This month, we’re excited to announce a taster of sensitive data protection. In addition, we now handle “plus addresses” more nicely, using the primary address within Mail Assure but delivering to the tagged address.
Basic Sensitive Data Protection
We’ve added a new match type in the custom filtering rules functionality: sensitive data. This will currently check for credit card numbers; Canadian, Danish, Dutch, French, German, Irish, Italian, Malaysian, Mexican, Romanian, Spanish, Swedish, Turkish, and US national personal identifiers; Aotearoa (New Zealand) and UK health identifiers; and IBAN bank account numbers.
This can be used in the “simple” filtering rules mode, where you simply choose “sensitive data” and then select the type of data you wish to block.
This can also be used in the “advanced” version of the rules editor, where you have more flexibility on the type of match, e.g. matching bank accounts and credit cards but not personal or health identifiers.
This option is also available for Private Portal policies.
Note that we will match against the most common formats of these types of data – for example, a VISA credit card might be “4012888888881881”, or “4012-8888-8888-1881”, or “4012 8888 8888 1881”. However, it will always be possible for someone determined to bypass these checks to do so, e.g. with “my credit card is 4012 then eight eights in a row then 1881”. This functionality is intended to protect against accidental exposure rather than malicious intent.
If there’s a type of sensitive data that isn’t currently included, that’s important for you and your customers, and it has distinguishing features, please reach out to your N-able contact to let us know, or open a feature request in the Success Centre.
It’s also now possible to add rules that match against the hash of message attachments, so that you can block messages that contain specific attachments. You can use MD5, SHA-224, SHA-256, SHA-384, or SHA-512 hashes. Note that it is relatively simple to force hash collisions with older hashing functions (e.g. MD5) – in the context of blocking mail this should not be an issue, but if you have an unusual rule like “you can only email this mailbox if you include this specific attachment” then please ensure you use a secure hashing function.
To add a rule, simply use the “attachment hash” option when adding a rule, select the type of hash you have used, and enter the hash as the expression to match. Note that this match type is currently only available when using the “advanced” version of the filtering rules.
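To produce the value to enter as the expression, hash the decoded attachment bytes with the algorithm you select. The following added example (not N-able code) does this with Python’s standard library and checks a message against a rule; the function names, the sample message, and the assumption that the hash is taken over the decoded attachment content are illustrative.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hash types listed in the release note, by their hashlib names.
ALGORITHMS = {"md5", "sha224", "sha256", "sha384", "sha512"}


def attachment_hashes(raw: bytes, algorithm: str) -> dict[str, str]:
    """Map each attachment filename in a raw message to its hex digest."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported hash type: {algorithm}")
    msg = message_from_bytes(raw, policy=policy.default)
    digests = {}
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding,
        # so the digest is over the file content, not its MIME encoding.
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        digests[name] = hashlib.new(algorithm, data).hexdigest()
    return digests


def matches_rule(raw: bytes, algorithm: str, expression: str) -> bool:
    """True if any attachment digest equals the rule expression."""
    wanted = expression.strip().lower()
    return wanted in attachment_hashes(raw, algorithm).values()


ATTACHMENT = b"constructed attachment bytes\n"  # constructed sample data


def build_sample() -> bytes:
    """Build a constructed message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    print(attachment_hashes(build_sample(), "sha256"))
```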
This is only the beginning of our plans for extending the ways that Mail Assure can protect your customers’ sensitive data. We hope you enjoy the taster and find it useful, and we will have much more to announce in this area in the future.
Sub-addressing, or Plus-addressing
Sub-addressing, often called “plus-addressing” after the common practice of using a “+” as the separating character, allows addition of a ‘tag’ to a mailbox. For example, the mailbox firstname.lastname@example.org could be used as email@example.com, firstname.lastname@example.org, and email@example.com, as well as the plain firstname.lastname@example.org. Mail systems that understand plus addressing (such as Microsoft 365, Google, and others) will deliver the mail to the primary email@example.com mailbox and make the tag available, e.g. for filing or sorting purposes.
Mail Assure will now log, archive, and quarantine plus addresses under the primary mailbox name, and this is also the mailbox that will appear in usage calculations. Delivery will still be done to the full address, so that the tag is available for use at the destination server.
At the moment, the only character available for sub-addressing is a “+”, as this is the most widely used variant. If you have a need for an alternative sub-addressing character, or need sub-addressing disabled for your account, please contact support with more information about your requirements.
Since the last major release, we’ve also fixed the following issues:
- MMA-7121, #2440. Some strings in the app were not being translated even though translated versions were available.
- 63029aa. Fixed a bug introduced to the Software API api_set_sender_whitelist method when setting the allow list to non-default values that would cause the API call to fail.
- MMA-7230, #2482. We now send the Splunk test event to the specified index.
- MMA-7221, #4134. On-demand Email Scout Reports properly reflect the ‘use standard branding’ toggle.
- MMA-6718, #265. Fixed an issue viewing some forwarded messages in Private Portal.
- MMA-7231, #4119. Fixed an issue with sending some events to Splunk.
- MMA-7244, #4140. Fixed an issue where custom filtering rules using the language match created in “simple mode” would not work properly.
- MMA-6685, #2511. Fixed an issue viewing the mailboxes page when logged in as a non-ASCII domain user.
We’ve also made the following improvements:
- MMA-6797, #65. Improved the layout of the Private Portal app on smaller screens (e.g. phones and tablets).
- MMA-5724, #101. The quarantine and queue message links on the dashboard will now open the message (on the log search page) rather than just take you to the log search page with the appropriate filters created.
- MMA-6643, #102. Add the ability to resend the invitation email to technicians that have not yet activated their account. Note that if the email has been blocked somewhere this is unlikely to resolve it, but may e.g. bring it to the top of a junk folder.
- MMA-5579, #104. Add links to add a new admin or new domain to the admin and domain drop-down menus on the dashboard.
- MMA-7176, #2460. Restored the additional information on the “Custom Logging” (formerly “Remote Syslog Feed”) page that explains how to use templates.
- MMA-7129, #2439. When editing Email Scout Report templates, it’s now simpler to add the “view()” method with different sets of actions (in the resulting Email Scout Reports) enabled.
- MMA-6643, #102. Add the ability to re-send the invitation email on the Manage Technicians page.
- MMA-7196, #57. The timezone selector in the Add Domain wizard supports searching.
- MMA-6447, #67. The ‘reply all’ button in Private Portal is only shown when there are multiple recipients.
- #2473. Improved speed of loading the login page by caching duplicate calls.
- MMA-7196, #107. The time zone selector in the Add Domain wizard now allows searching.
- Updated German, Spanish, French, Dutch, and Brazilian Portuguese translations.
- #2506. The “g=*” string has been removed from the suggested DKIM DNS record. This is the default value (so removing it does not change behaviour), and the latest RFC recommends no longer using it. Thanks to Alrik van Eijkelenborg for the suggestion – please reach out with your suggestions in the Success Centre!