Data Loss Prevention

  • 1.  Network Prevent: SMTP Block not working

    Posted Feb 20, 2019 10:07 AM

    I would like help with the issue I'm facing right now, which is that the emails are still being sent out to the receiving party despite the SMTP block response rule. I have verified on the incident that the response rule action has been taken, according to its history.

     

    FYI, the Network Prevent for Email is in inline mode between a Messaging Gateway and Exchange and not in Trial mode.



  • 2.  RE: Network Prevent: SMTP Block not working

    Posted Feb 21, 2019 04:37 AM

    Hello Pan,

    It depends on the architecture you choose.

    We usually choose to add a header (like x-CFilter :) into the mail that can be detected by the SMTP relay (Messaging Gateway) so that the mail is blocked and retained.

    With regards



  • 3.  RE: Network Prevent: SMTP Block not working

    Posted Feb 21, 2019 04:41 AM

    Hi Pan,

     

    Looks like you have the perfect flow above, so it should realistically work. The only thing I can think of that would be preventing the block rule is the conditions in your rule/response not matching, so it will generate an incident saying 'FYI' but no block, as it didn't meet the criteria.

     

    The most common one for this is, for example, if your rule states 'find SMTP traffic to this email address - Severity medium' and your response rule says 'Block action to email address - Severity high'.

     

    The block response will never actually happen, as the response rule says it might be classed as high severity (typically used for multiple rules) and your rule is only triggering medium incidents,

     

    I hope this helps,

     

    If not, let me know and I'll try to help further, but everything appears to be OK setup-wise.

     



  • 4.  RE: Network Prevent: SMTP Block not working

    Posted Feb 21, 2019 04:42 AM

    The block response will never actually happen, as the response rule says it must be classed as high severity (typically used for multiple rules) and your rule is only triggering medium incidents,

     

    edit: Amended typo



  • 5.  RE: Network Prevent: SMTP Block not working

    Posted Feb 21, 2019 07:48 AM

    Hi, Thomas.

    What would you suggest? My architecture is as follows:

    Exchange -> Network Prevent for Email -> Trend Micro Messaging Gateway.

    So, the response rule I should choose is modify header and have the Messaging Gateway do the blocking based on the header?

    If I wish to use Network Prevent: Block SMTP with bounce message back to sender,

    What configuration is necessary on the Exchange to process bounced message from the Network Prevent?

     

    Hi, Nathan.

    I made sure the response rule's condition is set properly and it even said Message Blocked in the incident so I do not think the response rule is incorrect.



  • 6.  RE: Network Prevent: SMTP Block not working

    Posted Feb 21, 2019 10:27 AM

    Pan,

    You can use the FlexResponse Network Prevent : Block SMTP in any mode you want (Forwarding mode or Reflecting mode).

    The way we use it comes down to which component you want to store the blocked mails on (at my company, they are stored 10 days before deletion).

    We usually use another MTA to store them because that is not the aim of the Symantec DLP tool.

    With regards.



  • 7.  RE: Network Prevent: SMTP Block not working

    Posted Feb 28, 2019 09:54 AM

    Pan - Response rules will be different based on how you want to accomplish

    If you want DLP to drop the message, not forward to Trend, use
    "Network Prevent: Block SMTP Message"
    No special configuration needed by Exchange to work.

    If you want Trend to drop the message, use
    "Network Prevent: Modify SMTP Message" and insert header string of your choice then configure Trend to look for that same string.  Verify it is being inserted into header by DLP.
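
One way to carry out the "verify it is being inserted into header" step from the reply above, as an added example that is not part of the original thread and not Symantec or Trend Micro code: parse a raw message captured downstream of Network Prevent and report whether the tag sits in the top-level header block. The header name `X-CFilter` comes from the thread; the value `dlp-block`, the function names and the sample messages are constructed assumptions.

```python
from email import message_from_bytes
from email.policy import default

TAG_HEADER = "X-CFilter"   # header name taken from the thread
TAG_VALUE = "dlp-block"    # constructed value; use the string set in your rule


def dlp_tag_values(raw: bytes, header: str = TAG_HEADER) -> list:
    """Values of `header` in the top-level header block of a raw message."""
    msg = message_from_bytes(raw, policy=default)
    # Header lookup is case-insensitive and unfolds continuation lines;
    # text in the body or in attachments is never returned here.
    return [str(v).strip() for v in (msg.get_all(header) or [])]


def gateway_verdict(raw: bytes) -> str:
    """Mimic the gateway rule: hold the message only if the tag is present."""
    return "block" if TAG_VALUE in dlp_tag_values(raw) else "deliver"


def _msg(*lines: str) -> bytes:
    """Build a CRLF-terminated raw message from header/body lines."""
    return "\r\n".join(lines).encode("ascii")


# Constructed samples, not captured traffic.
COMMON = ("From: a@example.com", "To: b@example.net", "Subject: q3 figures")
# Tag present, written in lower case and folded onto a continuation line.
TAGGED = _msg(*COMMON, "x-cfilter:", " dlp-block", "", "body text")
# Tag string appears only in the body, so the header was never inserted.
BODY_ONLY = _msg(*COMMON, "", "X-CFilter: dlp-block")
# Header present but with a value the gateway rule does not look for.
WRONG_VALUE = _msg(*COMMON, "X-CFilter: dlp-notify", "", "body text")

if __name__ == "__main__":
    samples = {"tagged": TAGGED, "body-only": BODY_ONLY, "wrong-value": WRONG_VALUE}
    for name, raw in samples.items():
        print(f"{name:12} values={dlp_tag_values(raw)} verdict={gateway_verdict(raw)}")
```

An empty list for a message that raised a DLP incident means the header was not inserted on that path; a non-empty list with a "deliver" verdict means the inserted string and the gateway's match string differ.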