Social Security rule Help

Unanswered Question
Apr 6th, 2009

Hello all,

Not sure if this is every company, but we have pretty strict rules for SSN's. We use the C150. We have the following rule to catch the main SSN offensives and this works very well.

ssn: if (recv-listener == 'OutboundMail') AND body-contains("\\b[0-9]{9}\\b|\\b[0-9]{3}[-]+[0-9]{2}[-]+[0-9]{4}\\b|\\b[0-9]{3}[\\t]*[0-9]{2}[ \\t]*[0-9]{4}\\b|\\b[0-9]{3}[,]+[0-9]{2}[,]+[0-9]{4}\\b|\\b[0-9]{3}[;]+[0-9]{2}[;]+[0-9]{4}\\b|\\b[0-9]{3}[:]+[0-9]{2}[:]+[0-9]{4}\\b|\\b[0-9]{3}[.]+[0-9]{2}[.]+[0-9]{4}\\b|\\b[0-9]{8}\\b", 1)

But, we actually need to catch 9 digit numbers also such as 555555555. We are having a lot of problems with this rule and making it work well. So far, we have caught ticket numbers, HTML font classes, Outlook meetings, etc. I know this is going to be a tough rule, but wondering if anyone else had luck making one work. This one seems to catch 9 digit numbers if there is a letter on either side or more than a 9 digit number, but not if it has a hyphen, period, comma, etc on either side.

ssn_8_or_9_digit: if (recv-listener == "OutboundMail") AND (body-contains("([^\\w=-@:]|^)\\b[0-9]{9}\\b([^\\w=-@:]|$)", 1))

Please let me know if anyone has luck.

mychrislo_ironport Tue, 04/07/2009 - 03:39

In version 6.1 (or above?)

Smart Identifiers
When you use message rules that scan message content, you can use smart identifiers to detect certain patterns in the data.

Smart identifiers can detect the following patterns in data:
• Credit card numbers
• U.S. Social Security numbers
• CUSIP (Committee on Uniform Security Identification Procedures) numbers
• ABA (American Banking Association) routing numbers
To use smart identifiers in a filter, enter the following keywords in a filter rule that scans body or attachment content:

When you use a smart identifier in a filter rule, enter the smart-identifier keyword in quotes within a filter rule that scans the body or attachment file, as in the example below:


You can also use smart identifiers in content filters and as a part of content dictionaries.

Note — You cannot combine a smart identifier key word with a normal regular expression or another key word. For example the pattern *credit|*ssn would not be valid.

Note — To minimize on false positives using the *SSN smart identifier, it may be helpful to use the *ssn smart identifier along with other filter criteria. One example filter that can be used is the “only-body-contains” filter condition. This will only evaluate the expression to be true if the search string is present in all of the message body mime parts.

For example, you could create the following filter:
SSN-nohtml: if only-body-contains("*ssn") { duplicatequarantine("

whardiso Thu, 04/09/2009 - 14:15

Consecutive nine digit strings are going to be quite problematic for the exact reasons you mentioned in your original post. They'll match on everything from HTML to invoice numbers.

IronPort actually removed the match for consecutive nine digit strings from its SSN smart identifier for this exact reason. Trapping on it generates too many false positives.

I guess you could add the string in a filter that quarantines messages, but you need to be prepared to constantly monitor for false positives, which are going to be the majority of what gets caught :(
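The false-positive problem discussed in this thread can be tested offline before a pattern goes into a filter. The Python sketch below is an added example, not part of the thread and not IronPort's smart-identifier logic: it pairs a boundary-aware 3-2-4 pattern with the structural rules for issued SSNs. The regex, the function names and the sample lines are constructed for illustration, and Python's `re` syntax is not the appliance's filter syntax.

```python
import re

# 3-2-4 digits with one consistent separator (hyphen, dot, space) or none.
# Lookarounds reject numbers glued to letters, digits, '#' or '=' (ticket
# ids, HTML attributes, long identifiers) while still allowing trailing
# punctuation such as '.' or ',' at the end of a sentence.
CANDIDATE = re.compile(
    r"(?<![\w#=])(?<!\d[-.])"           # nothing word-like directly before
    r"(\d{3})([-. ]?)(\d{2})\2(\d{4})"  # \2 forces the same separator twice
    r"(?!\w)(?![-.]\d)"                 # nothing word-like directly after
)

def plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules: no 000/666/9xx area, no 00 group, no 0000 serial."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_ssns(text: str) -> list[str]:
    """Return normalized AAA-GG-SSSS strings for plausible candidates."""
    hits = []
    for m in CANDIDATE.finditer(text):
        area, _sep, group, serial = m.groups()
        if plausible(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits

# Constructed sample body: two real-looking hits and the kinds of
# false positives named in the thread.
SAMPLE = """\
Employee SSN: 555555555.
Please update 123-45-6789, thanks
Ticket #204815937 was closed
<font class="x" size=300145678>
UID:040000008200E00074C5B7101A82E008
Invoice 000123456 attached
Ref 123-45.6789 (mixed separators)
"""

if __name__ == "__main__":
    print(find_ssns(SAMPLE))
```

A bare nine-digit number with no surrounding marker, such as an unprefixed invoice number with a valid-looking area, still passes these checks, so quarantined matches need review as whardiso notes.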
