Included Addresses capture more events than expected.

Document ID : KB000123116
Last Modified Date : 18/12/2018
Introduction:

All triggers in the user policy can use lists of included, excluded, or ignored items. You specify which list is checked for matching items. Examples include lists of matching URLs, file names, email addresses, search text, and so on.

Included lists
Included items are forbidden items. If a trigger uses an Included list, any single item in the list can activate the trigger. If a trigger fails to detect any items in the Included list, the trigger does not activate. For example, if a Web page capture trigger uses an Included URL list, any URL on this list triggers a capture when the user browses to it.
Included Addresses lists also affect data lookup commands that use %sender%, %recipient%, %senderalias% or %recipientalias% variables. If a trigger uses an Included list, these data lookup commands only evaluate included email addresses.
Question:
Why are more mail items than expected included in the policy scope where "Included Addresses" are employed?
Environment:
CA Data Protection 14.x/15.x
Answer:
The "Included Addresses" filter can include literally anything, and each entry is matched with leading and trailing wildcards. See the examples below:

Example 1: 
If you added "Hotmail.com" to the Included Addresses list, this would pick up any parsed address that included that domain:

andy@hotmail.com 
John.smith@hotmail.com 

Example 2:
If you were to use simply "hotmail", it would pick up:

andy@hotmail.com 
andy@hotmail.co.uk 
andrew.smith@hotmail.com 
john.smith@hotmail.co.uk 
andy.smith0176@hotmail.ie 
hotmail@yahoo.com 
245hotmail@ca.com 

etc.
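
The following is an added example, not CA Data Protection code: it models an entry as a plain substring test (the leading and trailing wildcards described above) and reports where in each address the match fell, so an over-broad entry can be spotted before it goes into policy. The function names are hypothetical, and case-insensitive matching is an assumption inferred from Example 1.

```python
"""Added illustration (not CA Data Protection code): models an Included
Addresses entry as a substring test, i.e. *entry*, as the article describes."""
from collections import defaultdict

# Addresses taken from the article's Example 2.
SAMPLE = [
    "andy@hotmail.com", "andy@hotmail.co.uk", "andrew.smith@hotmail.com",
    "john.smith@hotmail.co.uk", "andy.smith0176@hotmail.ie",
    "hotmail@yahoo.com", "245hotmail@ca.com",
]

def classify(entry: str, address: str) -> str:
    """Say where in the address an entry matched, or 'no match'."""
    # Assumption: matching ignores case, as Example 1 ("Hotmail.com") implies.
    e, a = entry.lower(), address.lower()
    if e not in a:
        return "no match"
    local, _, domain = a.rpartition("@")
    if domain == e or domain.endswith("." + e):
        return "whole domain"
    if e in domain:
        return "part of domain"
    if e in local:
        return "local part"
    return "spans the @"

def audit(entries, addresses):
    """Group the addresses each entry would capture by where the match fell."""
    report = {}
    for entry in entries:
        hits = defaultdict(list)
        for addr in addresses:
            where = classify(entry, addr)
            if where != "no match":
                hits[where].append(addr)
        report[entry] = dict(hits)
    return report

if __name__ == "__main__":
    for entry, hits in audit(["Hotmail.com", "hotmail"], SAMPLE).items():
        print(f"entry {entry!r} captures {sum(map(len, hits.values()))} of {len(SAMPLE)}")
        for where, addrs in hits.items():
            print(f"  {where}: {', '.join(addrs)}")
```

Entries whose hits land under "part of domain" or "local part" are the ones capturing more mail than a domain-level rule was meant to.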