
SecurityGateway for Email Servers v10.5


Data Leak Prevention


Based on the Message Content Filtering system, Data Leak Prevention can be used to create filtering rules to look for messages containing specific kinds of sensitive information, and then prevent those messages from being delivered. There are many global rules included for you, to search for data such as: credit card numbers, bank account info, passport numbers, and the like. When you enable one of these rules, by default it will only apply to outbound messages, and it will send a message to the Administrative Quarantine when it matches the rule. The included rules can be managed and modified like any other rules.

Use this page to manage your Data Leak Prevention Rules. From here you can create, edit, and delete your rules, and you can quickly enable or disable any rule by clicking a single checkbox in its entry. Just like Message Content Filtering rules, Data Leak Prevention rules can be used to designate certain criteria by which SecurityGateway will test each message it processes. Then, when a message matches a rule, a number of actions can be taken. You can create rules to check for the existence of specific headers, check for certain senders or recipients, search for specific text in a header or the message body, test against the size of the message, and many other things. When a message matches a rule's test, the rule can cause the messages to be refused, deleted, quarantined, copied or redirected to a different address, and more.

The Data Leak Prevention rules list has three columns: Enabled, Description, and Preview. The Enabled column contains a checkbox for each entry, which can be used to quickly enable/disable the rule. The Description column contains the Rule Name, which you designate when creating a rule. The Preview column contains an icon for each rule, which will display a tooltip about the rule when you hover your pointer over it. The tooltip contains the actual Sieve Script that was generated for the rule when it was created with the Data Leak Prevention Rule Editor.

The toolbar at the top of the page contains the following four options:

New

Click New to open the Data Leak Prevention Rule Editor, used for creating a new rule.

Edit

Select a rule and then click Edit on the toolbar to open it in the Data Leak Prevention Rule Editor. Alternatively, you can simply double-click a rule to open it.

Delete

To delete one or more rules, select the entries from the list and then click Delete. A box will open asking you to confirm the decision to delete them. You can select multiple entries by using the Ctrl and Shift keys.

For Domain:

Use the For Domain: drop-down list box to choose which rules to display in the list. You can display Global rules, which apply to all domains, or you can display rules for specific domains.

Data Leak Prevention Rule Editor

The Data Leak Prevention Rule Editor is used to create new rules or edit existing ones. To create a new rule, click New on the Data Leak Prevention Rules toolbar and then step through the options on the editor from top to bottom, one option at a time. When you are finished, click Save and Close to create the new rule.

This rule is enabled

This box must be checked to create a new rule. For existing rules, you can uncheck the box to disable the rule. Disabled rules will not be used by SecurityGateway when testing messages. This option corresponds to the Enabled column in the Data Leak Prevention Rules list.

For domain:

Use this option to choose the domain to which this rule will apply. If "--Global--" is selected, all messages to or from all of your SecurityGateway domains will be tested against the rule. If a specific domain is selected then only messages to or from that specific domain will be tested against it.

Rule name:

Enter a descriptive name for your rule here. This option corresponds to the Description column in the Data Leak Prevention Rules list.

Apply this rule if:

All conditions are met (AND)

Choose this option if you want a message to match a rule ONLY when it meets ALL of the test conditions you supply below. This is performing a logical "AND" on the test conditions. In other words, "if condition A is true AND condition B is true, then perform the specified action."

Any conditions are met (OR)

Choose this option if you want a message to match a rule when it meets ANY of the test conditions you supply below. This is performing a logical "OR" on the test conditions. In other words, "if condition A is true OR condition B is true, then perform the specified action."

Conditions:

This box will display all of the test conditions that you have supplied for a rule, followed by the action that will be taken if a message matches the rule. You can edit any condition by clicking that condition in the box. You can remove any condition by clicking "(Remove)" next to the condition. Use the "Click here to add a condition for this rule" link below the box to add a new condition.

Click here to add a condition for this rule

Click the "Click here to add a condition for this rule" link below the Conditions box to add a condition. After adding a condition, you can add additional conditions by clicking that link again. For information on the different types of conditions you can add, see Rule Conditions below.

Action:

Choose the action from this list that you wish to be performed when a message matches the rule's conditions. If additional data is required for a selected action, a corresponding control will appear below the action for you to enter that data. For information on the different types of actions that can be performed, see Actions below. After you have set all of the conditions for your rule and selected an action, click Save and Close to close the editor and add the new rule to the list.

Rule Conditions

When you wish to add a test condition to a rule, you will use the "Click here to add a condition for this rule" link to open the Rule Conditions screen. When using this screen to create a test condition, you must first specify the message attribute, or item, that you wish to test or compare. Then, you must specify how to test or compare that item: does the item contain certain text, is it exactly equal to certain text, does a certain header exist, and so on. There are several items that can be tested and numerous ways to test them. After selecting an item and test method and entering any required information, click Save and Close to add the test condition to your rule.

Item to compare:

These are the items you can test in a message.

MAIL (From)—This test uses the value passed in the SMTP "MAIL From" command. This is who the message is from, but it will not necessarily be the same information that is contained in the message's From header. Sometimes the From header will contain additional or different information. In addition to the nine common ways to test or compare items (see below), this item can also be compared using the "Is local user" and "Is not local user" tests.

RCPT (To)—This test uses the value passed in the SMTP "RCPT To" command. This is who the message is to, but it will not necessarily be the same information that is contained in the message's To header. Sometimes the To header will contain additional or different information. In addition to the nine common ways to test or compare items (see below), this item can also be compared using the "Is local user" and "Is not local user" tests.

MAIL and RCPT—Choose this item to use both the SMTP "MAIL From" and SMTP "RCPT To" commands to determine whether a message is or is not an inbound, outbound, or an internal message (see "Additional test methods" below).

IP—Select this item to test against the IP address of the sending server or client.

Header—Select this item if you wish to specify a header to compare. When selected, a Name of header option will appear for you to specify which header to use for this test condition. In addition to the nine common ways to test items, this item can also be compared using the "Header exists" and "Header does not exist" tests. NOTE: when specifying the Name of header, do not use a colon in the header name. For example, use "From" as the Name of header, not "From:", if you wish to compare against the From header.

Subject—This is the message's Subject header. Select this item if you wish to test against the subject of the message.

Body—Choose Body if you wish to use the message body as the test item to compare.

Body or Subject—Choose this item if you wish to create a rule that will be true if either the message Body or Subject matches the rule's criteria. This item is provided to simplify rule creation, because it is effectively the same as creating a rule with two separate "OR" statements, one to search the Body and the other to search the Subject for the same text.

How to compare:

This list contains the methods that can be used to test or compare the item selected in the Item to compare option above. There are numerous ways to test that are common to all but one of the items. The MAIL and RCPT item has a unique set of comparators, and Mail(From), RCPT(To), and Header have additional ways to test.

Common test methods:

Each of these test methods compares the item selected in Item to compare above to the Search value that you will specify below the How to compare method selected. All of these types of comparison are available for all of the Item to compare options above, except for MAIL and RCPT. It has a unique set of comparators.

Contains—When this method is selected, the comparison will match or be "True" if the Search value is a substring or part of the Item to compare designated above. For example, if you select MAIL (From) as the item to compare, then choose Contains as the method of comparison, with "example.com" as the Search value, then any message from an address containing "example.com" will match the condition.

Does not contain—This comparison will match or be "True" if the Search value is NOT a substring or part of the Item to compare designated above. For example, if you select MAIL(From) as the item to compare, then choose Does not contain as the method of comparison, with "@example.com" as the Search value, then every message EXCEPT those from an address at "example.com" will match the condition.

Contains the word—This comparator is similar to "Contains" but will only match if there is a word boundary anchor preceding and following the string. This avoids the need to manually create a regular expression in the format of: \b(word1|word2|word3)\b. For example, a rule searching for a message body that Contains the word "cat" would only match if the message contained the whole word "cat". It would not match simply because the body happened to contain the word catfish or certificate.

Does not contain the word—This comparator is similar to "Does not contain" but will only match if there is no occurrence of the string with a word boundary anchor preceding and following it. For example, a rule searching for a message body that Does not contain the word "cat" would match any message that did not contain the whole word "cat", even if it did contain the words catfish or certificate.

Is equal to—This method is similar to Contains above, except that the Search value must match the value of the Item to compare exactly, rather than simply be a part of that value. For example, if you select IP as the item to compare, then choose Is equal to as the method of comparison, with "192.168.0.1" as the Search value, then ONLY messages coming from that exact IP address will match the condition.

Is not equal to—This type of comparison is the opposite of the previous method. If the value of the Item to compare is NOT exactly the same as the Search value, then the comparison will be true. For example, if you select IP as the item to compare, then choose Is not equal to as the method of comparison, with "192.168.0.1" as the Search value, then every message EXCEPT those coming from that exact IP address will match the condition.

Starts with—Use this type of comparison if you wish to consider a condition to be true when the Search value matches the beginning of the value of the Item to compare designated above. For example, if you select Subject as the item to compare and "[allstaff]" as the Search value, then all messages with a Subject line beginning with "[allstaff]" will match the condition.

Does not start with—This is the opposite of the previous comparison type. Use this option if you wish to consider a condition to be true when the Search value DOES NOT match the beginning of the value of the Item to compare designated above. For example, if you select Subject as the item to compare and "[allstaff]" as the Search value, then all messages EXCEPT those with a Subject line beginning with "[allstaff]" will match the condition.

Ends with—This comparison means the condition will match whenever the value of the Item to compare ends with the Search value. For example, if you select RCPT (To) as the item to compare and Ends with as the comparison method, with ".cn" as the Search value, then ALL messages to anyone with an address ending with ".cn" will match the condition.

Does not end with—This comparison means the condition will match whenever the value of the Item to compare DOES NOT end with the Search value. For example, if you select RCPT (To) as the item to compare and Does not end with as the comparison method, with ".cn" as the Search value, then all messages EXCEPT those to addresses ending with ".cn" will match the condition.

Matches regular expression—Choose this option if you wish to use a Regular Expression when comparing the item selected in the Item to compare option above.

Additional test methods:

Is local user—This comparison method is only available for the MAIL (From) and RCPT (To) options above. Choose this option when you want the condition to match or be "True" when the address is a local SecurityGateway user. For example, if you select MAIL (From) as the Item to compare, then only messages from local users will match the condition.

Is not local user—This comparison method is only available for the MAIL (From) and RCPT (To) options above. Choose this option when you want the condition to match or be "True" when the address is NOT a local SecurityGateway user. For example, if you select MAIL (From) as the Item to compare, then all messages from remote users will match the condition; messages from local users will NOT match.

Header exists—This option is only available when you have selected Header as the Item to compare. When you select this option and specify the Name of header in the option provided, the condition will match only if the specified header exists in the message. For example, if you specify "X-My-Custom-Header" as the Name of header, then all messages with that header will match the condition. Any message without that header will not match.

Header does not exist—This option is only available when you have selected Header as the Item to compare. When you select this option and specify the Name of header in the option provided, the condition will match only if the specified header DOES NOT exist in the message. For example, if you specify "X-My-Custom-Header" as the Name of header, then all messages WITHOUT that header will match the condition. Any message with that header will not match.

Message is/is not [Inbound|Outbound|Internal]—These comparators are only available for the MAIL and RCPT item. Both the SMTP "MAIL From" and SMTP "RCPT To" values are used to determine whether a message is or is not an inbound, outbound, or an internal message.

Inbound—Message is to a local user and is not from a local user of the same domain.

Outbound—Message is from a local user and is not to a local user of the same domain.

Internal—Message is to and from a local user of the same domain.
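As an added example, not SecurityGateway's own code, here is a small Python evaluator for the Rule Conditions described above: it resolves each Item to compare, applies the common and additional test methods (including the \b(word)\b form behind "Contains the word" and the Inbound/Outbound/Internal test built from both envelope addresses) and combines conditions with AND or OR. It assumes one local domain, example.com, and case-insensitive comparisons; the message and the rule are constructed.

```python
import re
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.com"}  # assumption: the domains this gateway hosts

@dataclass
class Message:  # constructed view of one message: envelope, client IP, headers, body
    mail_from: str
    rcpt_to: str
    ip: str
    headers: dict
    body: str

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def is_local_user(address):
    """'Is local user': the address belongs to a domain the gateway hosts."""
    return domain_of(address) in LOCAL_DOMAINS

def direction_flags(msg):
    """Inbound/Outbound/Internal exactly as defined above, from both envelope addresses."""
    from_local, to_local = is_local_user(msg.mail_from), is_local_user(msg.rcpt_to)
    same = domain_of(msg.mail_from) == domain_of(msg.rcpt_to)
    return {"Inbound": to_local and not (from_local and same),
            "Outbound": from_local and not (to_local and same),
            "Internal": from_local and to_local and same}

def item_value(msg, item, header_name=None):
    """Resolve 'Item to compare'; header names carry no colon; a missing header gives None."""
    return {"MAIL (From)": msg.mail_from, "RCPT (To)": msg.rcpt_to, "IP": msg.ip,
            "Subject": msg.headers.get("Subject", ""), "Body": msg.body,
            "Header": msg.headers.get(header_name)}[item]

def word_pattern(word):
    # 'Contains the word' builds the \b(word)\b form described above ("cat" will not match "catfish").
    return re.compile(r"\b(" + re.escape(word) + r")\b", re.IGNORECASE)

TESTS = {  # v = item value, s = search value; case-insensitive matching is assumed
    "Contains": lambda v, s: s.lower() in v.lower(),
    "Does not contain": lambda v, s: s.lower() not in v.lower(),
    "Contains the word": lambda v, s: word_pattern(s).search(v) is not None,
    "Does not contain the word": lambda v, s: word_pattern(s).search(v) is None,
    "Is equal to": lambda v, s: v.lower() == s.lower(),
    "Is not equal to": lambda v, s: v.lower() != s.lower(),
    "Starts with": lambda v, s: v.lower().startswith(s.lower()),
    "Does not start with": lambda v, s: not v.lower().startswith(s.lower()),
    "Ends with": lambda v, s: v.lower().endswith(s.lower()),
    "Does not end with": lambda v, s: not v.lower().endswith(s.lower()),
    "Matches regular expression": lambda v, s: re.search(s, v) is not None,
    "Is local user": lambda v, s: is_local_user(v),
    "Is not local user": lambda v, s: not is_local_user(v),
}

def evaluate_condition(msg, cond):
    item, method = cond["item"], cond["method"]
    if item == "MAIL and RCPT":                    # "Message is [not] <direction>"
        return direction_flags(msg)[method.split()[-1]] != method.startswith("Message is not ")
    if item == "Body or Subject":                  # shorthand for two OR'd conditions
        return any(evaluate_condition(msg, dict(cond, item=i)) for i in ("Body", "Subject"))
    value = item_value(msg, item, cond.get("header"))
    if method in ("Header exists", "Header does not exist"):
        return (value is not None) == (method == "Header exists")
    return TESTS[method](value or "", cond.get("value", ""))  # absent header compares as ""

def evaluate_rule(msg, rule):
    """'All conditions are met (AND)' versus 'Any conditions are met (OR)'."""
    combine = all if rule["mode"] == "AND" else any
    return combine(evaluate_condition(msg, c) for c in rule["conditions"])

# Constructed rule: outbound mail with the whole word "confidential" in body or subject, not to the partner domain.
DEMO_RULE = {"mode": "AND", "conditions": [
    {"item": "MAIL and RCPT", "method": "Message is Outbound"},
    {"item": "Body or Subject", "method": "Contains the word", "value": "confidential"},
    {"item": "RCPT (To)", "method": "Does not end with", "value": "@partner.example"},
]}
DEMO_MSG = Message("alice@example.com", "bob@mail.example.net", "203.0.113.5",
                   {"Subject": "Q3 numbers"}, "Attached is the CONFIDENTIAL forecast.")
```

Calling evaluate_rule(DEMO_MSG, DEMO_RULE) returns True; the same rule is False for a message whose MAIL From is not a local user, because the AND form requires every condition to hold.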

Actions

After setting all of the conditions for your rule, use the Action option on the Rule Editor to choose the action that will be taken when a message matches the rule's conditions. There are seven actions to choose from:

Reject—Choose this action if you wish to reject a message that matches the conditions of the rule. When this option is selected, an SMTP Response option will appear below the action so that you can specify a text response to send when the message is rejected. For example, if you used, "We don't want your spam!" in the SMTP Response option, SecurityGateway will send, "550 We don't want your spam!" during the SMTP process when it rejects a message that matches the rule.

Discard—This action causes a message to be discarded when it matches the rule's conditions. Unlike the Reject action, this option does not send an SMTP response, nor does it send a delivery failure message; the message is simply deleted.

Quarantine—When this action is selected, messages matching the rule's conditions will be placed into the recipient's Quarantine when the recipient is a local user. If the recipient is a remote user, the message will be placed into the Administrative Quarantine instead.

Administrative Quarantine—Choose this action if you wish to send a message to the Administrative Quarantine when it matches the rule's conditions.

Redirect—Using this action redirects the message to a different address when it matches the rule's conditions. A To option is provided below the Action so that you can specify the email address to which to redirect the message. Redirected messages will NOT be delivered to the original recipient; they are rerouted to the address specified in the action.

Copy—Use this option if you wish to copy a message to an additional email address. A To option is provided below the Action so that you can specify the additional email address to which to send the message. This is similar to Redirect except that both the original recipient and the address specified in the Action will receive a copy of the message. If you wish to copy a message to multiple addresses, make an additional rule for each address.

Send Note (Alert)—Use this action to send a note or alert email message to someone when a message matches the rule's conditions. When this action is selected, options are provided for you to specify the note's To, From, Subject, and Message Text (the body of the message). There are a number of macros that you can use in the note to include certain information dynamically. When SecurityGateway encounters a macro in the note's text, it will replace that macro with its corresponding value. You can use the following macros:

$SENDER$—This is replaced by the SMTP MAIL From address that was used for the message that matched the rule. For example, "sender@example.net".

$SENDERMAILBOX$—This macro is replaced by only the mailbox portion of the email address that was passed in the SMTP MAIL From command. For example, "sender" from the "sender@example.net" address.

$SENDERDOMAIN$—This macro is replaced by only the domain portion of the email address that was passed in the SMTP MAIL From command. For example, "example.net" from the "sender@example.net" address.

$RECIPIENT$—This is replaced by the SMTP RCPT To address that was used for the message that matched the rule. For example, "recipient@example.com".

$RECIPIENTMAILBOX$—This macro is replaced by only the mailbox portion of the email address that was passed in the SMTP RCPT To command. For example, "recipient" from the "recipient@example.com" address.

$RECIPIENTDOMAIN$—This macro is replaced by only the domain portion of the email address that was passed in the SMTP RCPT To command. For example, "example.com" from the "recipient@example.com" address.

$SUBJECT$—This macro is replaced by the contents of the matched message's Subject header.

$MESSAGEID$—This is replaced by the value of the message's Message-ID header.

$DATESTAMP$—This macro is replaced by the message's Date.

$CURRENTTIME$—This is replaced by the current time when SecurityGateway creates the note.

$HELONAME$—This is the HELO domain that was passed during the SMTP process when the matched message was received by SecurityGateway.
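An added Python example, not SecurityGateway's own code, of expanding the macros listed above into a Send Note (Alert) message. The template, envelope, headers and HELO name are constructed; the mailbox/domain split and the single-pass expansion are this example's own choices.

```python
import re
from datetime import datetime, timezone

# Constructed alert template using the macros listed above; not a product default.
NOTE_TEMPLATE = """DLP rule matched.
Sender: $SENDER$ (mailbox $SENDERMAILBOX$, domain $SENDERDOMAIN$)
Recipient: $RECIPIENT$ (mailbox $RECIPIENTMAILBOX$, domain $RECIPIENTDOMAIN$)
Subject: $SUBJECT$
Message-ID: $MESSAGEID$  Date: $DATESTAMP$  HELO: $HELONAME$
Note generated: $CURRENTTIME$
"""

def split_address(address):
    """Mailbox and domain parts of an SMTP address; with no '@' the domain is empty."""
    mailbox, sep, domain = address.partition("@")
    return mailbox, (domain if sep else "")

def macro_values(mail_from, rcpt_to, headers, helo, now=None):
    """Value of every macro for the matched message (envelope, headers, HELO name)."""
    now = now or datetime.now(timezone.utc)
    sender_box, sender_dom = split_address(mail_from)
    rcpt_box, rcpt_dom = split_address(rcpt_to)
    return {
        "$SENDER$": mail_from, "$SENDERMAILBOX$": sender_box, "$SENDERDOMAIN$": sender_dom,
        "$RECIPIENT$": rcpt_to, "$RECIPIENTMAILBOX$": rcpt_box, "$RECIPIENTDOMAIN$": rcpt_dom,
        "$SUBJECT$": headers.get("Subject", ""),
        "$MESSAGEID$": headers.get("Message-ID", ""),
        "$DATESTAMP$": headers.get("Date", ""),
        "$CURRENTTIME$": now.strftime("%Y-%m-%d %H:%M:%S %Z"),
        "$HELONAME$": helo,
    }

def expand_note(template, values):
    """Replace all macros in a single pass. Header-derived values (Subject, Message-ID)
    come from the sender, so a value that itself looks like "$SENDER$" is inserted
    literally instead of being expanded again on a later pass."""
    pattern = re.compile("|".join(re.escape(macro) for macro in values))
    return pattern.sub(lambda m: values[m.group(0)], template)

# Constructed sample: the envelope and headers of a message that matched a rule.
SAMPLE_NOTE = expand_note(NOTE_TEMPLATE, macro_values(
    "sender@example.net", "recipient@example.com",
    {"Subject": "Forecast", "Message-ID": "<20240101.1@example.net>",
     "Date": "Mon, 01 Jan 2024 10:00:00 +0000"}, "mail.example.net"))
```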

Add to message score—Use this action if you wish to add a specific number of points to the message score when a message matches the rule's conditions.

Send as Registered Email (RMail)—Use this action if you wish to use one or more of RMail's Registered Email features when a message matches the rule's conditions.

Encrypt—Choose this option if you want to encrypt the message.

Track & Prove—Choose this option if you wish to use RMail's track and prove features.

E-Sign—Choose this option if you wish to use RMail's E-Sign feature for electronically signing documents.

Flag message for REQUIRETLS—Indicates the message should use RequireTLS.

Send as secure web message—Choose this action if you wish to use SecurityGateway's Secure Messaging web portal system to send a message instead of using traditional mail delivery.

Regular Expressions

The Data Leak Prevention Rule Conditions support "Matches regular expression" as a comparison method. Regular Expressions (regexp) is a versatile system that makes it possible for you to search not only for specific text strings, but also for text patterns. A regexp text pattern consists of a combination of special characters known as metacharacters and alphanumeric text characters, or "literals" (i.e. abc, 123, and so on). The pattern is used to match against text strings—with the result of the match being either successful or not.

SecurityGateway's regexp implementation uses the Perl Compatible Regular Expression (PCRE) library. You can find more information on this implementation of regexps at: http://www.pcre.org/ and http://perldoc.perl.org/perlre.html.

For a comprehensive look at regular expressions, see: Mastering Regular Expressions, Third Edition published by O'Reilly Media, Inc.

Metacharacters

Metacharacters are special characters that have specific functions and uses within regular expressions. The regexp implementation within SecurityGateway allows the following metacharacters:

\ | () [] ^ $ * + ? .

Metacharacter

Description

\

When used before a metacharacter, the backslash ( "\" ) causes the metacharacter to be treated as a literal character. This is necessary if you want the regular expression to search for one of the special characters that are used as metacharacters. For example, to search for "+" your expressions must include "\+".

|

The alternation character (also called "or" or "bar") is used when you want either expression on the side of the character to match the target string. The regexp "abc|xyz" will match any occurrence of either "abc" or "xyz" when searching a text string.

[...]

A set of characters contained in brackets ("[" and "]") means that any character in the set may match the searched text string. A dash ("-") between characters in the brackets denotes a range of characters. For example, searching the string "abc" with the regexp "[a-z]" will yield three matches: "a", "b", and "c". Using the expression "[az]" will yield only one match: "a".

^

Denotes the beginning of the line. In the target string, "abc ab a" the expression "^a" will yield one match—the first character in the target string. The regexp "^ab" will also yield one match—the first two characters in the target string.

[^...]

The caret ("^") immediately following the left-bracket ("[") has a different meaning. It is used to exclude the remaining characters within brackets from matching the target string. The expression "[^0-9]" indicates that the target character should not be a digit.

(...)

Parentheses affect the order of pattern evaluation, and also serve as a tagged expression that can be used in search and replace expressions.

The results of a search with a regular expression are kept temporarily and can be used in the replace expression to build a new expression. In the replace expression, you can include a "&" or "\0" character, which will be replaced by the sub-string found by the regular expression during the search. So, if the search expression "a(bcd)e" finds a sub-string match, then a replace expression of "123-&-123" or "123-\0-123" will replace the matched text with "123-abcde-123".

Similarly, you can also use the special characters "\1", "\2", "\3", and so on in the replace expression. These characters will be replaced only by the results of the tagged expression instead of the entire sub-string match. The number following the backslash denotes which tagged expression you wish to reference (in the case of a regexp containing more than one tagged expression). For example, if your search expression is "(123)(456)" and your replace expression is "a-\2-b-\1" then a matching sub-string will be replaced with "a-456-b-123", whereas a replace expression of "a-\0-b" will be replaced with "a-123456-b".

$

The dollar sign ("$") denotes the end of the line. In the text string, "13 321 123" the expression "3$" will yield one match—the last character in the string. The regexp "123$" will also yield one match—the last three characters in the target string.

*

The asterisk ("*") quantifier indicates that the character to its left must match zero or more occurrences of the character in a row. Thus, "1*abc" will match the text "111abc" and "abc."

+

Similar to the asterisk quantifier, the "+" quantifier indicates that the character to its left must match one or more occurrences of the character in a row. Thus, "1+abc" will match the text "111abc" but not "abc."

?

The question mark ("?") quantifier indicates that the character to its left must match zero or one times. Thus, "1?abc" will match the text "abc", and it will match the "1abc" portion of "111abc".

.

The period or dot (".") metacharacter will match any single character. Thus ".+abc" will match "123456abc", and "a.c" will match "aac", "abc", "acc", and so on.
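An added Python example, not SecurityGateway's own code, that applies the metacharacter table above. It escapes the listed metacharacters so that a literal such as the "[allstaff]" subject tag used earlier matches itself in a "Matches regular expression" condition (unescaped, the brackets form a character class and match the wrong subjects), and it translates the replace-expression syntax described above ("&", "\0", "\1") for Python's re module, whose replacement syntax differs. A literal "&" in a replacement is not supported by this translation; that is an assumption of the example.

```python
import re

METACHARACTERS = set("\\|()[]^$*+?.")  # the set of metacharacters listed above

def escape_literal(text):
    """Backslash-escape every metacharacter so the text matches itself literally."""
    return "".join("\\" + c if c in METACHARACTERS else c for c in text)

def all_matches(pattern, text):
    """All non-overlapping matches of pattern in text, as strings."""
    return [m.group(0) for m in re.finditer(pattern, text)]

def pcre_replace(pattern, replacement, text):
    """Search-and-replace using the replace-expression syntax above: '&' or '\\0'
    stand for the whole match and '\\1', '\\2', ... for tagged sub-expressions.
    Python's re.sub writes the whole match as '\\g<0>' and would read '\\0' as an
    octal NUL escape, so the replacement is translated before re.sub is called."""
    py_repl = replacement.replace("\\0", "\\g<0>").replace("&", "\\g<0>")
    return re.sub(pattern, py_repl, text)

def subject_tag_check(subject):
    """Raw "[allstaff]" is a character class matching one of the letters a, l, s, t, f;
    the escaped form matches the literal tag the rule author meant."""
    return {"raw": re.search("^[allstaff]", subject) is not None,
            "escaped": re.search("^" + escape_literal("[allstaff]"), subject) is not None}
```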