Data Loss Prevention

  • 1.  DLP incident with only one recipient

    Trusted Advisor
    Posted Jun 25, 2012 06:54 AM

    Hello

     

     Has any of you already succeeded in defining a rule or an exception to match on email with only one recipient?

     

     Regards



  • 2.  RE: DLP incident with only one recipient

    Broadcom Employee
    Posted Jun 25, 2012 10:12 AM

    I think you can create a Content Matches Regular Expression rule to only detect the Envelope field.



  • 3.  RE: DLP incident with only one recipient

    Posted Jun 26, 2012 04:04 AM
      |   view attached

    Hi;

    You can create a recipient pattern policy.

    As follows:



  • 4.  RE: DLP incident with only one recipient

    Posted Aug 01, 2012 04:58 AM

    Hi;

     

    Do you have a chance to test?



  • 5.  RE: DLP incident with only one recipient

    Posted Aug 01, 2012 08:17 AM

    I used a simple regex to look at addresses in the envelope.

    (Cc|To):\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s

    This is effective if there is only one To: or one Cc: (the \s provides this); however, if there is one To: and one Cc:, then this will still detect as a true positive.

     

    An alternative is to create one policy with one rule:

    To:\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s

    and exclude:

    Cc:\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s

    You then need to do the same for a single Cc: recipient.

    ----------Enhancement Request--------

    Symantec does not keep its results in memory and is therefore incapable of identifying unique instances of content.

    In my opinion this is the number one change required in the content detection methods or rather the scoring used by SDLP.  Actually SDLP does not do any scoring at all.  It only counts matches.  And a match is not stored in memory so during evaluation it cannot determine unique instances.  Other vendors have the ability to determine if a rule detects unique instance or single instance and this is a very important method for improving accuracy.
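
Added example (not part of the original posts, and not Symantec DLP's own matching engine): a Python check of the regexes from post 5 against constructed header blocks, next to a count of unique To/Cc addresses. It assumes recipients are comma-separated on one header line; the function names and sample addresses are made up for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Address part shared by the three regexes posted above (copied unchanged).
ADDR = r"\s?<?[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}>?\s"
EITHER = re.compile(r"(Cc|To):" + ADDR)   # single-rule variant
TO_ONLY = re.compile(r"To:" + ADDR)       # rule of the two-rule policy
CC_ONLY = re.compile(r"Cc:" + ADDR)       # its exception

def single_rule(headers):
    """True when the combined (Cc|To) regex would raise a match."""
    return bool(EITHER.search(headers))

def rule_with_exception(headers):
    """To: rule fires unless the Cc: exception also matches.
    The mirrored policy for a lone Cc: recipient is not modelled here."""
    return bool(TO_ONLY.search(headers)) and not CC_ONLY.search(headers)

def recipient_count(headers):
    """Count unique To/Cc addresses, which a match counter cannot do."""
    msg = message_from_string(headers)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return len({addr.lower() for _, addr in getaddresses(fields) if addr})

# Constructed header blocks (assumption: one header per line, recipients
# comma-separated); none of these come from a real message.
SAMPLES = {
    "one_to": "To: alice@example.com\n",
    "to_and_cc": "To: alice@example.com\nCc: bob@example.org\n",
    "two_to": "To: alice@example.com, bob@example.org\n",
    "to_and_two_cc": "To: alice@example.com\n"
                     "Cc: bob@example.org, carol@example.net\n",
}

def evaluate():
    """Return {sample: (single_rule, rule_with_exception, recipient_count)}."""
    return {name: (single_rule(h), rule_with_exception(h), recipient_count(h))
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14} single={result[0]!s:5} "
              f"with_exception={result[1]!s:5} recipients={result[2]}")
```

Under that assumption, the To:-plus-exception policy still fires on `to_and_two_cc` (three recipients), because the Cc: exception only matches a lone Cc: address, so a policy built this way is worth testing with a multi-address Cc: line.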

     



  • 6.  RE: DLP incident with only one recipient

    Posted Aug 03, 2012 01:13 AM

    Hi CIMILE,

    I think stephan is asking for only single email ID detection, not more than that. He just wanted to detect a recipient addressed to a single mail ID; if there are two recipients it will ignore, likewise. Your attached snapshot says that at least 1 recipient match, but it will be by default.

    Please let us know your views on this.