
Mail Prevent Filter

Created: 19 Jul 2012 | 2 comments
VBAL's picture

Is there any way to create an exception or filter for certain email senders in DLP Mail Prevent? NOT in every Detection Rule!!

The DLP Network Monitor has IP Filters, L7 Sender & L7 Recipients... The DLP Web Prevent has Ignore request for Host/Domains or Agents... The DLP Endpoint Agents have IP Filters & HTTP Filters.

We need to filter some internal email addresses (example: postmaster@domain.com) so that they are NOT redirected to DLP Mail Prevent for analysis.

The network infrastructure includes a Symantec Messaging Gateway appliance connected to DLP Mail Prevent in reflect mode. The internal mail server infrastructure is Microsoft Exchange, and this server is generating the Postmaster notifications to internet destinations.

 

 


xlloyd's picture

I'd create an exception on the MTA so that it wouldn't pass the mails on to DLP in the first place. That depends on the capabilities of the MTA itself though.

If this post has helped you, please vote up or mark as solution
Thomas Fürling's picture

You can have your email system, e.g. Exchange, create an X-HEADER like "X-DLP: NOSCAN" and then create an exception in the detection based on that.

Before creating the X-HEADER you should make sure that no X-DLP headers are present (otherwise a user could bypass DLP). So the following approach would help:

  1. Remove all X-DLP headers
  2. Create the "X-DLP: NOSCAN" header in case selected mailboxes, senders, recipients etc. are involved
  3. Create a policy exception on that "X-DLP: NOSCAN" header
  4. After the DLP check, make sure that the X-DLP headers are removed before the mail leaves the company (this is not critical, but it is good practice to NOT show that a DLP system was bypassed ;-)

This helps for mails leaving the company. If you need a solution for company-internal mail traffic, the solution will look more difficult.
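The four-step header handling from the reply above, modelled in Python as an added example (not code from the thread, Exchange or Symantec DLP). The allowlist, the function names and the sample messages are assumptions made for illustration; the allowlist is keyed on the envelope sender rather than the `From:` header because the latter is set by the client.

```python
from email import message_from_string
from email.message import Message

DLP_HEADER = "X-DLP"
NOSCAN = "NOSCAN"
# Hypothetical allowlist of senders that may skip DLP analysis.
NOSCAN_SENDERS = {"postmaster@domain.com"}

def pre_dlp(msg: Message, envelope_sender: str) -> Message:
    """Steps 1 and 2: runs on the mail system before hand-off to DLP."""
    # Step 1: drop every X-DLP header the client supplied. Deletion is
    # case-insensitive, removes all occurrences, and is a no-op if absent.
    del msg[DLP_HEADER]
    # Step 2: stamp the header only for allowlisted envelope senders.
    if envelope_sender.strip().lower() in NOSCAN_SENDERS:
        msg[DLP_HEADER] = NOSCAN
    return msg

def dlp_should_scan(msg: Message) -> bool:
    """Step 3: the policy exception keyed on the trusted header."""
    values = msg.get_all(DLP_HEADER, [])
    return not any(v.strip().upper() == NOSCAN for v in values)

def post_dlp(msg: Message) -> Message:
    """Step 4: remove the marker before the mail leaves the company."""
    del msg[DLP_HEADER]
    return msg

def route(raw: str, envelope_sender: str):
    """Run one message through all four steps; return (scanned, outbound)."""
    msg = pre_dlp(message_from_string(raw), envelope_sender)
    scanned = dlp_should_scan(msg)
    return scanned, post_dlp(msg)

# Constructed sample messages (not taken from any real system).
FORGED = ("From: user@domain.com\nTo: someone@example.net\n"
          "x-dlp: NOSCAN\nSubject: report\n\nbody\n")
NOTIFY = ("From: postmaster@domain.com\nTo: someone@example.net\n"
          "Subject: Undeliverable\n\nbody\n")

if __name__ == "__main__":
    for raw, sender in ((FORGED, "user@domain.com"),
                        (NOTIFY, "postmaster@domain.com")):
        scanned, out = route(raw, sender)
        print(sender, "scanned" if scanned else "skipped", out.keys())
```

If step 1 is skipped, the constructed `FORGED` message keeps its client-supplied header and matches the exception in step 3, which is the bypass the reply warns about.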