About Filters

You can approve or block specific senders and recipients, based on the email address, domain, subdomain, attachment type, email size, words in the email or header, source country or destination country.

The Anti-Spam service detects spam by applying hundreds of rules to each message that passes through. It blocks obvious spam outright and diverts what is possibly spam to the Quarantine. If you discover that some quarantined messages are actually good mail that just looks like spam, add the senders of those messages to an appropriate approved-senders list. If a number of quarantined senders are from the same domain, such as the same company, add the domain to an appropriate approved senders list. Messages from those senders are then delivered to users in your organization, regardless of the spam-like content.

To avoid the risk of increasing spam traffic, approve only specific senders whose messages might look like spam, rather than approving all of your known senders. Also, avoid approving too many domains, as that can increase the risk of spoofing.

Step 1: Start creation

• Look under ‘Security Settings‘ and click Filter Policies Click New Filter, name it, and choose if it is an inbound or outbound filter.

Step 2: Scope (applies only if you are not an end-user)

What does the rule apply to? There can be various selections:

• Entire organization
• Groups
• Single user

Step 3: Select IF Conditions

• Sender Address – string input, list of keywords separated by comma (,) or semi-colon (;)
• Recipient Address – string input, list of keywords separated by comma (,) or semi-colon (;)
• Email Size (KB) – A specified size of an email including the attachment to an exact whole number.
• Client IP Country – Country list; input a country (? – we need the library file, or source here)
• Email Subject – string input, list of keywords separated by comma (,) or semi-colon (;)
• Email Headers – string input, list of keywords separated by comma (,) or semi-colon (;)
• Email Message Content – string input, list of keywords separated by comma (,) or semi-colon (;)
• Raw Email (Up To 10000 Lines) – string input, list of keywords separated by comma (,) or semi-colon (;)
• Attachment Type – choose from pre-defined types (need library of file names; we should be able to add to this list)
• Attachment Name – create a rule based upon a file name/type that is not part of the pre-defined type.
• Smart Identifier Scan – See linked KB for this DLP product
• Dictionary Scan – See linked KB for this DLP product

Step 4: Rule Narrative

• See below for the full list of narratives to choose from.

Step 5: Add another Condition (for IF)

• Repeat steps 3 and 4 for adding more than 1 condition

Step 5: Select Do Condition

• Quarantine – put in the quarantine (see below for exception)
• Allow – does not scan message
• Nothing – scan message as normal; and can add additional actions below
• Override the Previous Destination – If selected, this option will ignore the destination that another filter may have applied to this message.

Step 6: Add another Condition (for DO)

• Alert Tech contact – an email alert would be relayed to the Tech contact address
• Alert Specified Users – Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols
• Hide log – Will hide the email from logs/digest from ALL users (except for EMP Cloud Support)
• Hide log from Non-admin Users – Will hide the email from logs/digest from all end-users
• Stop processing additional filters – Will stop processing any additional filters
• Require admin privileges to release – Requires an administrator to release the email
• Enforce completely secure SMTP delivery – Requires a certificate for TLS delivery (Certificate cannot be self-signed or contain errors)
• Enforce only TLS on SMTP delivery – Does not require a certificate

Override the Previous Destination – If selected, this option will ignore the destination that another filter may have applied to this message. This override means we can stop another rule’s DO action from performing.