Understanding Filters
Situation |
This guide is to understand what filters are and what options are available to create filters. It answers the questions of What is a Filter? What do I need to know to create one? |
---|---|
Solution | Use this information to understand and help you know what options you have to create a filter. |
Summary
Filters define actions that should be taken automatically on inbound or outbound messages that meet defined criteria. Filters can be defined at the company, group or individual user level: filters defined at the user level are applied first, then those defined at the group level, and then those defined at the company level. By default, filters are applied in reverse chronological order, starting with the most recently created filter for that level. However, filter order within a level can be manually adjusted to control the order in which filters are applied.
Filters are made up of conditions and actions. For example, a filter that allows all emails sent from domain.com to be received would have as its condition the sender address (*@domain.com) and as its action “allow”. Similarly, a filter could be used to trigger an alert message to be sent to a specific email address if an email is received that is greater than 5000 KB: the email size is the condition and alerting a technical contact is the action.
Current character limit creating/editing filters is 4096.
Filter examples
The table below presents some uses for filters. Note that these examples are for illustration purposes only: some of them rely on package-specific features.
To... | Create... |
Prevent all users in the company from receiving attachments of a particular type. |
An inbound condition that identifies the attachment types of concern, with the action of “Quarantine”. |
Encrypt all outbound emails that include a credit card number. |
An outbound filter with a condition that looks for emails that contain a credit card number and credit card terms, with the action of “Encrypt”. Requires Data Loss Prevention and Email Encryption features to be enabled. Data Loss Prevention available in Business, Advanced and Professional packages. Email Encryption available in Advanced and Professional packages. |
Encrypt all emails with “[encrypt]” in their subject line. |
An outbound filter with a condition that looks for “[encrypt]” in the subject line, with the actions of “Encrypt” and “Strip Subject Line Encryption Terms”. Requires Email Encryption feature to be enabled. Email Encryption available in Advanced and Professional packages. |
Trigger an alert email whenever there is a package delivery notification. |
An inbound filter with a condition that looks for emails that contain a delivery tracking code, with the action of "Nothing". |
Force all emails to your server to be over TLS. |
An outbound filter with a condition that identifies emails with specific domain as the recipient address, and the action of "Nothing" and "Enforce Only TLS on SMTP Delivery". |
Filter conditions
A single filter can have multiple conditions. For example, a filter could apply to any email from a specific domain that is also over a certain size.
The first action the condition applies is to send the message to a “destination” (typically, allow, quarantine or “nothing”). The “nothing” action is used when the only action that is necessary is a secondary one, such as notifying a user. Additional actions are also available (stop processing filters, allow release only by a user with the admin role). If an email matches several filters, the destination defined for the first filter is applied, unless the Override Previous Destination option is chosen. To force the first matching filter to take effect, an action of Stop Processing Additional Filters can be used.
Condition |
Parameters |
Values |
Wildcards/inputs |
Sender Address |
|
|
Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols '*' and "?" are supported (e.g., stan?@domain.dev, *@domain.dev). |
Recipient Address |
|
|
Enter an email address or list of email addresses. Separate multiple entries using commas or semi-colons. Wildcard symbols '*' and "?" are supported (e.g., stan?@domain.dev, *@domain.dev). |
Email Size (in KB) |
|
|
Enter a whole number (e.g. 1024) |
Client IP Country |
|
|
Begin to typing a country name and a selection list with appear. Add one or more entries. |
Email Subject |
|
|
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.) |
Email Headers |
|
|
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.) |
Email Message Content |
|
|
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.) |
Raw Email (Up to 10000 Lines) |
|
|
Enter a list of words or phrases. Separate Multiple words using commas or semi-colons (e.g. click to unsubscribe, remove, secure, etc.) |
Attachment Type |
|
|
N/A |
Attachment Name |
|
|
Enter a file name or list of file names separated by commas oe semi-colons. </br> Wildcard symbols '*' and "?" are supported (e.g., stan@domain.dev, #@domain.dev). |
Smart Identifier Scan |
|
|
N/A |
Dictionary Scan |
|
|
N/A |
Proofpoint Essentials Filters does not support Dashes (Alt+0150 "–") character either inserted or copied. It will show formatting code and will not trigger. (ex. =?Windows-1252?Q?). Use Hyphens. Those are the short dashes on the keyboard "-". These will trigger in the rules.
Filter actions
Action | Parameter | Usage/example usage |
Allow | None | Skip spam scanning and allow email to be delivered. |
Quarantine | None | Direct email to quarantine. |
Nothing | None | Do not alter typical email processing. Perform standard spam scanning. |
Encrypt | None |
Direct email to encryption service. Email Encryption available in Advanced and Professional packages. |
Secondary actions
Action |
Parameter |
Usage/example usage |
Alert Tech Contact |
None |
Send email to the individual named as the Tech Contact for the company. |
Alert Specified Users |
Email address(es) of the users |
Send email to specified email addresses. |
Hide Log |
None |
Prevent email from appearing in quarantine (log) and digest and log for all users (including administrators). |
Hide Log from Non-Admin Users |
None |
Prevent email from appearing in quarantine (log) and digest for all but administrative users. |
Stop Processing Additional Filters |
None |
Prevent other filters from applying to the email. |
Require Admin Privileges to Release |
None |
Prevent quarantined emails from being released by users. Administrators are treated as end-users when they receive their quarantine digest. As a result, an administrator will be unable to release an email that has had this restriction applied. The administrator must use the Logs function to view and release such an email. |
Enforce Complete Secure SMTP Delivery |
None |
|
Ensure Only TLS on SMTP Delivery |
None |
Enforce TLS when delivering emails: if TLS not available for recipient system, the email will not be delivered. |
Expanded Overview
For an expanded overview of filters, Click here.