Hosted Email Security 9.0 Admin Guide

Policy & Compliance

SonicWall <product name>’s Policy Management feature enables you to write policies to filter messages and their contents as they enter or exit your organization. Policies can be defined only by an administrator. Typical uses of policies include capturing messages that contain certain business terms, such as trademarked product names, company intellectual property, and dangerous file attachments.

Policy Management and Mail Threats

As SonicWall <product name> evaluates email, it uses the following precedence order when evaluating threats in email messages:

Likely Virus
Policy Filters
Likely Phishing
Likely Spam

For example, if a message is both a virus and spam, the message is categorized as a virus because virus is higher in precedence than spam. If SonicWall <product name> determines that the message is not any of the above threats, it is delivered to the destination server.

Policy Management plays a key role in evaluating the email threats by filtering email based on message contents and attachments. You can create policy filters in which you specify an action or actions you want <short product name> to take on messages that meet the conditions you define. For example, you can specify words to search for—a product term, for example—in content, senders, or other parts of the email. After filtering for specified characteristics, you can choose from a list of actions to apply to the message and its attachments.

NOTE: Any of the policies configured in the Policy section take precedence over any entries made in the Allowed List.


The Policy & Compliance > Filters page is where you manage preconfigured files and where you define new filters for both inbound and outbound paths.

NOTE: Policies created on the inbound path cannot be shared with the outbound path and vice versa. See Managing Filters for examples of adding inbound and outbound policies.

Adding Filters

With SonicWall’s Policy Management module, you can filter email as it enters or exits your organization.

To create and manage policy filters:
Navigate to the Policy & Compliance > Filters page.
Select the Inbound or Outbound tab to create filters for inbound or outbound email messages.
Click the Add New Filter button. The Add Filter window displays.

NOTE: The fields in the window change based on the action you choose.
The Enable this Filter check box is checked by default. Uncheck the box to create rules that do not go into effect immediately.
Choose whether the filter matches All of the conditions or Any of the conditions.
All—Causes email to be filtered when all of the filter conditions apply (logical AND)
Any—Causes email to be filtered when any of the conditions apply (logical OR)
Choose the parts of the message to filter. See the following table for more information:



Spam/Phishing Judgment: The server’s assessment of a categorized message threat
Likely Spoof Judgment
Address Book
Filter by the sender’s name
Filter by the names in the To, Cc, or Bcc fields
Filter by words in the subject
Filter based on information in the body of the email
Subject or Body: Filter based on information in the subject and body of the email
Subject, Body, or Attachments: Filter based on information in the subject, body, and attachments of the email
Message headers: Filter by the RFC822 information in the message header fields, which includes information like the return path, date, message ID, received from, and other information
Attachment name: Filter attachments by name
Attachment contents: Filter based on information in the email attachments
Attachment Type: Filter based on type of attachment
Country Code: Filter based on sender’s country code
Size of message: Filter messages based on the size of the message
Number of recipients: Filter messages based on the number of recipients
Source IP: Filter messages based on the sender’s IP address
Single Message Header: Filter messages containing a single message header
Originating IP: Filter messages based on the IP address from where the message was sent
All Good Messages: Filter all messages that are judged to be good.

Choose the matching operation in the Matching field. The matching options vary based on the filtering option you selected.
Enter the words or phrase that you want to filter in the Search Value text box. Select the appropriate check boxes.
Match Case—Filters a word or words sensitive to upper and lower case.
Intelligent Attachment Matching—Filters attachment names, such as .exe or .zip.
Disguised Text Identification—Filters disguised words through the sequence of their letters, for example Vi@gr@.
NOTE: Disguised Text Identification cannot be used together with Match Case and can be selected only for Body and Subject message parts.
Click the plus sign (+) if you want to add another layer of filtering.

You can add up to 20 filters. Filters are similar to rock sifters: Each additional filter adds further screens that test email for additional conditions.

Choose the response action from the Action drop down list. The following table describes the available response actions:



Permanently delete: The email message is permanently deleted and no further processing occurs in any SonicWall <product name> module. This option does not allow the user to review the email and can cause good email to be lost.
Store in Junk Box: The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. The user has the option of unjunking the email.
Store in Approval Box: The email message is stored in the Approval Box. It will not be delivered until an administrator approves it for delivery.
Bounce back to sender: The message is returned to sender with an optional message indicating that it was not deliverable.
Deliver and bounce: The message is delivered to the recipient and is bounced back to the sender with an optional message.
Deliver and skip Spam and Phishing Analysis: The message is delivered without spam or phishing analysis.
Route to: The message is routed to the specified email address. The message can be routed to only one email address.
Deliver and route to: Deliver to the recipients and also route to the specified email address. The message can be routed to only one email address.
Tag subject with: The subject of the email is tagged with the specified term.
Strip all attachments: Remove all the attachments from the email.
Append text to message: The specified text is appended to the message body.
Issue email notification: Sends an email notification to the recipients of the email that triggered the rule.
Add X-header to message: Adds an X-header to the email.
Remove X-header from message: Removes an X-header from an email.
Route to IP: The message is routed to the specified IP address. The message can be routed to only one IP address.
Deliver and Route to IP: Deliver to the recipients and also route to the specified IP address. The message can be routed to only one IP address.

Select the Stop processing policy filters check box when no additional filtering is required on a message. This check box is automatically selected and grayed out when you have selected a terminal action.
If additional actions need to be performed on the same message, select the plus sign (+) to the right. You cannot add the same action more than once to a specific filter rule. As a result, once an action has been selected, it is not available in the drop down list for further selection within the current filter rule.
Type a descriptive name in the Filter Name text box.
Select a policy group you want to apply this filter to. By default, All Groups will be selected and this filter applies to all email messages.
Click the Save This Filter button.

Managing Filters

The Filters page lists all the filters created in the system for the Inbound and Outbound path. They are processed in the order they are listed.

From this view, you can Add New Filter, change the order of filters, Edit or Delete filters. Filters that have been enabled are indicated with a green tick mark.

To change a filter that has been saved:
On the Policy & Compliance > Filters page, select the Inbound or Outbound tab (wherever the filter is located).
Select the Edit button adjacent to the filter to be changed.
Change any of the filter conditions.
Select Save This Filter.
To delete a filter:
Select the Delete button adjacent to the filter.
Confirm your choice when asked.
To change the order of the filters:
Drag and drop the filter in the order you prefer.
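
The interaction of All/Any matching, list order and the Stop processing policy filters check box described in Adding Filters and Managing Filters, modelled as an added Python example (not SonicWall code or its configuration format). The Condition and Filter classes, the simplified "contains" matching, and the sample filters and message are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Condition:
    part: str               # message part, e.g. "Subject" or "Attachment name"
    value: str              # search value
    match_case: bool = False

    def matches(self, msg: dict) -> bool:
        # Matching is simplified to "contains" (assumption for this example).
        text = msg.get(self.part, "")
        if self.match_case:
            return self.value in text
        return self.value.lower() in text.lower()

@dataclass
class Filter:
    name: str
    mode: str               # "All" = logical AND, "Any" = logical OR
    conditions: list
    actions: list
    enabled: bool = True
    stop_processing: bool = False

    def matches(self, msg: dict) -> bool:
        hits = [c.matches(msg) for c in self.conditions]
        return all(hits) if self.mode == "All" else any(hits)

def evaluate(filters: list, msg: dict) -> list:
    """Apply filters in listed order; return [(filter name, action), ...]."""
    applied = []
    for f in filters:
        if not f.enabled or not f.matches(msg):
            continue
        applied.extend((f.name, action) for action in f.actions)
        if f.stop_processing:
            break           # later filters never see this message
    return applied

# Constructed sample filters and message (hypothetical names and terms).
FILTERS = [
    Filter("Tag project term", "Any",
           [Condition("Subject", "Project Falcon"), Condition("Body", "Project Falcon")],
           ["Tag subject with"]),
    Filter("Hold zipped invoices", "All",
           [Condition("Subject", "invoice"), Condition("Attachment name", ".zip")],
           ["Store in Approval Box"], stop_processing=True),
    Filter("Strip executables", "Any",
           [Condition("Attachment name", ".exe")],
           ["Strip all attachments"]),
]
MSG = {"Subject": "Invoice for Project Falcon", "Body": "See attached.",
       "Attachment name": "invoice.zip"}

if __name__ == "__main__":
    for name, action in evaluate(FILTERS, MSG):
        print(f"{name}: {action}")
```

Moving "Hold zipped invoices" to the top of the list means the tagging filter never runs for this message, which is worth checking whenever filters are reordered.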

Policy Groups

In some cases, you may want to associate a policy filter with a group of users rather than the entire organization. For example, you may want a policy filter to be applied to all incoming email messages sent to your sales team and no one else in your organization.

If you want policy filters you create to be applied to a particular group of users, you first have to create policy groups from LDAP. Policy groups, once created, can be associated with either inbound or outbound policies.

Adding a New Policy Group

To add a new policy group:
Navigate to the Policy & Compliance > Policy Groups page.
Select the Add Group button.
From the Find all groups pull down menu, select one of three methods to locate a desired group:
equal to (fast)—search using the actual name
starting with (medium)—search using the first few characters
containing (slow)—search using a substring of characters
Type a search string in the text box.
Once the list of group names is displayed, select the check box of the group you wish to add.
Click on the Add Group button.

Removing a Policy Group

To remove a group, check the group(s) to be removed and select the Remove Group button. You can view the members of a group by selecting that group and clicking on the List Group Members button.

If a user is present in more than one group, that user is treated as a member of the group that is listed highest in the list. To change the order in which groups are listed, use the up and down arrow icons to the left of the groups.

For example, in the above illustration, if jdoe@company.com is listed under both SalesEngineering and Sales, the policy filter that is associated with SalesEngineering will be applied to email messages for jdoe@company.com.


The Policy & Compliance > Compliance module is accessible through the optional purchase of a Compliance Subscription License Key and helps organizations work toward ensuring that email complies with relevant regulations and/or corporate policies.

When the Compliance Module license expires, filters that were created during the valid license period continue to work, taking advantage of the advanced features. However, the administrator cannot add any new filters to use licensed features until a license to the module is obtained.


A dictionary is a convenient collection of words or phrases that you can group together for use in policy filters. A dictionary can be specified as a search value in a policy filter. Dictionaries can be created or modified either manually or by importing from a file in the file system.

A predefined dictionary is a group of words or phrases all belonging to a specific theme such as medical or financial terms, which can be used as a database of words that filters can look for. By default, Hosted Email Security provides pre-installed dictionaries:

Financial Terms
Medical Drug Names

These dictionaries may be modified by clicking the Edit button. For more information on adding or importing dictionaries, see the following topics:

Add New Dictionary

To manually create a dictionary:
Click on the Add New Dictionary button.
Type the new dictionary name in the Dictionary name field.
Enter a word or phrase under Dictionary Terms and select Add Term. Repeat for all the terms you want to add to the dictionary.
Click Save Dictionary. You are automatically returned to the Policy & Compliance > Compliance > Dictionaries module.
To add new terms to a dictionary:
Find the dictionary you want to update and click on Edit.
Enter a word or phrase under Dictionary Terms and select Add Term. Repeat for all the terms you want to add to the dictionary.
Click Save Dictionary. You are automatically returned to the Policy & Compliance > Compliance > Dictionaries module.

Import Dictionary

To import a dictionary from a file on the file system:
Click on the Import Dictionary button.
Choose to name a new dictionary or to replace an existing dictionary by selecting the appropriate button next to your selection.
Find the import file by selecting Choose File and browsing to the correct location. The imported file should contain one word or phrase per line and each line should be separated by a carriage return.
Click the Import button.

Delete a Dictionary or Term

To delete a dictionary:
Find the dictionary in the list.
Click the Delete button to delete the entire dictionary.
To delete terms from a dictionary:
Find the dictionary you want to change and click on Edit.
Check the box by the words or phrases you want deleted. Terms are listed alphabetically so you can find them easily.
Scroll to the bottom of the list and select Delete Selected Terms.
Select Save Dictionary.

Approval Boxes

An Approval Box is a list of stored email messages that are waiting for an administrator to take action. They are not delivered until an administrator approves them for delivery. The View Approval Box drop down list allows you to have two different views of Approval Boxes: The Manager view and the individual approval box view.

To see a list of the Approval Boxes that have been created, select Approval Box Manager from the View Approval Box drop down list. The Approval Box Manager view allows you to edit or delete existing Approval Boxes, and to create new Approval Boxes.

To see the contents of a particular Approval Box, choose the desired Approval Box name from the View Approval Box for drop down list. This page allows you to search the messages stored in that Approval Box and to take action on any of those messages.

NOTE: Only users who have administrative rights can see the contents of an approval box. See Users for managing user rights and privileges.
To store messages in an Approval Box:
Create the Approval Box by clicking the Add New Approval Box button in the Policy & Compliance > Compliance Module > Approval Boxes page.

Enter the Name of Approval Box. This name appears in the page that shows the list of approval boxes and in the drop down list that allows you to select the detailed view of individual approval boxes.
From the Default action pull-down menu, select an action to be taken. This action is automatically taken on the message waiting for approval if the administrator does not respond to the notification within the period of time specified.


No action is taken. The email remains in the Approval Box.
Approve & Deliver: The email is passed to the recipient.
The email is deleted.
Bounce Back to Sender: The email is automatically bounced back to the sender and removed from the Approval Box after the specified length of time elapses.

Enter a list of Notification recipients in the text box. Separate multiple email addresses with a carriage return.
NOTE: Make sure that the email recipients you enter are users that have administrative rights to Hosted Email Security. If they do not have administrative access, they will not be able to view the approval boxes when they receive email notification.
Select a Frequency of notifications value from the drop down list for this approval box. Approval box notification emails for this approval box will be sent according to the schedule you choose here.
Write the Email subject line for this notification.
Click the Apply Changes button to save your changes to this approval box notification.
Go to the Policy & Compliance > Filters page and create a policy filter that has the action defined as Store in Approval Box. Then, choose the desired Approval Box for email messages caught by that filter.

Record ID Definitions

A Record ID Definition can be used to detect specific IDs described by a series of generic patterns. The Policy & Compliance > Compliance Module > Record ID Definitions section allows the administrator to predefine a cluster or clusters of letters and numbers into logical sets of groups such as social security numbers, patient medical record numbers, or credit card numbers. When these patterns are discovered, compliance actions can be taken to ensure that the organization's privacy and security regulations are met. The filter stops processing a message after it finds the first matching Record ID Definition.

By default, SonicWall <product name> provides the following Record ID Definitions pre-installed:

ABA Bank Routing Number
Canadian Social Security Number
Credit Card Number
Phone Number
Social Security Number
Zip Code

To add a new Record ID Definition:
Navigate to the Policy & Compliance > Compliance > Record ID Definitions page.
Click the Add New Record ID Definition button. The following window displays:

Enter a name in the Record Definition Name field.
Enter a term, including correct spacing, dashes or other symbols, in the Record Definition Patterns field. Use the key to set values to the sets of characters.
Click Add Pattern to add the term to the Record ID. Repeat this step for each Record ID needed.
Click Save Definition when finished. The new Record ID Definition displays on the Policy & Compliance > Compliance Module > Record ID Definitions screen.
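
A sketch of first-match Record ID detection as described in this section, added here as an example and not taken from the product. The page's pattern key is not reproduced, so Python regular expressions stand in for Record Definition Patterns; the checksum validators, the masking helper and the sample text are assumptions.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits: str) -> bool:
    """ABA routing check digit: 3-7-1 weighted sum must be a multiple of 10."""
    weights = (3, 7, 1) * 3
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0

# Stand-in definitions, in listed order: (name, regex, optional validator).
DEFINITIONS = [
    ("Social Security Number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("Credit Card Number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), luhn_ok),
    ("ABA Bank Routing Number", re.compile(r"\b\d{9}\b"), aba_ok),
]

def mask(value: str) -> str:
    """Keep only the last four digits so a finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def first_record_id(text: str):
    """Return (definition name, masked match) for the first definition that hits."""
    for name, rx, check in DEFINITIONS:
        for m in rx.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if check is None or check(digits):
                return name, mask(m.group())
    return None             # no definition matched

# Constructed sample message bodies using test values only.
SAMPLES = [
    "Card on file: 4111 1111 1111 1111",
    "Order ref 1234 5678 9012 3456",
    "SSN 123-45-6789, card 4111-1111-1111-1111",
    "Wire to routing 123456780",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(first_record_id(body))
```

The second sample has the shape of a card number but fails the checksum, so it is not reported; the third reports only the Social Security Number because that definition is listed first and processing stops at the first match.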