Any recipient email (for SMTP/MSN IM/FTP) or IP addresses (for UTCP), user names (for Yahoo IM/AIM), or URLs (for HTTP) to be evaluated.
You can use filters to include (inspect) or exclude (ignore) messages from specific senders or to specific recipients. You must precede each entry with a plus sign (+) or minus sign (-) to include or exclude matching results. For example:
Any email address mask that starts with a plus sign (+) keeps matching messages for inspection. If you add the sender filter +*@abc.com, all messages that are sent from anyone in the abc.com domain are inspected.
Any email address mask that starts with a minus sign (-) excludes matching messages from inspection. If you add the recipient filter -*@xyz.com, all messages that are sent to anyone in the xyz.com domain are not inspected.
If you add an asterisk (*) to the end of the filter expression, any message not explicitly matching any of the filter masks is ignored. For example, if you add the sender filter +*@abc.com,*, all messages from anyone in the abc.com domain are inspected, but all other messages are ignored.
You can also include asterisk wildcards elsewhere in the address strings. The specific filter syntax depends on the protocol. For example, for email addresses you can use wildcards anywhere in the filter string as follows:
+*@symantec.com inspects all email to/from symantec.com.
+*.symantec.com inspects all email to/from any subdomains of symantec.com.
-*symantec.com excludes all email to/from any email address ending in symantec.com.
-phil@fakedomain.com excludes all email to/from phil@fakedomain.com.
The order in which filters are evaluated is from left to right. For example, if you add the recipient filter
-ceo@xyz.com, +*@xyz.com,*,all messages that are sent to ceo@xyz.com are ignored, and all messages that are sent to anyone in the xyz.com domain are inspected. The last asterisk tells the filter to ignore all other messages.
If the sender and recipient filters conflict, the resulting message is ignored. For example, this situation can happen if the sender filter for a particular message evaluates as "inspect" and the recipient filter evaluates as "ignore."
If a recipient filter has multiple exclusion masks, recipients can match any of the exclusion masks and the message is excluded. For example, if the recipient filter is -*@xyz.com, -*@abc.com, all the messages that are sent to xyz.com and abc.com domains are ignored. Also, the messages that are sent to either xyz.com or abc.com (but not both) are ignored. If messages have any additional recipients in other domains, the messages are inspected.
You can monitor messages sent from the xyz.com domain but ignore message sent to that domain by adding the following filters:
L7 Sender Filter: +*@xyz.com, *
L7 Recipient Filter: -*@xyz.com