Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
labiomedit
New Contributor

Created on ‎06-28-2017 10:38 AM

Creating content filtering or DLP rule to block emails contain DEA

I tried to use DLP profile for alerting and blocking outbound emails which contains DEA numbers without success, it works great in office365 but after moving to on premise with fortimail it doesn't detect those emails, even my testing emails which detect with office365.

I wonder if I can create custom dictionary for DEA. the pattern is clear but there is no instruction how to config it in fortimail.

does any one use it?

 

eventually I need to detect HIPAA and DEA for outbound emails.

thank you

Labels:
6261
0 Kudos
5 REPLIES 5
labiomedit
New Contributor

Created on ‎06-28-2017 02:21 PM

I manage to create custom dictionary for DEA content filtering profile,

\b[a-zA-Z]{2}\d{7}$

this is the pattern for DEA.

so the content filtering is detecting DEA numbers and doing the action to stop them.

the strange thing that fortimail standard compliance doesn't work!!!!!!!!

you think DLP will be stronger than content filtering but I was wrong

2846
0 Kudos
Paul_S
Contributor
In response to labiomedit

Created on ‎06-29-2017 07:45 AM

Did you open a support ticket? What Fortimail version? any screenshots to share?

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
2846
0 Kudos
labiomedit
New Contributor
In response to Paul_S

Created on ‎06-29-2017 02:13 PM

Yes I open a ticket and they say also their testing is not detecting the DEA numbers so I need to continue with content filtering and he will update me.

2846
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to labiomedit

Created on ‎07-02-2017 05:48 AM

being picky here: the correct regex for a DEA ID would be "\b[a-zA-Z][a-zA-Z9]\d{7}".

Firstly, the second letter from the left is a '9' (not a letter) in case the registrant is using a business address.

Secondly, the '$' at the end would prevent recognizing IDs which are followed by '-xxxxx', the supervised individual's ID. Cf. https://en.wikipedia.org/wiki/DEA_number

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
2846
0 Kudos
labiomedit
New Contributor
In response to ede_pfau

Created on ‎07-05-2017 10:54 AM

thank you for adding it, I just start working with it.

2846
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.