
[Essentials] Filters Best Practices

Filter Emails based on Country of Origin

The Detail view of an email permalink contains a field named Client Geo IP Lookup, which shows the country of origin of the sending IP address for that message.
If you are receiving an unwarranted amount of emails from a specific country that you know you do not do business with, then it is possible to quarantine messages from said country.
It is even possible to quarantine all messages except for those from a specific country.
For steps on how to implement this, see the following article: https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/090_filtersandsenderlists/Filter_mail_from_a_specific_Country_of_Origin

Filter Phishing Emails that Spoof CEO/VP

Bad actors will sometimes target smaller businesses with phishing attacks aimed at End Users. These threats often spoof a CEO, Executive or VP in the “From” Header of the email to trick the user into sending money to an external account. 
These threats are often hard to detect because they contain next-to-no malicious content, and a “From” Header that differs from the Envelope Sender is common practice and not necessarily indicative of spam.
Luckily, you can set up a custom filter to quarantine these messages while still allowing messages from the CEO’s genuine external email addresses. The following article details the creation of this filter: https://help.proofpoint.com/Proofpoint_Essentials/Spoofed_Email_Headers%3A_Name_spoofing%2C_Imposter_spoofing%2C_or_CEO%2C_VP_Impersonation
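
As an added illustration (example code written for this page, not Proofpoint's filter engine and not an excerpt from the linked article), the Python below expresses the logic such a filter encodes: a “From” display name that matches a listed executive is quarantined unless the address is one of that executive's known genuine addresses. The executive names, genuine addresses and sample headers are all constructed. It also covers the second common spoofing style, where the executive's real address is placed in the display name in front of an unrelated mailbox, and it matches whole names so that an unrelated sender such as “Mary Jane Doering” is not flagged for containing “Jane Doe”.

```python
import re
from email.utils import parseaddr

# Constructed data (not from the article): executives whose names get spoofed,
# mapped to the genuine addresses they legitimately send from. Mail from one
# of these addresses is allowed; any other address using the name is quarantined.
EXECUTIVES = {
    "jane doe": {"jane.doe@example.com", "jane.doe@personal-mail.test"},
    "john roe": {"john.roe@example.com"},
}


def _norm(text):
    """Lower-case and collapse whitespace so 'Jane  DOE' compares equal to 'jane doe'."""
    return re.sub(r"\s+", " ", text).strip().lower()


def classify_from_header(from_header):
    """Return 'quarantine' when the From display name impersonates a listed
    executive and the address is not one of that executive's genuine
    addresses; otherwise 'allow'."""
    display, addr = parseaddr(from_header)
    display, addr = _norm(display), addr.strip().lower()
    for name, genuine in EXECUTIVES.items():
        # Whole-name match, so 'Mary Jane Doering' does not trip 'jane doe'.
        name_hit = re.search(r"\b" + re.escape(name) + r"\b", display) is not None
        # Second spoofing style: the genuine address placed in the display
        # name, e.g. "jane.doe@example.com" <attacker@free-mail.test>.
        addr_in_name = any(g in display for g in genuine)
        if (name_hit or addr_in_name) and addr not in genuine:
            return "quarantine"
    return "allow"


if __name__ == "__main__":
    # Constructed sample From headers.
    for hdr in [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe (CEO) <ceo.urgent@free-mail.test>",
        '"jane.doe@example.com" <payments@free-mail.test>',
        "Mary Jane Doering <mjd@partner.test>",
    ]:
        print(f"{classify_from_header(hdr):<11} {hdr}")
```

The allow-list of genuine addresses is the part that keeps the filter from blocking the executive's own mail from a personal account; everything else that wears the name is quarantined for review rather than rejected outright.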

DLP Filters

There are two main tools that can be utilized within Custom Filters to prevent the loss of sensitive data, these are:

  • Smart Identifier Scan: pre-defined regular expressions are used to match with specific content in an email, such as Credit Card Numbers.
  • Dictionary Scan: pre-defined lists of terms (for example, Credit Card terms such as “Visa Debit”) are used to locate emails containing this information.

To reduce the number of DLP false positives, and to simplify the identification of which terms are causing emails to flag incorrectly, there are two practices that we suggest:

  1. Use Smart Identifier Terms in combination with Dictionary Terms, so that a message must match both; this reduces the risk of false flagging.
  2. Create multiple DLP Filters, each with a smaller number of terms, instead of one Filter with all DLP terms, for example:
    1. Credit Card Filter: looks for Credit Card Numbers & Terms
    2. Driver License Filter: looks for Driver’s License Numbers & Terms

Additional DLP Resources:
https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/Other_Features/Data_Loss_Prevention_(DLP)_FAQs
https://help.proofpoint.com/Proofpoint_Essentials/Email_Security/Administrator_Topics/Other_Features/Data_Loss_Prevention_(DLP)_-_What_are_Smart_Identifier's_and_How_to_Use_Them
https://help.proofpoint.com/Proofpoint_Essentials/How_to_Create_Custom_DLP_Filter_Policy_Rule
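
To make both practices concrete, here is an added Python example (written for this page, not Proofpoint's code; the filter definitions, the driver-license number format and the sample messages are all constructed). It models a Smart Identifier as a pattern plus a validator (the Luhn checksum for card numbers), a Dictionary as a list of terms, runs them as two separate small filters, and reports which filter and which terms fired so the source of a false positive is obvious. The `require_both` switch shows the difference between a filter that needs a Smart Identifier hit and a Dictionary hit together and one that fires on either.

```python
import re

# Constructed filter definitions (not Proofpoint's own): one small filter per
# data type, each pairing a Smart-Identifier-style pattern+validator with a
# short dictionary of terms, as the article recommends.


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from arbitrary 13-16 digit
    strings such as order or tracking numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


FILTERS = [
    {
        "name": "Credit Card Filter",
        # 13-16 digits, optionally separated by single spaces or dashes.
        "pattern": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
        "validate": lambda s: luhn_ok(re.sub(r"[ -]", "", s)),
        "terms": ["visa debit", "credit card", "card number", "cvv", "expiry"],
    },
    {
        "name": "Driver License Filter",
        # Constructed format for illustration only: one letter + 7 digits.
        "pattern": re.compile(r"\b[A-Z]\d{7}\b"),
        "validate": lambda s: True,
        "terms": ["driver's license", "drivers license", "licence number", "dl number"],
    },
]


def run_filter(text, flt, require_both=True):
    """Evaluate one DLP filter. Returns the smart-identifier values and the
    dictionary terms that matched, and whether the filter would flag the text."""
    lowered = text.lower()
    smart = [m.group(0) for m in flt["pattern"].finditer(text) if flt["validate"](m.group(0))]
    terms = [t for t in flt["terms"] if t in lowered]
    flagged = (bool(smart) and bool(terms)) if require_both else (bool(smart) or bool(terms))
    return {"name": flt["name"], "smart": smart, "terms": terms, "flagged": flagged}


def scan(text, require_both=True):
    """Run every filter and return only those that flag, so an admin can see
    *which* filter and which terms caused the message to be held."""
    return [r for r in (run_filter(text, f, require_both) for f in FILTERS) if r["flagged"]]


if __name__ == "__main__":
    # Constructed sample messages. 4111 1111 1111 1111 is a well-known test
    # card number that passes Luhn; the order reference below does not.
    samples = [
        "Please charge my Visa Debit card 4111 1111 1111 1111 today",
        "Order reference 1234567890123456 shipped this morning",
        "Our credit card policy document is attached",
        "Copy of my driver's license, number D1234567, as requested",
    ]
    for s in samples:
        print(f"both : {scan(s)}")
        print(f"either: {scan(s, require_both=False)}\n")
```

Run against the samples: the policy email that merely says “credit card” is held only in the either-or mode, and the 16-digit order reference never fires because it fails the Luhn check, which is the false-positive reduction the first practice is after. Because each filter is small, the result names the exact filter and term that held the message.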

Combining Filter Criteria for Authentication

Support will often advise being as explicit as possible when adding an entry to the safe sender list (for example, an IP address is preferred to *@domain.com). The same advice applies to filters: using a combination of criteria is much more secure than simply allowing all messages from a domain. For example, the following logic can be used if you know:

  1. The sender’s address
  2. The IP address of the sending server

  IF      Sender Address IS sender@domain.com
  AND     Email Headers CONTAIN(S) ALL OF 123.456.789.10
  DO      Allow
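
The Python below is an added example of evaluating that combined rule against message headers (written for this page; it is not Proofpoint's rule engine). The sample messages are constructed, and 192.0.2.10, an address from the IPv4 documentation range, stands in for the article's placeholder 123.456.789.10 (whose octets exceed 255, so it cannot be a real address). It assumes “Sender Address” means the address in the From header; adjust to Return-Path if your policy keys on the envelope sender. It also shows the caveat a practitioner should know about a plain CONTAINS comparison: as a substring, 192.0.2.10 is found inside 192.0.2.100, so the example matches the relay IP as a whole value taken from the Received chain instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for a genuine message as the gateway would see them.
GENUINE = """\
Return-Path: <sender@domain.com>
Received: from mail.domain.com (mail.domain.com [192.0.2.10])
\tby mx.example.test with ESMTPS id abc123; Mon, 1 Jan 2024 09:00:00 +0000
From: Sender <sender@domain.com>
To: accounts@example.test
Subject: Invoice

Body text.
"""

# Same From address, different relay: the combined rule must not allow it.
SPOOFED = GENUINE.replace("192.0.2.10", "198.51.100.7")

# Relay whose address merely *contains* the allowed one as a substring.
LOOKALIKE = GENUINE.replace("192.0.2.10", "192.0.2.100")

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"


def received_ips(msg):
    """All bracketed IPv4 literals in the Received chain, outermost first."""
    return [ip for h in msg.get_all("Received", [])
            for ip in re.findall(r"\[(" + IP_RE + r")\]", h)]


def relay_chain(raw):
    """Convenience wrapper: Received-chain IPs of a raw message string."""
    return received_ips(message_from_string(raw))


def evaluate(raw, sender, relay_ip, substring_match=False):
    """Apply: IF Sender Address IS sender AND Email Headers CONTAIN relay_ip
    DO Allow; anything else falls through to the default policy ('default')."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    sender_ok = from_addr.lower() == sender.lower()   # assumption: From address
    if substring_match:
        # What a plain CONTAINS does: '192.0.2.10' is inside '192.0.2.100'.
        headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
        ip_ok = relay_ip in headers
    else:
        # Whole-value match against the relay addresses actually recorded.
        ip_ok = relay_ip in received_ips(msg)
    return "allow" if sender_ok and ip_ok else "default"


if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)]:
        print(f"{label:<10} whole-value: {evaluate(raw, 'sender@domain.com', '192.0.2.10')}"
              f"  substring: {evaluate(raw, 'sender@domain.com', '192.0.2.10', True)}")
```

The spoofed message fails only the IP criterion and so never reaches Allow, which is exactly the extra protection the combined rule gives over a sender-only allow. The lookalike case is why the IP in a CONTAINS rule is best written so that it cannot be a prefix of another address on your network.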
Author: Carlos Rios