only the first one is needed. Enter the public domains that you want to detect or block into the Email Address/Newsgroup Pattern field. The correct syntax is as follows:
outlook.com
yahoo.com
Do not use wildcards (*) or the @ sign. Separate different domains with new lines (Enter) or commas (,).
4. Click "OK" to add the condition to the policy. The policy is now ready to detect e-mails going to the public outlook.com and yahoo.com domains; more domains can be added at any time.
5. If the policy needs to block such e-mails, an appropriate response rule must be added. To block on the Endpoint Agent the response rule is "Endpoint Prevent: Block"; to block on Network Prevent for E-mail servers the response rule is "Network Prevent: Block SMTP Message". Both can be combined in the same policy to block at both levels: when the e-mail is sent from the endpoint (Outlook and Lotus Notes) and when it is forwarded to the NPE server by the internal MTA for detection.
6. Lastly, once the policy configuration is finished, click the "Save" button at the top of the screen.
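The policy logic behind the steps above, as an added worked model that is not DLP product code (the product evaluates these conditions on the detection server). It assumes exact domain matching (the article does not state how the product treats subdomains), uses the hypothetical internal domains corp.example and mail.corp.example, and runs over constructed sample messages. It shows the two designs from the notes above side by side: a detection condition listing public domains, and an exception listing internal domains, each layered on a "Content Matches Keyword" rule rather than used on its own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed model of the policy logic described in this article; not DLP code.
# Assumptions: a listed domain matches a recipient only when the recipient's domain
# is exactly that string, and the recipient condition is evaluated as a compound
# condition on top of a keyword rule (an incident needs both).


def parse_recipient_pattern(text: str) -> set[str]:
    """Parse an Email Address/Newsgroup Pattern list (newline- or comma-separated).

    Wildcards and '@' are not valid in the field, so they are rejected rather
    than silently kept as entries that would never match anything.
    """
    domains: set[str] = set()
    for raw in re.split(r"[,\n]", text):
        entry = raw.strip().lower()
        if not entry:
            continue
        if "*" in entry or "@" in entry:
            raise ValueError(f"invalid entry {entry!r}: no wildcards or '@' allowed")
        domains.add(entry)
    return domains


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower()


@dataclass
class Message:
    recipients: list[str]
    body: str


@dataclass
class Policy:
    """One 'Content Matches Keyword' rule with a recipient condition attached.

    detect_domains    -> 'Recipient Matches Pattern' used as a detection condition
    exception_domains -> 'Recipient Matches Pattern' used as an exception
                         (the reverse approach: list the internal domains)
    """
    keywords: list[str]
    detect_domains: set[str] = field(default_factory=set)
    exception_domains: set[str] = field(default_factory=set)


def content_matches(policy: Policy, msg: Message) -> bool:
    body = msg.body.lower()
    return any(keyword.lower() in body for keyword in policy.keywords)


def matching_recipients(policy: Policy, msg: Message) -> list[str]:
    """Recipients that satisfy the policy's recipient condition."""
    hits: list[str] = []
    for rcpt in msg.recipients:
        domain = recipient_domain(rcpt)
        if domain in policy.exception_domains:
            continue  # exception wins: internal recipient, never an incident
        if policy.detect_domains and domain not in policy.detect_domains:
            continue  # a detection list is configured and this domain is not on it
        hits.append(rcpt)
    return hits


def evaluate(policy: Policy, msg: Message) -> dict:
    """Incident decision: content match AND at least one matching recipient.

    The recipient pattern only narrows a content match; on its own it raises
    nothing, which is the layering the article recommends.
    """
    content_hit = content_matches(policy, msg)
    rcpts = matching_recipients(policy, msg) if content_hit else []
    return {"incident": bool(rcpts), "content_match": content_hit, "recipients": rcpts}


# Constructed sample data; corp.example and partner.example are assumed names.
PUBLIC_LIST = parse_recipient_pattern("outlook.com\nyahoo.com")              # as typed in step 3
INTERNAL_LIST = parse_recipient_pattern("corp.example, mail.corp.example")  # comma style, as in reusable patterns

BY_PUBLIC_LIST = Policy(keywords=["confidential"], detect_domains=PUBLIC_LIST)
BY_INTERNAL_EXCEPTION = Policy(keywords=["confidential"], exception_domains=INTERNAL_LIST)

SAMPLE_MESSAGES = [
    Message(["bob@outlook.com"], "Confidential forecast attached"),
    Message(["carol@corp.example"], "Confidential forecast attached"),
    Message(["dave@yahoo.com"], "Lunch on Friday?"),
    Message(["erin@partner.example"], "Confidential forecast attached"),
]


def compare_approaches() -> list[tuple[bool, bool]]:
    """(public-list incident, internal-exception incident) for each sample message."""
    return [
        (evaluate(BY_PUBLIC_LIST, m)["incident"], evaluate(BY_INTERNAL_EXCEPTION, m)["incident"])
        for m in SAMPLE_MESSAGES
    ]
```

Running compare_approaches() over the four constructed messages shows where the two designs differ: the message to partner.example is caught by the internal-exception policy but not by the public-domain list, because partner.example was never enumerated, while the lunch e-mail to yahoo.com raises nothing under either design since it has no content match.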
1. To save time when the same list of domains needs to be applied to a larger number of policies, "Reusable Recipient Patterns" can be used.
The Reusable Recipient Pattern creation is described in the below documentation:
Configuring a Reusable Recipient Pattern (broadcom.com)
Note that in the reusable patterns the e-mail domains need to be separated with commas (,).
Once created, a reusable pattern can be selected in the same "Recipient Matches Pattern" condition: instead of entering the domains manually, select the radio button next to "Reusable Recipient Pattern" and choose the pattern.
2. By default, Network Prevent for E-mail servers are configured in Trial Mode after installation. In Trial Mode all detection works, but e-mails are not actually blocked, so a "Network Prevent: Block SMTP Message" response rule has no visible effect until Trial Mode is turned off. This is a design feature that allows policies to be tested before they are enforced in the environment, so that potential false positives are not blocked during the policy design phase.
To enable or disable Trial Mode navigate to System -> Servers and Detectors -> Overview. Click the Network Prevent for E-mail server's name, click Configure in the new window, and then navigate to the "Inline SMTP" tab.
To allow blocking, ensure that the Trial Mode checkbox is unchecked: