Sender Lists & Email Filters

From HBS Cloud Services

Filter Policies vs. Sender Lists

Using Filter Policies can achieve the same objective as using sender lists (i.e., allow or quarantine an email). However, using sender lists provides organizations and users with a much simpler user experience when identifying messages from safe or blocked senders.

Sender Lists

Sender lists allow you to define senders (someone@example.com) or domains (example.com) that you wish to either receive or block email from.

Log in to the Proofpoint Panel.

To add an entry to the Safe/Blocked sender list:

  1. Click on the Settings tab.
  2. Click on the Sender Lists tab.
  3. Type in an SMTP address (user@example.com) or domain (example.com).
  4. You can add more than one entry by separating them with a comma or semicolon.
  5. Click Save

To remove an entry from the Safe/Blocked sender list:

  1. Click on the Settings tab.
  2. Click on the Sender Lists tab.
  3. Highlight the entry you wish to remove and press Delete on your keyboard.
  4. Click Save.

Filter Policies

Filter policies define actions that are to be taken automatically on inbound or outbound messages that meet defined conditions. Filters can be defined at the company, group, or individual user level. Filters are applied in this order:

  • First, those defined at the user level
  • Then, those defined at the group level
  • Finally, those defined at the company level

By default, filters are applied in reverse chronological order, starting with the most recently created filter for the level. However, filter order within a level can be manually adjusted.

Filters are made up of three elements: a scope, a condition and an action. For example, a filter that allows all emails sent by domain.com to be received would have its scope set to the organization, its condition set to the sender address (*@domain.com), and its action set to “Allow”. A filter that sends an alert message to a specific email address whenever an email larger than 5000 KB is received would have its condition set to the email size and its action set to alerting a technical contact.

Filter Policy Examples

Note that these examples are for illustration purposes only: some of them rely on package-specific features.

| To... | Create... |
|---|---|
| Prevent all users in the company from receiving attachments of a particular type. | An inbound filter with a condition that identifies the attachment types of concern, with the action of “Quarantine”. |
| Encrypt all outbound emails that include a credit card number. | An outbound filter with a condition that looks for emails that contain a credit card number, with the action of “Encrypt”. |
| Encrypt all emails with “[encrypt]” in their subject line. | An outbound filter with a condition that looks for “[encrypt]” in the subject line, with the actions of “Encrypt” and “Strip Subject Line Encryption Terms”. |
| Trigger an alert email whenever there is a package delivery notification. | An inbound filter with a condition that looks for emails that contain a delivery tracking code, with the action of "Nothing". |
| Force all emails arriving at your server to be sent over TLS. | An outbound filter with a condition that identifies emails with a specific domain as the recipient address, and the actions of "Nothing" and "Enforce Only TLS on SMTP Delivery". |

Filter Policy Anatomy

Filter Policy Direction

Filter policies are associated with one direction of email processing: either inbound (emails sent to users who belong to an organization) or outbound (emails sent by users who belong to an organization). Typically, the objective of the filter is different depending on its direction.

Inbound filter policies are typically used to block incoming emails, for example:

  • Quarantine all incoming emails that contain any form of executable attachment.
  • Quarantine all incoming emails that were sent by a specific sender.

Outbound filter policies are typically used to act on select outgoing emails, for example:

  • Encrypt all emails that contain [encrypt] in the subject line.
  • Encrypt all emails that contain a credit card number in the email's body.

The "encrypt" action is only available to organizations where the Email Encryption feature is enabled. Smart Identifiers, such as credit card numbers, are only available to organizations where the Data Loss Prevention (DLP) feature is enabled.

Filter Policy scope

A filter policy can be applied to an entire organization (affecting all users that belong to the organization) or a single user or group of users. For example, a filter policy could:

  • Quarantine all emails that are sent to an organization if they contain an executable attachment (organization-level filter policy).
  • Tag an email subject line with URGENT and alert the on-call IT resource if an email is sent to any member of the group "IT_team" and with any of the terms "support", "help", or "assistance" in the subject line (group-level filter policy).
  • Quarantine all emails sent to a specific user from a specific email address, newsletter@idontwantanymore.com (user-level policy).

Filter Policy Conditions

When creating a filter, you must choose both a condition (e.g. sender, recipient, content) and an action (e.g. quarantine, allow). A filter can include more than one condition (e.g. sender and content and size) and more than one action (e.g. quarantine and alert the tech contact) for a filter policy. The following conditions are available.

| Condition | Description | Operator | Supported value/format | Multiple values allowed? | Example(s) |
|---|---|---|---|---|---|
| Sender Address | The email address from which the email was sent. | IS, IS NOT | text (email address or domain) | Yes | some.user@domain.com, *@domain2.com |
| Recipient Address | The email address that the email is sent to. | IS, IS NOT | text (email address or domain) | Yes | some.user@domain.com, *@domain2.com |
| Email Size (in KB) | The size of the email, including attachments. | IS GREATER THAN, IS LESS THAN | integer | No | 1000 |
| Client IP Country | The originating IP address of the email. | IS, IS NOT | text; choose a pre-populated value based on search | Yes | China, Iran |
| Email Subject | The subject line of the email. | IS, IS NOT, CONTAINS | text | No | This is a subject |
| Email Headers | The headers of the email. | CONTAIN(S) ALL OF, CONTAIN(S) SOME OF, CONTAIN(S) NONE OF | text | No | X-ThreatSim-Header |
| Email Message Content | The email body content (excluding content in attachments). | CONTAIN(S) ALL OF, CONTAIN(S) SOME OF, CONTAIN(S) NONE OF | text | Yes | somecontent1, somecontent2, somecontent3 |
| Raw Email | The email body content and headers (excluding content in attachments). | CONTAIN(S) ALL OF, CONTAIN(S) SOME OF, CONTAIN(S) NONE OF | text | Yes | somecontent1, somecontent2, somecontent3 |
| Attachment Type | The type of attachment contained in an email. | IS, IS NOT | text; choose from a pre-populated list of options | Yes | N/A - Select from list of supported attachment types. |
| Attachment Name | The name of the attachment contained in an email. | IS, IS NOT | text | Yes | mhooper-personal-file.docx |
| Smart Identifier Scan | A list of smart identifiers (e.g., credit card). Only for customers with the Data Loss Prevention (DLP) feature enabled. | CONTAIN(S) ANY OF | text; choose from a pre-populated list of options | Yes | N/A - Select from list of smart identifiers. |
| Dictionary Scan | A list of dictionary terms (e.g., credit card terms). Only for customers with the Data Loss Prevention (DLP) feature enabled. | CONTAIN(S) ANY OF | text; choose from a pre-populated list of options | Yes | N/A - Select from list of supported dictionary terms. |

Available Actions

| Action | Description |
|---|---|
| Quarantine | Do not deliver the email to its intended recipient. The email is quarantined. |
| Allow | Allow the email to bypass spam and bulk scans. The email is not quarantined. |
| Nothing | Allow the system to determine the primary action (deliver or quarantine) and add additional (secondary) actions as specified in the filter. |

Available Secondary Actions

| Action | Description |
|---|---|
| Alert Sender | Sends an email notification to the sender. |
| Alert Recipient | Sends an email notification to the recipient. |
| Alert Tech Contact | Sends an email notification to the tech contact assigned to the organization. |
| Require Admin Privileges to Release | Allows only administrators to release email from quarantine. |
| Hide Log | Hides log entries (in Email Logs) for the email. |
| Hide Log from Non-Admin Users | Shows log entries (in Email Logs) for the email only to administrators. |
| Enforce Completely Secure SMTP Delivery | Forces email delivery to operate over TLS without an unencrypted fallback. A valid certificate for the recipient domain is required. |
| Enforce Only TLS on SMTP Delivery | Forces email delivery to operate over TLS without an unencrypted fallback. |
| Stop Processing Additional Filters | Applies no additional filters to the email. |
| Tag Subject Line | Inserts a tag into the email's subject line. |

Create a Filter Policy

  1. Under Security Settings, click Email, then Filter Policies.
  2. Click New Filter.
  3. On either tab (Inbound or Outbound), enter a name for the filter and then select the direction of messages to which the filter should be applied: inbound or outbound.
  4. Click Continue.
    • The Filter Settings page opens.
  5. Select the scope of the filter, that is, whether it should apply to the whole company/organization, just a group, or just to the selected individual user.
  6. From the "If" list, select the condition that must be met in order for the filter to be applied (e.g., sender address), then select the operator to apply to the condition (e.g., IS, IS NOT).
  7. In the box below the "If" fields, enter the value(s) to be evaluated.
  8. Optionally, click Add Another Condition (Optional) and repeat the steps above.

Multiple conditions are evaluated with an AND operator. For example, the condition is only met if the sender address includes "domain.com" and the subject line contains "newsletter".

  9. In the "Do" list, select the action that should be taken if the condition is met (Quarantine, Allow, or Nothing).
  10. Optionally, add secondary actions.
  11. In the right panel, enter a Description of the filter. (You can also change the filter name here.)
  12. Click Save.
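
The evaluation rules described on this page (user, then group, then company level; newest first within a level; conditions joined with AND; "Stop Processing Additional Filters") can be modelled to review which filters touch a message and in what order. This is an added example, not Proofpoint's code: the filter names, message fields, wildcard and case handling are assumptions, and it does not decide which primary action wins, it only lists the matching filters so overlapping Allow and Quarantine filters stand out.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

SCOPE_ORDER = {"user": 0, "group": 1, "company": 2}   # level order given on the page
STOP = "Stop Processing Additional Filters"

@dataclass
class Filter:
    name: str
    scope: str          # "user", "group" or "company"
    created: int        # constructed sequence number; higher means newer
    conditions: list    # [(field, operator, [values])]; all must hold (AND)
    action: str         # "Quarantine", "Allow" or "Nothing"
    secondary: tuple = ()

def condition_holds(msg, field, op, values):
    actual = str(msg[field]).lower()
    if op in ("IS", "IS NOT"):
        # Assumption: "*" is a wildcard (as in *@domain2.com), matching ignores case.
        hit = any(fnmatchcase(actual, v.lower()) for v in values)
        return hit if op == "IS" else not hit
    if op == "CONTAINS":
        return any(v.lower() in actual for v in values)
    raise ValueError(f"operator not modelled: {op}")

def evaluation_order(filters):
    # Scope level first, then newest first inside a level (the default order).
    return sorted(filters, key=lambda f: (SCOPE_ORDER[f.scope], -f.created))

def trace(msg, filters):
    """Return (name, action) for each matching filter, in evaluation order."""
    hits = []
    for f in evaluation_order(filters):
        # Simplification: every filter is assumed to be in scope for the recipient.
        if all(condition_holds(msg, *c) for c in f.conditions):
            hits.append((f.name, f.action))
            if STOP in f.secondary:
                break
    return hits

# Constructed sample filters and message, not taken from a real tenant.
FILTERS = [
    Filter("org-block-exe", "company", 1, [("attachment_type", "IS", ["exe"])], "Quarantine"),
    Filter("org-allow-domain", "company", 2, [("sender", "IS", ["*@domain.com"])], "Allow"),
    Filter("group-newsletter", "group", 3, [("sender", "IS", ["*@domain.com"]),
           ("subject", "CONTAINS", ["newsletter"])], "Nothing", ("Tag Subject Line",)),
    Filter("user-block", "user", 4,
           [("sender", "IS", ["newsletter@idontwantanymore.com"])], "Quarantine"),
]
MSG = {"sender": "news@domain.com", "subject": "Weekly newsletter", "attachment_type": "exe"}

if __name__ == "__main__":
    for name, action in trace(MSG, FILTERS):
        print(f"{name}: {action}")
```

For the sample message, the trace shows an organization-level Allow and an organization-level Quarantine both matching, which is the kind of overlap worth resolving by reordering or narrowing the filters.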

Working with Filter Policies

Change Filter Order

Filters are evaluated against emails in the order in which the filters are listed on the filters page. You can change the order within a specific scope section (e.g., organization) if necessary.

  1. Check the filter you wish to change the processing order for.
  2. Click (up) to move the filter up in priority or (down) to move the filter lower in priority.
  3. Repeat until the filter is in the desired priority.

Filter priority can only be adjusted within its designated scope (e.g., organization). You cannot change the priority of a filter with a group scope over an organization filter.

Edit a Filter

  1. Click the filter name you wish to edit.
    • Alternatively, click the (edit) icon next to the filter you wish to edit.
  2. Adjust the filter as needed.

Disable/Enable a Filter

  1. Click the (toggle) next to the filter you wish to disable or enable.
    • Alternatively, check the checkbox next to each filter you wish to enable or disable, then click Enable Filter or Disable Filter.
  2. Click OK when prompted.

Delete a Filter

  1. Click the (delete) next to the filter you wish to delete.
    • Alternatively, check the checkbox next to each filter you wish to delete, then click Delete Filter.
  2. Click OK when prompted.

Change Filter View

By default, all filters are shown. To view just filters assigned to the organization, to groups or to users:

  1. Select the Scope dropdown (in the top right corner).
  2. Choose the Scope you wish to view filters for.

Inbound and Outbound filters are displayed in different views.

To view all inbound filters:

  1. Click the Inbound tab at the top of the filters page.

To view all outbound filters:

  1. Click the Outbound tab at the top of the filters page.

Expand or Collapse Filter Policies

To expand or collapse ALL filter policies:

  1. Click Expand All/Collapse All.

To expand or collapse filter policies for a specific scope:

  1. Click the (expand) or (collapse) next to the filter summary.

View Filter Usage and other Filter Information

To view a filter's usage:

  1. Click the name of the filter you wish to view usage for.
  2. Usage stats are displayed in the bottom right-hand side of the screen.
  3. Usage stats data is updated daily.