Data Loss Prevention

  • 1.  Recipient L7 filter

    Posted Jun 14, 2012 07:29 AM

    Hello,

     

    In the Network Monitor configuration, you can set up L7 filters on the SMTP protocol for email recipients. For example, they can be used to exclude domains not managed by your mail system but owned by your company.

    But it seems that when you set a list of domains, only emails matching all domains are excluded from monitoring (at least this is what is described in the "Help" page). Can someone confirm it works like that?

    So does anyone know a way to exclude a message only if some part of your email domain whitelist is included in it? (Other than defining exceptions in the policy, as that will be very difficult when you have a lot of policies, and from a computing-resource point of view it is not very efficient.)

    Does someone know if the IP filter also works like that? For IP it would mean that you can add only one filter, as the IP destination can't be equal to a full list.

    And a last question on L7 filters: do you know which configuration is taken into account if you define filters both in the protocol setup and in the Network Monitor configuration?



  • 2.  RE: Recipient L7 filter

    Posted Jun 14, 2012 11:22 AM

    You can create custom filters in the Network Monitor for the SMTP protocol per domain. I also seem to remember that there was a global filter option, but some here have had issues with it.

    The filter should look something like this per domain:

    -*@emaildomain.com

    What this statement is saying is that if email from "emaildomain.com" comes in, it is to be ignored.

    If you are looking for something else, let me know.



  • 3.  RE: Recipient L7 filter

    Posted Jul 23, 2012 12:01 PM

    Hi,

    I have a similar question: I want to exclude mail destined for an internal IP range (10.x.x.x), which is all going to be internal or incoming email.

    I have tried adding this IP filter into the recipient filter field:

    -,*,10.0.0.0/8;+,*,*

    But that seems to ignore all SMTP traffic.

    I can't put in all the domains, as it exceeds the 512-character limit.

    Any thoughts?



  • 4.  RE: Recipient L7 filter

    Posted Jul 23, 2012 05:48 PM

    @bluehandle - you're doing it wrong.  Yes, the filter as you have it will likely exclude all SMTP traffic because it's saying to ignore all traffic from the 10. subnet.  The syntax of the IP filters is:

       {+|-},{recipient},{sender}

    You got the second part right, however. You do want to have that +,*,* in there, which tells the system to inspect everything else. Your IP filter in this case should be:

       -,10.0.0.0/8,*;+,*,*

    This says "ignore everything going to the 10. subnet... inspect everything else."

    @stephane - it sounds like you misinterpreted what you read in the help (not that the help is always exceedingly clear).  What I think you read was that in order to ignore the message (when using a recipient L7 filter), all recipients must match one of the filtered domains.  So, if you do a L7 recipient filter like this:

      -@domainA.com,-@domainB.com

    ...an email being inspected would have to be going only to recipients at domainA.com or domainB.com.  If an email had recipients at domainA.com, domainB.com, AND domainC.com, it would get inspected.

    On a L7 Sender filter, the same doesn't really apply, since an email can only have one sender. The same filter written above, used in a L7 Sender filter, would tell the system to ignore any email from senders with a domainA.com or domainB.com email address.

    Hope that helps.

    ~Keith




  • 5.  RE: Recipient L7 filter

    Posted Jul 31, 2012 01:16 AM

    Hi Stephan,

    NOTE: L7 filters only affect network monitor servers.

    Please also note: For SMTP the following applies.

    • L7 Sender Filter: Any sender email (for SMTP/MSN IM) or IP addresses (for UTCP), proxy-authenticated user names (for proxied HTTP/FTP), or user names (for AIM/Yahoo IM) to be evaluated
    • L7 Recipient Filter: Any recipient email (for SMTP/MSN IM/FTP) or IP addresses (for UTCP), user names (for Yahoo IM/AIM), or URLs (for HTTP) to be evaluated
    • Plus sign (+): Any email address mask preceded by a plus sign (+) keeps matching messages for inspection. For example, if you add the sender filter +*@abc.com, all messages sent from anyone in the abc.com domain are inspected.
    • Minus sign (-): Any email address mask preceded by a minus sign (-) excludes matching messages from inspection. For example, if you add the recipient filter -*@xyz.com, all messages sent to anyone in the xyz.com domain are not inspected.
    • Asterisk (*): If you add an asterisk (*) to the end of the filter expression, any message not explicitly matching any of the filter masks is ignored. For example, if you add the sender filter +*@abc.com,*, all messages from anyone in the abc.com domain are inspected, but all other messages are ignored.

    Sender Filter: +*@xyz.com, *

    Recipient Filter: -*@xyz.com


    Please note: The recipient filter only filters out messages where *all* the recipients (including cc and bcc) match a filter condition.
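    Added example, not part of this thread or of the product: a small Python model of the filter semantics described in the two replies above (the +/-/* email masks with the "all recipients must match" rule, and the {+|-},{recipient},{sender} IP filter), so an expression can be checked against constructed sample addresses before it is deployed to a Network Monitor. Wildcard matching via fnmatch, left-to-right first-match evaluation of ';'-separated IP rules, and "one address matching a + mask is enough" are assumptions, not documented product behaviour.

```python
import ipaddress
from fnmatch import fnmatch


def _mask_matches(mask, address):
    # Email masks such as "*@abc.com"; a bare "@domain" is read as "*@domain".
    if mask.startswith("@"):
        mask = "*" + mask
    return fnmatch(address.lower(), mask.lower())


def email_filter_inspects(filter_expr, addresses):
    """Evaluate a comma-separated L7 sender/recipient filter of +mask / -mask
    entries with an optional trailing "*". Returns True if the message is
    inspected, False if it is ignored. `addresses` is the single sender or
    the full recipient list (To, Cc and Bcc)."""
    parts = [p.strip() for p in filter_expr.split(",") if p.strip()]
    ignore_unmatched = bool(parts) and parts[-1] == "*"
    if ignore_unmatched:
        parts = parts[:-1]
    keep = [p[1:] for p in parts if p.startswith("+")]
    drop = [p[1:] for p in parts if p.startswith("-")]
    # Thread semantics: a "-" filter excludes the message only when *every*
    # address matches some "-" mask (one unmatched recipient keeps inspection).
    if drop and all(any(_mask_matches(m, a) for m in drop) for a in addresses):
        return False
    if ignore_unmatched:
        # Trailing "*": anything not matched by a "+" mask is ignored.
        # Assumption: one address matching a "+" mask is enough to inspect.
        return any(_mask_matches(m, a) for m in keep for a in addresses)
    return True


def _ip_matches(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def ip_filter_inspects(filter_expr, recipient_ip, sender_ip):
    """Evaluate an IP filter written as '{+|-},{recipient},{sender}' rules
    separated by ';'. Assumption: rules are tried left to right and the first
    match decides; with no match the message is inspected."""
    for rule in filter_expr.split(";"):
        action, recipient, sender = (f.strip() for f in rule.split(","))
        if _ip_matches(recipient, recipient_ip) and _ip_matches(sender, sender_ip):
            return action == "+"
    return True


if __name__ == "__main__":
    # Constructed sample: Keith's corrected IP filter, and a mixed recipient list.
    print(ip_filter_inspects("-,10.0.0.0/8,*;+,*,*", "10.1.2.3", "192.0.2.10"))  # False
    print(email_filter_inspects("-@domainA.com,-@domainB.com",
                                ["a@domainA.com", "c@domainC.com"]))  # True
```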