How can I see WHY a message was encrypted?

Jun 8th, 2009

On our Postx box, I used to be able to see specifically what caused a message to become encrypted (for example a social security number). It would report what keyword(s) triggered the encryption.

We just replaced the Postx with an IronPort C150 (love it!) and I would like to be able to get the same info. I see that I can go to Monitor -> Content Filters to see which users had encrypted mail, then I can use Message tracking to see details including that the message WAS encrypted, however I would like to see the details of WHAT triggered the content filter.

Thank you.

kyerramr Tue, 06/09/2009 - 05:06

A way to see what triggered the filter (in your case, the encryption filter) is to set up one of the actions on your filter to duplicate quarantine. This would send a copy of the message to the system quarantine and follow the rest of the path (other actions). This way a copy of the message is sent to the system quarantine, and viewing the message in the system quarantine would show what content of the message was matched by the filter.

Hope this helps!

-Kishore

steven_geerts Tue, 06/09/2009 - 23:31

I have no experience with the IronPort encryption solutions at all, but a possible solution might be to add a second action to your policy that writes the required info into an X- header.
If you enable logging for this header, you will see the results in your log files.

I can imagine you do not want the information in the X-header to be public (which is the nature of X- headers).
There are two possible solutions for that.
1) Use numeric codes for the data in the X-header. Only you have the matching table to see what code points to what message filter or filter action.

2) Play around with policies and message filters. They are always executed in the same order (which I do not recall at the moment). If you make sure the first of the two does the detection and adds the header, you can use the second to strip the header out of the message.

Quite complex but possible for sure!

Good luck
Steven
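
The two-step idea from the reply above (tag the message with a numeric code, log it, strip the tag before delivery), sketched in Python as an added example. It is not IronPort filter syntax and not code from the thread; the header name `X-Filter-Match`, the rule codes and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

HEADER = "X-Filter-Match"  # hypothetical header name (assumption)

# Private table (constructed): only the administrator can map a code to a rule.
RULES = {
    "101": ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    "102": ("keyword-confidential", re.compile(r"\bconfidential\b", re.I)),
}

def body_text(msg):
    """Concatenate the text parts of a plain or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_maintype() == "text")

def detect(msg):
    """Stage 1: tag the message with the code of every rule that matched."""
    del msg[HEADER]  # discard any tag that arrived with the message
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    codes = [c for c, (_, rx) in sorted(RULES.items()) if rx.search(text)]
    if codes:
        msg[HEADER] = ",".join(codes)
    return msg

def log_and_strip(msg, log):
    """Stage 2: record the codes against the Message-ID, then remove the tag."""
    codes = msg.get(HEADER)
    if codes:
        log.append(f"{msg.get('Message-ID', '<no-id>')} matched={codes}")
    del msg[HEADER]  # the recipient never sees the header
    return msg

def explain(log_line):
    """Admin side: translate logged codes back into rule names."""
    return [RULES[c][0] for c in log_line.split("matched=", 1)[1].split(",")]

# Constructed sample message, including a stale tag that must not be trusted.
SAMPLE = """\
From: alice@example.com
To: bob@example.net
Message-ID: <constructed-1@example.com>
Subject: payroll
X-Filter-Match: 999

Employee SSN is 123-45-6789, please keep this confidential.
"""
```

Running `log_and_strip(detect(message_from_string(SAMPLE)), log)` leaves one log entry carrying codes 101 and 102 and a message with no `X-Filter-Match` header; `explain()` turns that entry back into rule names.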
