Situation | You want to create email filters to manage the flow of messages and information you allow to enter your company. |
---|---|
Solution | Expanded Detailed Overview of the Filter Creation Process, including all Conditions and Rules |
Why Custom Filters?
Filters let you override spam scanning where necessary, for example:
- Allow certain types of emails through based on particular header contents
- Block specific types of attachments
Please note that filters fall in a certain order throughout our scanning process. Please see this KB for the scan order: Mail Flow Scanning & Filters Order of Processing
Step 1: Start Creation
- Navigate to Security Settings > Email > Filter Policies.
- Select Inbound or Outbound.
- Click New Filter.
- Enter a name for your filter.
- You are given one more chance to choose Inbound or Outbound.
- Click Continue.
Step 2: Scope (Applies only if you are not an End-User)
- The scope is who this rule applies to. The available selections are:
- Entire organization
- Single user
- Groups
Step 3: Select IF Conditions
Delimiters
Please note that the fields are delimited by a comma (,) or semi-colon (;).
A white space is not a delimiter, and may be part of a string (sentence).
Sender Address | string input, list of keywords separated by comma (,) or semi-colon (;) |
---|---|
Recipient Address | string input, list of keywords separated by comma (,) or semi-colon (;) |
Email Size (KB) | The size of the email, including attachments, specified as an exact whole number. |
Client IP Country | Country list; input a country (This is an auto-fill, so start typing the country name.) |
Email Subject | string input, list of keywords separated by comma (,) or semi-colon (;) |
Email Headers | string input, list of keywords separated by comma (,) or semi-colon (;) |
Email Message Content | string input, list of keywords separated by comma (,) or semi-colon (;) |
Raw Email (Up to 10000 Lines) | string input, list of keywords separated by comma (,) or semi-colon (;) |
Attachment Type | choose from pre-defined types (see the list of files) |
Attachment Name | create a rule based upon a file name/type that is not part of the pre-defined types. |
Smart Identifier Scan | See this article for more information about this Data Loss Prevention (DLP) product. |
Dictionary Scan | See this article for more information about the Dictionary Scan DLP product |
Step 4: Rule Narrative
- See below for the full list of narratives to choose from.
Step 5: Add another Condition (for IF)
- Repeat steps 3 and 4 to add more than one condition.
It is best to limit the number of conditions. A filter with too many conditions is hard to troubleshoot.
Step 6: Select Do Condition
Quarantine | put in the quarantine (see below for exception) |
---|---|
Allow | does not scan message; will pass to next filter or go onto next scan service. |
Nothing | scan message as normal; preferred method if wanting to add additional actions. |
Encrypt | only available on Outbound mail flow and if licensed at the company level. |
Step 7: Add Another Condition (For DO)
This set of actions is different, and it is best to limit the number of actions.
Alert Tech Contact | an email alert would be relayed to the Tech contact address. |
---|---|
Alert Specified Users | Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols. Email must be on the customer domain. |
Hide log | Will hide the email from logs/digest from ALL users (except for Proofpoint Support) |
Hide log from Non-admin Users | Will hide the email from logs/digest from all end-users |
Stop processing additional filters | Will stop processing any additional filters below this filter |
Require admin privileges to release | Requires an administrator to release the email |
Enforce completely secure SMTP delivery | Requires a certificate for TLS delivery (Certificate cannot be self-signed or contain errors, and must match the domain exactly on the certificate, excluding a wild card certificate) |
Enforce only TLS on SMTP delivery | Does not require a certificate |
Override Previous Destination - If selected, this option will ignore the destination that another filter may have applied to this message. This override means we can stop another rule's DO action from performing.
Rule Narrative
Upon selecting a condition, the rule narrative will populate based upon the condition.
RULE
- Sender Address – Choose the condition you want to match the sender address to, then enter the string of characters.
- IS
- IS NOT
- Recipient Address – Choose the condition you want the recipient address to match against, then enter the string of characters.
- IS
- IS NOT
- Email Size (KB) – The size of the message is either greater or less than a specified whole number.
- IS GREATER THAN
- IS LESSER THAN
- Client IP Country – The condition compares against the country entered.
- IS
- IS NOT
- Email Subject – Choose the condition you want the subject to match against, then enter the string. (This is an EXACT match only.)
- IS
- IS NOT
- Email Headers – Choose the condition you want the header to compare with, then enter the string.
- CONTAIN(S) ALL OF
- CONTAIN(S) ANY OF
- CONTAIN(S) NONE OF
- Email Message Content – Choose the condition you want the message body to compare with, then enter the string.
- CONTAIN(S) ALL OF
- CONTAIN(S) ANY OF
- CONTAIN(S) NONE OF
- Raw Email (Up To 10000 Lines) – Choose the condition you want the message body to compare with, then enter the string.
- CONTAIN(S) ALL OF
- CONTAIN(S) ANY OF
- CONTAIN(S) NONE OF
- Attachment Type – Choose what attachment condition you want
- IS
- IS NOT
- Manage (Attachment types)
- Windows executable components, installers and other vulnerabilities
- MS executable – *.exe
- MS binary libraries – *.dll
- MS executable scripts – *.bat
- Visual Basic files – *.vb
- Other vulnerable MS files – *.ms_vul
- MS/Installshield Cabinet files - *.cab
- Other executable components and installers
- Other executables - *.unix_exe
- UNIX-like libraries - *.unix_dll
- Java binaries - *.java
- OS X DMG files - *.dmg
- OS X install scripts - *.mpkg
- Debian/RedHat packages - *.debrpm
- Office documents and archives
- MS Office, pre-2007 - *.ms_of
- XML, Zip, and newer Office documents - *.zipxml
- MS Access - *.ms_ac
- Other *Office files - *.doc_other
- Rich Text Format files - *.rtf
- Tape archives - *.ar_tape
- Compressed files - *.ar_file
- Other compressed archives - *.ar_other
- PDF files - *.pdf
- PostScript - *.ps
- TeX DVI files - *.dvi
- LaTeX documents - *.lat
- Audio/Visual
- Macromedia Flash data - *.flash
- Images - *.images
- Vector graphics - *.vgfx
- Windows Metafiles - *.wmf
- Cursors and icons - *.ani
- Multimedia/video containers - *.mmedia
- MPEG audio/video - *.mpeg
- RealNetworks audio/video - *.real
- Windows Media audio - *.wma
- FLAC audio - *.flac
- AIFF audio - *.aiff
- WAVE audio - *.wav
- MIDI audio - *.midi
- Any ‘audio/’ MIME type - *m_au
- Any ‘image/’ MIME type - *.m_im
- Any ‘video/’ MIME type - *.m_vi
- Other
- PGP encrypted data - *.pgp
- Undecipherable attachments - *.undeciph
- Attachment Name – Choose the condition, then enter the string you want to match.
- IS
- IS NOT
- Smart Identifier Scan - See linked KB for this DLP product
- Dictionary Scan - See linked KB for this DLP product
Rule choices defined:
- IS - Single case condition, and filter will only act if this condition is met.
- IS NOT - Single case condition, and filter will only act if this condition is met.
- IS ANY OF - Multiple case condition; filter will act when any condition listed is met
- IS NONE OF - Multiple case condition; filter will act if one of the conditions listed is met.
- CONTAIN(S) ALL OF - All conditions must be met for this filter to work.
- CONTAIN(S) ANY OF - One of the conditions must be met for this filter to work.
- CONTAIN(S) NONE OF - This filter will work if any of the conditions are met.
- IS GREATER THAN - Whole number value is exceeded.
- IS LESSER THAN - Whole number value must not be exceeded.
Special Notes
- All text fields have a limit of 5000 characters.
- TLS delivery - See this KB: How TLS Delivery Occurs
- PNG - some PNG file formats are not considered image formats, but rather a compressed file format, per the definition: file format that supports lossless data compression. So if a PNG file is blocked not as an image, it may be due to being a compressed file.
- XML, ZIP, and newer Office docs - from hover over: Zip archives and XML/SGML documents - including OOXML (MS Office 2007+) and ODF (OpenOffice). These are bundled, because OOXML and ODF documents are zipped archives containing XML files and splitting the category is therefore not really possible.
- "CONTAIN" - indicates that the rule can match a string of characters. If a selection does not have "contain", it will do an exact match.
- For a more detailed list of extensions please view Essentials Filters: File extensions
- To create a filter to block on a specific extension, look at: How to create a filter to block specific extensions
The exceptions to quarantining a message
- Spam stamp & forward is enabled
- The Override Previous Destination option is set on a later rule
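
The delimiter rule from Step 3 and the "CONTAIN" versus exact-match note can be checked locally before a keyword list is pasted into a filter. The following is an added example, not Proofpoint code; the function names are hypothetical, and it assumes terms are used verbatim (no trimming) and compared case-insensitively, neither of which this article states.

```python
import re

MAX_FIELD_CHARS = 5000  # page: "All text fields have a limit of 5000 characters."

def split_terms(field):
    """Split on ',' or ';' only; whitespace is not a delimiter and stays in the term."""
    return [t for t in re.split(r"[,;]", field) if t]

def lint_field(field):
    """Warn about input likely to behave differently from what was intended."""
    warnings = []
    if len(field) > MAX_FIELD_CHARS:
        warnings.append(f"{len(field)} characters exceeds the {MAX_FIELD_CHARS} limit")
    for term in split_terms(field):
        if not term.strip():
            warnings.append(f"term {term!r} is whitespace only")
        elif term != term.strip():
            warnings.append(f"term {term!r} keeps its surrounding whitespace")
    return warnings

def evaluate(rule, field, value):
    """Local model of three rule choices. Assumptions (not stated on the page):
    terms are used verbatim, and comparison is case-insensitive."""
    terms = [t.casefold() for t in split_terms(field)]
    value = value.casefold()
    if rule == "IS":                 # no "contain" in the name: exact match
        return value in terms
    if rule == "CONTAIN(S) ANY OF":  # substring match, one term is enough
        return any(t in value for t in terms)
    if rule == "CONTAIN(S) ALL OF":  # substring match, every term required
        return bool(terms) and all(t in value for t in terms)
    raise ValueError(f"rule not modelled here: {rule}")

# Constructed sample message, not taken from real mail.
SUBJECT = "Urgent: overdue invoice 4411"
BODY = "Please arrange the wire transfer today."

if __name__ == "__main__":
    for field in ("wire transfer, urgent", "wire transfer,urgent"):
        print(repr(field), lint_field(field),
              evaluate("CONTAIN(S) ALL OF", field, SUBJECT + "\n" + BODY))
    print(evaluate("IS", "invoice", SUBJECT))  # exact match only
```

Under these assumptions, a space typed after a comma becomes part of the next term, so the two fields in the loop give different results on the same message.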