Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=data-control-rule-create

Create a Data control rule

Add rules to Data control policies to control sensitive information in emails. These rules describe which information to look for and what to do when the rule is matched.

To create a new rule, edit an existing policy, or create a new policy:

  1. Go to My Products > Email Protection > Policies.
  2. Click an existing Data control policy to edit it. To create a new one, click Add Policy. See Data control policy.
  3. Click Settings.
  4. Click either Inbound or Outbound to set the direction of emails this rule checks.
  5. Click Add rule.
  6. Set a rule name and description.

  7. Choose a rule type.

    You can use templates provided by Sophos to control common types of sensitive information. You can also customize rules using content control lists (CCLs), message attributes, or keywords and phrases.

  8. Click Next.

    Add items appears.

  9. In Add Items, you choose the items the rule applies to.

    For most rule types, you can use lists provided by Sophos or build custom lists specific to your needs.

    You can choose to search any combination of the following locations: the subject, body, attachment file content, or attachment file name.

    If you choose Message Attributes (MA), continue to the next step.

    If you choose Attachment file types (AFT), we recommend you use the default Sophos list.

    If you use a custom list, you can choose to filter by File extensions or File group.

    If you filter by File extensions, you can select individual file extensions. You can't choose a file group. You can also add a comma-separated list of file extensions to filter against in Include extensions. The rule matches against file extensions, not the file types we detect.

    If you filter by File groups, you can select groups of file types from the list. You can't choose individual file extensions. The rule matches against the file types we detect, not extensions.

    If you choose Keywords (KW), you can enter the strings to search for or import keywords.

    We look for keywords in the following places, in this order: the subject, body, attachment name, and attachment of an email. Where we look depends on the selection you make in Search in.

    When we find a keyword in one of these places, we stop looking in that place, and start looking in the next place. We only report the first instance of a keyword in each location.

    You can choose to filter words and phrases or use a regular expression. If you want to add keywords using regular expressions within the context of Sophos Email DLP rules, you can use up to 50 characters. Your regular expressions must comply with the Perl regular expression syntax from the Boost library. See Perl syntax.

    Restriction

    For performance reasons, we don't support regular expressions that contain groups. A group is a sequence of characters enclosed in parentheses.

    You can test your regular expression with BRegexTest, a Windows executable available from Google Code. See Google Code Archive: bregextest.

  10. Click Next.

    Message Attributes appears.

  11. Select message attributes you want to filter messages by.

    Choose from the following:

    • Header: You can check if the header value matches a regular expression, contains a substring, equals a value, or if the header exists or not.
    • Source: You can add IP addresses and domains to compare them with.
    • Size: You can set size limits for email attachments, the whole email, or both. Attachment size limits apply to individual attachments, not the total size of all the attachments.

    If you use a message attribute rule with another rule type, the match is against both types. For example, if you choose message attribute for attachment size, and a keyword rule type, the rule is only matched if the attachment size limit is met and the keyword is found.

    We calculate attachment size using the email's MIME-encoding. We don't use the size of the raw files. This means attachment file sizes are often reported as larger than the actual file. You must take this into account when filtering on attachment size. See Calculating email attachment file sizes.

  12. Click Next.

    If you're creating an inbound rule, External senders appears. For an outbound rule, External recipients appears.

    This only applies at the rule level. You can also use external users and domains at the policy level. See External users and domains.

  13. Add email addresses or domains that you want to include or exclude from the rule. The default is Include all.

    You can add individual items or import a list.

    Inclusions and exclusions are absolute. For example if you include a domain, the rule applies to all emails using that domain name, it doesn't apply to those using any other domain. Or if you exclude an email address, the rule applies to all emails except those using that email address.

    Note

    When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.

  14. Click Next.

    Choose action appears.

  15. Choose the actions to take when the rule is matched, who to notify, and additional options.

    Note

    Options change depending on the rule type and direction, either Inbound or Outbound.

    For example, if you select Inbound, the Bounce action doesn't appear in the list of actions. For outbound rules, you can override the default encryption method set in Global Settings > Email Encryption.

    The actions list can include the following options:

    • Quarantine: Sophos Email quarantines the message for review.

    • Encrypt: Sophos Email encrypts the message to secure it.

    • Strip attachments: The original message is quarantined, and a copy is delivered to the recipient without the attachment. You can manage the attachments from Quarantined Messages. See Quarantined Messages.

    • Modify Address: You can specify the To, CC, or BCC recipients of the message.

      Note

      • If you only specify CC or BCC recipients, then the rule will send the message to the original recipients and the addresses you specified in CC and BCC.
      • If you specify the To recipient, then the rule will send the message to the specified addresses instead of sending it to the original recipient.
      • If you select Envelope only, then the MIME headers aren’t modified, and the message is sent only to the specified To address.

    • Redirect message: The original message is forwarded as an attachment to the redirection email address.

    • Reroute message: You can add the domain or IP address, and port number, of a destination you want to route messages to.

      Note

      The rerouting action only applies to messages received and delivered by Sophos Email Gateway. For Sophos Email Mailflow messages, you must configure routing in Microsoft 365.

    • Bounce: Sophos Email notifies the sender that it couldn't deliver the message.

    • Modify Header: You can choose from the following actions:

      • Add header: Enter a header element and a value. The header element is added to the email.
      • Edit header value: Enter a header and a value. The value of the first entry of the header is replaced with the new value.
      • Strip header: Enter a header element. All headers matching the header element are removed.

    • Delete: Sophos Email deletes the message.

    • Log: Sophos Email records data control policy violations without taking further action.

    • Tag a subject line: You can add a subject line to the message subject.

    • Notify recipients: You can send notifications to the recipients.

    • Notify administrators: You must select the email address of an administrator to notify. If you delete the mailbox later, Sophos Email continues to send notifications to it. You must change the address, or choose a different action.

You can combine different rule types by selecting actions that allow processing to continue to the next rule. If you select an action that allows this, Continue processing appears and you can turn it on.

To complete the configuration, do as follows:

  1. Click Filter messages with this rule to turn the rule on or off.
  2. Click Done.

When the rule is turned on, the messages matched by the rule can be viewed in the Data control summary and Message History reports.