Essentials Filters: Expanded overview

Admin Guide Statement:

You can approve or block specific senders and recipients, based on the email address, domain, subdomain, attachment type, email size, words in the email or header, source country or destination country. The Anti-Spam service detects spam by applying hundreds of rules to each message that passes through. It blocks obvious spam outright, and diverts what is possibly spam to the Quarantine. If you discover that some quarantined messages are actually good mail that just looks like spam, add the senders of those messages to an appropriate approved-senders list. If a number of quarantined senders are from the same domain, such as the same company, add the domain to an appropriate approved-senders list. Messages from those senders are then delivered to users in your organisation, regardless of the spam-like content. To avoid the risk of increasing spam traffic, approve only specific senders whose messages might look like spam, rather than approving all of your known senders. Also, avoid approving too many domains, as that can increase the risk of spoofing.

The Sender List tab was introduced in the May 2015 release. It replaces the filtering for blocked and approved senders. Filters have also been split so that it is apparent whether a rule is designated for inbound or outbound email. In addition, we have taken into account the hierarchical order of operations that determines how filters fire between end-user, group, or organization.

There are 3 steps to creating an Email Filter, where the last step is an optional section:

Step 1: Start creation

  • Click new filter, name it, and choose if it is an inbound or outbound filter.

Step 2: Scope (applies only if you are not an end-user)

  • The scope is who this rule applies to. The available selections are:
    • Entire organization
    • Single user
    • Groups

Step 3: Select IF Conditions.

  • Sender Address – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Recipient Address – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Email Size (KB) – A specified size of an email including the attachment to an exact whole number.
  • Client IP Country – Country list; input a country
  • Email Subject – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Email Headers – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Email Message Content – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Raw Email (Up To 10000 Lines) – string input, list of keywords separated by comma (,) or semi-colon (;)
  • Attachment Type – choose from pre-defined types (see the list of files)
  • Attachment Name – create a rule based upon a file name/type that is not part of the pre-defined type.
  • Smart Identifier Scan - See linked KB for this DLP product
  • Dictionary Scan - See linked KB for this DLP product

Step 4: Rule Narrative

  • See below for the full list of narratives to choose from.

Step 5: Add another Condition (for IF)

  • Repeat steps 3 and 4 to add more than one condition.

Step 6: Select Do Condition

  • Quarantine – put in the quarantine (see below for exception)
  • Allow – does not scan message
  • Nothing – scan message as normal; additional actions can be added below
  • Override Previous Destination - If selected, this option will ignore the destination that another filter may have applied to this message.

Step 7: Add another Condition (for DO)

  • Alert Tech contact - an email alert is relayed to the Tech contact address
  • Alert Specified Users - Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols
  • Hide log – Will hide the email from logs/digest from ALL users (except for Proofpoint Support)
  • Hide log from Non-admin Users - Will hide the email from logs/digest from all end-users
  • Stop processing additional filters - Will stop processing any additional filters
  • Require admin privileges to release - Requires an administrator to release the email
  • Enforce completely secure SMTP delivery – Requires a certificate for TLS delivery (the certificate cannot be self-signed or contain errors, and must match the domain exactly on the certificate, excluding a wildcard certificate)
  • Enforce only TLS on SMTP delivery – Does not require a certificate

Override Previous Destination - If selected, this option will ignore the destination that another filter may have applied to this message. This override means we can stop another rule's DO action from performing.

 

Rule Narrative

Upon selecting a condition, the rule narrative will populate based upon the condition.

RULE

  • Sender Address – Choose the condition you want to match the sender address to, then enter the string of characters.
    • IS
    • IS NOT
  • Recipient Address – Choose the condition you want to match the recipient address against, then enter the string of characters.
    • IS
    • IS NOT
  • Email Size (KB) – The size of the message is either greater or less than a specified whole number.
    • IS GREATER THAN
    • IS LESSER THAN
  • Client IP Country – The condition compares against the country entered.
    • IS
    • IS NOT
  • Email Subject – Choose the condition you want the subject to match against, then enter the string. (This is an EXACT match only.)
    • IS
    • IS NOT
  • Email Headers – Choose the condition you want the header to compare with, then enter the string.
    • CONTAIN(S) ALL OF
    • CONTAIN(S) ANY OF
    • CONTAIN(S) NONE OF
  • Email Message Content – Choose the condition you want the message body to compare with, then enter the string.
    • CONTAIN(S) ALL OF
    • CONTAIN(S) ANY OF
    • CONTAIN(S) NONE OF
  • Raw Email (Up To 10000 Lines) – Choose the condition you want the message body to compare with, then enter the string.
    • CONTAIN(S) ALL OF
    • CONTAIN(S) ANY OF
    • CONTAIN(S) NONE OF
  • Attachment Type – Choose what attachment condition you want
    • IS
    • IS NOT
    • Manage (Attachment types)
      • Windows executable components, installers and other vulnerabilities
        • MS executable – *.exe
        • MS binary libraries – *.dll
        • MS executable scripts – *.bat
        • Visual Basic files – *.vb
        • Other vulnerable MS files – *.ms_vul
        • MS/Installshield Cabinet files - *.cab
      • Other executable components and installers
        • Other executables - *.unix_exe
        • UNIX-like libraries - *.unix_dll
        • Java binaries - *.java
        • OS X DMG files - *.dmg
        • OS X install scripts - *.mpkg
        • Debian/RedHat packages - *.debrpm
      • Office documents and archives
        • MS Office, pre-2007 - *.ms_of
        • XML, Zip, and newer Office documents - *.zipxml
        • MS Access - *.ms_ac
        • Other *Office files - *.doc_other
        • Rich Text Format files - *.rtf
        • Tape archives - *.ar_tape
        • Compressed files - *.ar_file
        • Other compressed archives - *.ar_other
        • PDF files - *.pdf
        • PostScript - *.ps
        • TeX DVI files - *.dvi
        • LaTeX documents - *.lat
      • Audio/Visual
        • Macromedia Flash data - *.flash
        • Images - *.images
        • Vector graphics - *.vgfx
        • Windows Metafiles - *.wmf
        • Cursors and icons - *.ani
        • Multimedia/video containers - *.mmedia
        • MPEG audio/video - *.mpeg
        • RealNetworks audio/video - *.real
        • Windows Media audio - *.wma
        • FLAC audio - *.flac
        • AIFF audio - *.aiff
        • WAVE audio - *.wav
        • MIDI audio - *.midi
        • Any ‘audio/’ MIME type - *.m_au
        • Any ‘image/’ MIME type - *.m_im
        • Any ‘video/’ MIME type - *.m_vi
      • Other
        • PGP encrypted data - *.pgp
        • Undecipherable attachments - *.undeciph
  • Attachment Name – Choose the condition, then enter the string you want to match against.
    • IS
    • IS NOT
  • Smart Identifier Scan - See linked KB for this DLP product
  • Dictionary Scan - See linked KB for this DLP product

Rule choices defined:

  • IS - Single case condition, and filter will only act if this condition is met.
  • IS NOT - Single case condition, and filter will only act if this condition is met.
  • IS ANY OF - Multiple case condition; filter will act when any condition listed is met
  • IS NONE OF - Multiple case condition; filter will act if one of the conditions listed is met.
  • CONTAIN(S) ALL OF - All conditions must be met for this filter to work.
  • CONTAIN(S) ANY OF - One of the conditions must be met for this filter to work.
  • CONTAIN(S) NONE OF - This filter will work if any of the conditions are met.
  • IS GREATER THAN - Whole number value is exceeded.
  • IS LESSER THAN - Whole number value must not be exceeded.

 

 

Special Notes

  • In May 2015, multi-condition rules were added.
    • For the IF portion, both conditions must be met for the rule to continue, i.e., per the AND.
    • For the DO portion, once the IF condition is met, we will perform both actions per the AND.
  • All text fields have a limit of 5000 characters.
  • PNG - some PNG file formats are not considered image formats, but rather a compressed file format, per the definition: file format that supports lossless data compression. So if a PNG file is blocked not as an image, it may be due to being a compressed file.
  • XML, ZIP, and newer Office docs - from hover over: Zip archives and XML/SGML documents - including OOXML (MS Office 2007+) AND odf (OpenOffice). These are bundled, because OOXML and ODF documents are zipped archives containing XML files and splitting the category is therefore not really possible.
  • "CONTAIN" - indicates that the condition can match a string of characters. If a selection does not have "contain", then it will do an exact match.
  • For a more detailed list of extensions please view Essentials Filters: File extensions
  • To create a filter on a specific extension, look at: How to create a filter for specific extensions
  • The exceptions to quarantining a message
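
A simplified model of the rule choices and the multi-condition AND described above, for checking a draft rule against a sample message before saving it. This is an added example, not the product's own code: the field names, the case-insensitive comparison, the size calculation and the `rule_fires` helper are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample message for the demonstration.
SAMPLE = """\
From: billing@vendor.example
To: ap@corp.example
Subject: Invoice 4471 overdue
X-Mailer: BulkSender 2.1

Please pay the attached invoice today.
"""

def keywords(text):
    """Split a filter text field on ',' or ';' as the IF-condition fields describe."""
    return [k.strip().lower() for k in re.split(r"[,;]", text) if k.strip()]

def field_value(msg, field):
    if field == "size_kb":                      # assumption: whole message, rounded down
        return len(msg.as_bytes()) // 1024
    if field == "body":
        return msg.get_payload().lower()
    if field == "headers":
        return "\n".join(f"{k}: {v}" for k, v in msg.items()).lower()
    return (msg.get(field) or "").lower()       # "from", "to" or "subject"

def condition_met(msg, field, op, operand):
    value = field_value(msg, field)
    if op == "IS":                              # no CONTAIN in the name: exact match
        return value == operand.strip().lower()
    if op == "IS NOT":
        return value != operand.strip().lower()
    if op == "IS GREATER THAN":
        return value > int(operand)
    if op == "IS LESSER THAN":
        return value < int(operand)
    hits = [k in value for k in keywords(operand)]   # CONTAIN: substring match
    if op == "CONTAIN(S) ALL OF":
        return all(hits)
    if op == "CONTAIN(S) ANY OF":
        return any(hits)
    raise ValueError(f"operator not modelled: {op}")

def rule_fires(raw, conditions):
    """Multi-condition rules are ANDed: every IF condition must be met."""
    msg = message_from_string(raw)
    return all(condition_met(msg, *c) for c in conditions)
```

Calling `rule_fires(SAMPLE, [("subject", "IS", "invoice")])` returns `False` because the subject match is exact, while the same keyword under `CONTAIN(S) ANY OF` on the body matches.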